>From your original email. by permitting ip you're allowing everything over the IPSec tunnel. If you just permit gre you're just allowing the gre tunnel over the ipsec tunnel. You might want to do this to transport something that ipsec can't handle by itself, like AppleTalk or IPX.
You're thinking of it as a "flavor." That's the wrong mind set for this concept. Just think of it as a regular ipsec tunnel and all your acl does, is just what any other acl does... controls granularity. ----- Original Message ----- From: "Michael Jia" To: ; Sent: Sunday, July 06, 2003 2:56 PM Subject: GRE with IPsec > Hi, > > Anyone has good reference doc about GRE with Ipsec . > > I am a little confused about 2 flavors of crypto ACL used: > A) permit ip > B) permit gre any any > > It seems option A is encry first then GRE encap, while option B is encap > first then encrypt. > > Is there a good ref about these setups? > > > Thanks > Michael Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=71967&t=71967 -------------------------------------------------- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
