Re: VPN questions

From: Brian Lodwick (xpranax@xxxxxxxxxxx)
Date: Thu Dec 06 2001 - 19:20:51 GMT-3


I understand that you must re-encapsulate the GRE tunnel in an IPSec tunnel
if you want to use any protocol other than IP, but what I am saying is:
how can you route down a specific tunnel if you aren't using a GRE tunnel?
If you create a GRE tunnel you are creating a virtual tunnel interface, but
when you create an IPSec tunnel a virtual tunnel is not created. Therefore
you cannot route down a tunnel.
So how could you ever route down the IPSec tunnel without a GRE tunnel? Even
if you were only encapsulating IP in IPSec, you cannot say
ip route 10.1.1.0 255.255.255.0 tunnel 0
for an IPsec tunnel unless you use a GRE tunnel, correct?
I just wonder if there is a way to create a virtual tunnel interface with
IPSec as the encapsulation type, instead of encapsulating twice.

>>>Brian

>From: "Sam Munzani" <sam@munzani.com>
>Reply-To: "Sam Munzani" <sam@munzani.com>
>To: "Brian Lodwick" <xpranax@hotmail.com>, <Chris.Larson@ed.gov>
>CC: <ccielab@groupstudy.com>
>Subject: Re: VPN questions
>Date: Thu, 6 Dec 2001 16:01:22 -0600
>
>Bryan,
>
>You don't have much choice if you want any other protocol than IP
>encapsulated. If security is not an issue, GRE without IPSEC would save you
>from extra overhead. However, if security is an issue, you have to use IPSEC
>on GRE tunneled traffic to secure it. GRE doesn't address security and IPSEC
>doesn't address any other protocol than IP.
>
>Hope this helps.
>
>Sam Munzani
>CCIE # 6479, CCDP, CCNP, CISSP, CCSE, SCO ACE
>
> > Yep, that is definitely a nice feature of Cisco's implementation of IPSec
> > tunnels, that they can re-encapsulate several encapsulation types including
> > GRE into an IPSec tunnel. For my job I design and configure VPNs on Lucent's
> > VPN routers and they can only re-encapsulate IP packets in IPSec. As my
> > company prepares to offer Cisco VPNs we have a lot of interested clients, so
> > I have to make sure I am prepared to implement a large scale Cisco VPN with
> > all of the bells and whistles we could offer with the Lucent VPN solution.
> > We do a lot of stuff where we send routes to a tunnel interface, not next
> > hops. The reason we do this is so that the company can have all of their
> > spoke sites locked down except for IPSec and IKE via an ACL. Then for
> > traffic destined for the Internet the spoke sites would have a default route
> > via the tunnel to the hub site. Then at the hub site you can have a
> > centrally located firewall for all Internet traffic. When you build tunnels
> > on the Lucent box you build instances of IPSec for each tunnel. Then when we
> > go to route down the tunnel, in Cisco terminology we would do something like
> > below.
> > example:
> > ip route 0.0.0.0 0.0.0.0 ipsec.15
> > The thing is, when you create an IPSec tunnel on a Cisco box you don't get a
> > virtual tunnel interface. I just wonder if you must build a GRE tunnel and
> > encapsulate twice to do something like this, which seems like unneeded
> > additional overhead? I am also trying to find documentation on the way Cisco
> > recommends doing something like this? I am very excited for the new Cisco
> > VPN book to come out on Dec. 15th, but until then...
> > Sorry for the long winded message.
> > Thanks
> >
> > >>>Brian
> >
> >
> > >From: "Larson, Chris (Contractor)" <Chris.Larson@ed.gov>
> > >To: 'Brian Lodwick' <xpranax@hotmail.com>
> > >Subject: RE: VPN questions
> > >Date: Thu, 6 Dec 2001 15:34:13 -0500
> > >
> > >The interesting things to do are like to put IPX through an IPSEC tunnel.
> > >Not terribly complicated once you know how, or putting only Telnet or TCP on
> > >certain ports though. Not really sooo complex but it makes the config a
> > >little more interesting.
> > >
> > >
> > >
> > >-----Original Message-----
> > >From: Brian Lodwick [mailto:xpranax@hotmail.com]
> > >Sent: Thursday, December 06, 2001 3:13 PM
> > >To: ccielab@groupstudy.com
> > >Subject: VPN questions
> > >
> > >
> > >I would like to find out how people are configuring their VPN's so that they
> > >can come up with complex situations.
> > >
> > >Is there a way to configure static routes to go down a certain tunnel?
> > >
> > >Since Cisco has implemented IKE keepalives into the newest code, does anyone
> > >know if you can configure HSRP to track the IPSec tunnel?
> > >
> > >Can you use policy routing pointing to tunnel interfaces?
> > >
> > >Has anyone successfully implemented a design running a routing protocol over
> > >the tunnels on a large scale fully meshed VPN?
> > >
> > >Has anyone done any testing to determine the impact using different
> > >transform sets has on throughput?
> > >
> > >Have you run into any bugs?
> > >
> > >Anything else interesting?
> > >
> > > >>>Brian

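As an added example for the question this thread keeps returning to (routing down a protected tunnel), and not configuration from any of the posters: one end of a GRE-over-IPsec tunnel on Cisco IOS, where the static route points at the Tunnel interface and the crypto map protects the GRE traffic that carries it. All addresses, names and the pre-shared key are constructed placeholders, and it assumes an IOS release that supports AES.

```cisco
! Phase 1: IKE policy and a pre-shared key for the remote tunnel endpoint
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.2
!
! Phase 2: transport mode is enough, since GRE already supplies the outer IP header
crypto ipsec transform-set GRE-SET esp-aes 256 esp-sha-hmac
 mode transport
!
! Protect only GRE between the two public endpoints; everything inside the
! tunnel (IP or not) is encrypted because it is all carried as GRE
access-list 101 permit gre host 203.0.113.1 host 203.0.113.2
!
crypto map GRE-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set GRE-SET
 match address 101
!
! The GRE tunnel provides the virtual interface that plain IPsec does not
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source 203.0.113.1
 tunnel destination 203.0.113.2
!
! Public-facing interface; the crypto map is applied where the GRE packets leave
interface Serial0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map GRE-MAP
!
! Route the remote LAN down the tunnel interface rather than to a next hop
ip route 10.1.1.0 255.255.255.0 Tunnel0
```

Older IOS releases also required the crypto map on the Tunnel interface itself; on those, apply GRE-MAP under both interface Tunnel0 and the physical interface.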

This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:32:39 GMT-3