From: Jason T. Rohm (jtrohm@xxxxxxxxxxx)
Date: Mon Feb 05 2001 - 20:36:32 GMT-3
Ok,
So basically, if I want to use dynamic routing protocols, I still have to
use my IPinIP tunnel interface and use IPSec to encrypt the IPinIP packets?
That isn't much different than using CET (other than you can use IKE for key
exchange/expiration).
Do I have this correct?
-Jason
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Kyle Galusha
Sent: Monday, February 05, 2001 5:12 PM
To: Jason T. Rohm; CCIELIST (E-mail)
Subject: Re: IPSec Tunnel Mode vs IPINIP w/CET
See if this makes sense. IPSEC will not support multicast/broadcast by
itself. You will need to do a GRE tunnel between your IPSEC peers to carry
the multicast hellos for OSPF. So put a tunnel interface on the source and
destination routers for your IPSEC/GRE tunnels. The GRE tunnel will carry
the routing protocol hellos and the IPSEC will carry the encrypted data that
you specify in your crypto access list.
See these links, one for IKE and one for IPSEC:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt4/scipsec.htm
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt4/scike.htm
Kyle
At 04:40 PM 2/5/2001 -0600, Jason T. Rohm wrote:
>I am currently using an IPINIP tunnel with CET encryption for a LAN to LAN
>VPN.
>
>I would like to convert to a pure IPSec tunnel mode connection between the
>sites (the CET/IPINIP stuff works fine, I just need to learn IPSec before my
>test).
>
>I am confused on how to get dynamic routing working across the IPSec
>connection.
>
>I run OSPF across the tunnel interface now and use default routing for
>internet access. I can make the connectivity work if I statically define
>routes across the IPSec interface, but since I don't have a tunnel interface
>to work with, I don't know how to go about getting OSPF to work.
>
>Can someone point me in the right direction on this?
>
>Thank you,
>
> Jason T. Rohm
> Sr. Network Engineer
> Wire Technologies, Inc
> jtrohm@wiretech-inc.com
> (920) 766-5172
>
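
An added example, not part of the thread and not any participant's configuration: one common way to lay out the GRE-inside-IPsec arrangement described in the reply above, shown for one end of the link on a current IOS release. All names, interface numbers, the OSPF process and area, the key placeholder and the addresses (documentation ranges) are assumptions.

```cisco
! Constructed example, site A. The peer mirrors this with addresses swapped.
! Public side: 192.0.2.1 (local), 198.51.100.2 (peer). Inside LAN: 10.1.0.0/16.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-SHARED-SECRET address 198.51.100.2
!
crypto ipsec transform-set GRE-ESP esp-aes 256 esp-sha256-hmac
!
! Crypto ACL: match only GRE between the two tunnel endpoints.
! OSPF hellos (multicast) and user traffic are already wrapped in unicast GRE
! by the time this ACL is evaluated, so both end up encrypted.
ip access-list extended GRE-TO-SITE-B
 permit gre host 192.0.2.1 host 198.51.100.2
!
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set GRE-ESP
 match address GRE-TO-SITE-B
!
! The tunnel interface gives OSPF something to form an adjacency on.
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.2
!
interface Serial0/0
 ip address 192.0.2.1 255.255.255.252
 crypto map VPN
!
! Reach the peer's public address via the default route, never via OSPF:
! advertising the tunnel endpoints into the tunnel causes recursive routing
! and the tunnel interface goes down.
ip route 0.0.0.0 0.0.0.0 192.0.2.2
!
router ospf 1
 network 10.255.0.0 0.0.0.3 area 0
 network 10.1.0.0 0.0.255.255 area 0
```

With both ends configured, `show ip ospf neighbor` should list the peer over Tunnel0, and the encaps/decaps counters in `show crypto ipsec sa` should climb as hellos are exchanged.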
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:28:37 GMT-3