Some understanding of SVTI

2025-03-16 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

In many places SVTI is described as GRE over IPsec. Because the traffic is encrypted and its contents cannot be seen, it is hard to say anything definite about this.

I happened to see a post on the Cisco community, http://www.cisco-club.com.cn/space-113351-do-blog-id-8866.html, about connecting a Juniper SRX to a Cisco router with SVTI, and took a careful look at the Juniper configuration. It is purely IPsec in interface mode, with no GRE involved at all. Presumably some people see the word "tunnel" in the configuration and assume it is GRE. But if the Cisco side can be brought up successfully against the SRX, both sides must be using the same technology, so GRE cannot be in use. I wanted to verify this, but the encrypted contents cannot be inspected. After some thought: I can compare the packet sizes. If the sizes are the same, the encapsulation is the same.

In the experiment, R1 uses SVTI and R2 uses a traditional crypto map; both peer with R4.

R1

crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 40.1.1.2
!
crypto ipsec transform-set ESP-des-md5 esp-des esp-md5-hmac
!
crypto ipsec profile ipsec-profile
 set transform-set ESP-des-md5
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Tunnel0
 ip address 172.16.1.1 255.255.255.0
 tunnel source 61.1.1.1
 tunnel destination 40.1.1.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec-profile
!
interface FastEthernet0/0
 ip address 61.1.1.1 255.255.255.0
 duplex auto
 speed auto
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 61.1.1.3
ip route 1.1.1.4 255.255.255.255 Tunnel0

R2

crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 40.1.1.2
!
crypto ipsec transform-set ESP-des-md5 esp-des esp-md5-hmac
!
crypto map mm 10 ipsec-isakmp
 set peer 40.1.1.2
 set transform-set ESP-des-md5
 match address 100
!
interface Loopback0
 ip address 1.1.1.2 255.255.255.255
!
interface FastEthernet0/0
 ip address 61.1.1.2 255.255.255.0
 duplex auto
 speed auto
 crypto map mm
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 61.1.1.3
!
access-list 100 permit ip host 1.1.1.2 host 1.1.1.4

R4

crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 61.1.1.1
crypto isakmp key cisco address 61.1.1.2
!
crypto ipsec transform-set ESP-des-md5 esp-des esp-md5-hmac
!
crypto ipsec profile ipsec-profile
 set transform-set ESP-des-md5
!
crypto map mm 10 ipsec-isakmp
 set peer 61.1.1.2
 set transform-set ESP-des-md5
 match address 100
!
interface Loopback0
 ip address 1.1.1.4 255.255.255.255
!
interface Tunnel0
 ip address 172.16.1.4 255.255.255.0
 tunnel source 40.1.1.2
 tunnel destination 61.1.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec-profile
!
interface FastEthernet0/0
 ip address 40.1.1.2 255.255.255.0
 duplex auto
 speed auto
 crypto map mm
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 40.1.1.1
ip route 1.1.1.1 255.255.255.255 Tunnel0
!
access-list 100 permit ip host 1.1.1.4 host 1.1.1.2

Pinging R4 from R1 and from R2 and capturing the traffic, the ESP packet sizes are exactly the same. Testing with telnet gives the same result: the packet sizes are still identical. So an SVTI packet is no different from plain IPsec; it is not the so-called GRE over IPsec.

See the Cisco documentation: http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_***ips/configuration/15-s/sec-ipsec-virt-tunnl.html

SVTI configurations can be used for site-to-site connectivity in which a tunnel provides always-on access between two sites. The advantage of using SVTIs as opposed to crypto map configurations is that users can enable dynamic routing protocols on the tunnel interface without the extra 24 bytes required for GRE headers, thus reducing the bandwidth for sending encrypted data.

Cisco never says SVTI encapsulates in GRE. GRE is only mentioned for comparison: like GRE, SVTI can run dynamic routing, but without the 24-byte GRE header.

The following captures show the packet contents.

Capture 1: a ping packet on the traditional crypto map site, encapsulated in ESP.

Capture 2: SVTI; compared with the above, the size is the same, 166.

Capture 3: GRE over IPsec; the size is larger by 24, which matches the 24-byte GRE header described on the Cisco website.

Capture 4: a plain ICMP packet; IPsec adds 52 bytes to it. It is clear that encryption consumes a good deal of the payload.
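The sizes in the captures can be reproduced from the standard header lengths of the esp-des esp-md5-hmac transform set used above. The following is an added example, not code from the original post; it assumes Cisco's default 100-byte ping (IP 20 + ICMP 8 + 72 bytes of data), Ethernet II framing as counted by the sniffer, and tunnel mode on all three variants. The extra AES transform entry goes beyond the page's own test and shows how the overhead changes with a 16-byte cipher block.

```python
# Added example (not from the original post): frame sizes for the three
# encapsulations compared in the captures, computed from standard header sizes.

ETHERNET_HDR = 14      # Ethernet II header (sniffer does not count the FCS)
IPV4_HDR = 20          # IPv4 header without options
ICMP_HDR = 8           # ICMP echo header
GRE_HDR = 4            # GRE header without optional key/sequence fields
ESP_SPI_SEQ = 8        # ESP SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2        # ESP pad length (1 byte) + next header (1 byte)
DEFAULT_PING_DATA = 72 # Cisco default: 100-byte ping = IP 20 + ICMP 8 + 72 data

# Per-transform parameters: cipher block size, IV length, truncated ICV length.
# Only esp-des esp-md5-hmac appears on the page; the AES entry is an assumption
# added to show the effect of a larger block size.
TRANSFORMS = {
    "esp-des esp-md5-hmac": {"block": 8, "iv": 8, "icv": 12},
    "esp-aes esp-sha-hmac": {"block": 16, "iv": 16, "icv": 12},
}


def icmp_echo_frame(data_bytes=DEFAULT_PING_DATA):
    """On-wire size of a plain (unencrypted) ICMP echo frame."""
    return ETHERNET_HDR + IPV4_HDR + ICMP_HDR + data_bytes


def esp_tunnel_frame(inner_ip_len, transform="esp-des esp-md5-hmac", gre=False):
    """On-wire size of an ESP tunnel-mode frame carrying an inner IP packet of
    inner_ip_len bytes. With gre=True the inner packet is first wrapped in
    GRE (4) plus a delivery IP header (20): the gre over ipsec case, and the
    24 bytes Cisco's documentation refers to."""
    t = TRANSFORMS[transform]
    if gre:
        inner_ip_len += GRE_HDR + IPV4_HDR
    # ESP pads (payload + pad length + next header) up to the cipher block size.
    pad = (-(inner_ip_len + ESP_TRAILER)) % t["block"]
    encrypted = inner_ip_len + pad + ESP_TRAILER
    return ETHERNET_HDR + IPV4_HDR + ESP_SPI_SEQ + t["iv"] + encrypted + t["icv"]


def ipsec_overhead(transform="esp-des esp-md5-hmac", gre=False):
    """Bytes IPsec (optionally with GRE) adds to the default ping frame."""
    inner = IPV4_HDR + ICMP_HDR + DEFAULT_PING_DATA
    return esp_tunnel_frame(inner, transform, gre) - icmp_echo_frame()


if __name__ == "__main__":
    print("plain ICMP:      ", icmp_echo_frame())               # 114
    print("ESP (SVTI/map):  ", esp_tunnel_frame(100))           # 166
    print("GRE over IPsec:  ", esp_tunnel_frame(100, gre=True)) # 190
    print("IPsec overhead:  ", ipsec_overhead())                # 52
```

Both SVTI and the crypto map produce the same ESP tunnel-mode frame, so the function gives one value for both; only the GRE variant differs, by exactly 24.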
