RE: VPN questions

From: Brian Lodwick (xpranax@xxxxxxxxxxx)
Date: Thu Dec 06 2001 - 18:15:34 GMT-3


Yep, that is definitely a nice feature of Cisco's implementation of IPSec
tunnels, that they can re-encapsulate several encapsulation types including
GRE into an IPSec tunnel. For my job I design and configure VPNs on Lucent's
VPN routers and they can only re-encapsulate IP packets in IPSec. As my
company prepares to offer Cisco VPNs we have a lot of interested clients, so
I have to make sure I am prepared to implement a large-scale Cisco VPN with
all of the bells and whistles we could offer with the Lucent VPN solution.
We do a lot of stuff where we send routes to a tunnel interface, not next
hops. The reason we do this is so that the company can have all of their
spoke sites locked down except for IPSec and IKE via an ACL. Then for
traffic destined for the Internet the spoke sites would have a default route
via the tunnel to the hub site. Then at the hub site you can have a
centrally located firewall for all Internet traffic. When you build tunnels
on the Lucent box you build instances of IPSec for each tunnel. Then when we
go to route down the tunnel, in Cisco terminology we would do something like
below.
example:
ip route 0.0.0.0 0.0.0.0 ipsec.15
The thing is, when you create an IPSec tunnel on a Cisco box you don't get a
virtual tunnel interface. I just wonder if you must build a GRE tunnel and
encapsulate twice to do something like this, which seems like unneeded
additional overhead? I am also trying to find documentation on the way Cisco
recommends doing something like this. I am very excited for the new Cisco
VPN book to come out on Dec. 15th, but until then...
Sorry for the long-winded message.
Thanks

>>>Brian

>From: "Larson, Chris (Contractor)" <Chris.Larson@ed.gov>
>To: 'Brian Lodwick' <xpranax@hotmail.com>
>Subject: RE: VPN questions
>Date: Thu, 6 Dec 2001 15:34:13 -0500
>
>The interesting things to do are like to put IPX through an IPSEC tunnel.
>Not terribly complicated once you know how or putting only Telnet or TCP on
>certain ports though. Not really sooo complex but it makes the config a
>little more interesting.
>
>
>
>-----Original Message-----
>From: Brian Lodwick [mailto:xpranax@hotmail.com]
>Sent: Thursday, December 06, 2001 3:13 PM
>To: ccielab@groupstudy.com
>Subject: VPN questions
>
>
>I would like to find out how people are configuring their VPNs so that
>they can come up with complex situations.
>
>Is there a way to configure static routes to go down a certain tunnel?
>
>Since Cisco has implemented IKE keepalives into the newest code, does
>anyone know if you can configure HSRP to track the IPSec tunnel?
>
>Can you use policy routing pointing to tunnel interfaces?
>
>Has anyone successfully implemented a design running a routing protocol over
>the tunnels on a large-scale fully meshed VPN?
>
>Has anyone done any testing to determine the impact using different
>transform sets has on throughput?
>
>Have you run into any bugs?
>
>Anything else interesting?
>
> >>>Brian
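For reference, a spoke-side Cisco IOS configuration for the design Brian describes above (GRE carried inside IPsec so that a real tunnel interface exists, the outside interface locked down to IKE and ESP only, and a default route pointed at the tunnel toward the hub's central firewall). This is an added example, not configuration from anyone in this thread; all addresses, names, the transform set and the pre-shared key are assumed, and the syntax is the 2001-era crypto-map style where the map is applied to both the tunnel and the physical interface.

```cisco
! Spoke router, Cisco IOS (2001-era syntax). All addresses, names and keys are
! assumed for this example; 192.0.2.1 is the hub's public address.
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
crypto isakmp key EXAMPLE-PRESHARED-KEY address 192.0.2.1
! IKE keepalives (the feature mentioned in the thread) so a dead hub is noticed
crypto isakmp keepalive 10
!
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
!
! Crypto ACL: protect the GRE packets between the two tunnel endpoints
access-list 110 permit gre host 198.51.100.2 host 192.0.2.1
!
crypto map VPN 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set STRONG
 match address 110
!
! The GRE tunnel provides the virtual interface that plain IPsec lacks on IOS
interface Tunnel0
 ip address 10.255.0.2 255.255.255.252
 tunnel source Serial0
 tunnel destination 192.0.2.1
 crypto map VPN
!
interface Serial0
 ip address 198.51.100.2 255.255.255.252
 ip access-group 120 in
 crypto map VPN
!
! Outside interface accepts only IKE and ESP from the hub; GRE is listed
! because older IOS re-checks the decrypted packet against this inbound ACL
access-list 120 permit udp host 192.0.2.1 host 198.51.100.2 eq isakmp
access-list 120 permit esp host 192.0.2.1 host 198.51.100.2
access-list 120 permit gre host 192.0.2.1 host 198.51.100.2
!
! Host route for the hub's public address keeps the tunnel endpoint off the
! default route; without it the default via Tunnel0 recurses and the tunnel flaps
ip route 192.0.2.1 255.255.255.255 198.51.100.1
! Everything else, Internet traffic included, goes to the hub's central firewall
ip route 0.0.0.0 0.0.0.0 Tunnel0
```

The hub side mirrors this with the addresses swapped and a route for the spoke's inside networks via its own Tunnel0; the host route toward the peer is the piece most often forgotten when a default route is sent down the tunnel.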


This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:32:39 GMT-3