From: Chris Larson (clarson52@xxxxxxxx)
Date: Thu Dec 06 2001 - 19:41:11 GMT-3
You could say ip route 10.1.1.0 255.255.255.0 serial0.
Serial 0 has a crypto map that says to encrypt traffic to 10.1.1.0,
or you might not be IPSEC'ing the routing protocol, so you would have a next
hop and the next hop for 10.1.1.0 would already be in your table and the
crypto map would only define certain traffic based on ports that gets
encrypted.
----- Original Message -----
From: "Brian Lodwick" <xpranax@hotmail.com>
To: <sam@munzani.com>
Cc: <ccielab@groupstudy.com>
Sent: Thursday, December 06, 2001 5:20 PM
Subject: Re: VPN questions
> I understand that you must re-encapsulate the GRE tunnel in an IPSec tunnel
> if you want to use any protocol other than IP, but what I am saying is
> how can you route down a specific tunnel if you aren't using a GRE tunnel?
> If you create a GRE tunnel you are creating a virtual tunnel interface, but
> when you create an IPSec tunnel a virtual tunnel is not created. Therefore
> you cannot route down a tunnel.
> So how could you ever route down the IPSec tunnel without a GRE tunnel? Even
> if you were only encapsulating IP in IPSec, you cannot say
> ip route 10.1.1.0 255.255.255.0 tunnel 0
> for an IPsec tunnel unless you use a GRE tunnel, correct?
> I just wonder if there is a way to create a Virtual Tunnel interface with
> IPSec as the encapsulation type, instead of encapsulating twice.
>
> >>>Brian
>
>
> >From: "Sam Munzani" <sam@munzani.com>
> >Reply-To: "Sam Munzani" <sam@munzani.com>
> >To: "Brian Lodwick" <xpranax@hotmail.com>, <Chris.Larson@ed.gov>
> >CC: <ccielab@groupstudy.com>
> >Subject: Re: VPN questions
> >Date: Thu, 6 Dec 2001 16:01:22 -0600
> >
> >Bryan,
> >
> >You don't have much choice if you want any other protocol than IP
> >encapsulated. If security is not an issue, GRE without IPSEC would save you
> >from extra overhead. However, if security is an issue, you have to use IPSEC
> >on GRE tunneled traffic to secure it. GRE doesn't address security and IPSEC
> >doesn't address any other protocol than IP.
> >
> >Hope this helps.
> >
> >Sam Munzani
> >CCIE # 6479, CCDP, CCNP, CISSP, CCSE, SCO ACE
> >
> > > Yep, that is definitely a nice feature of Cisco's implementation of IPSec
> > > tunnels, that they can re-encapsulate several encapsulation types including
> > > GRE into an IPSec tunnel. For my job I design and configure VPNs on Lucent's
> > > VPN routers and they can only re-encapsulate IP packets in IPSec. As my
> > > company prepares to offer Cisco VPNs we have a lot of interested clients, so
> > > I have to make sure I am prepared to implement a large scale Cisco VPN with
> > > all of the bells and whistles we could offer with the Lucent VPN solution.
> > > We do a lot of stuff where we send routes to a tunnel interface, not next
> > > hops. The reason we do this is so that the company can have all of their
> > > spoke sites locked down except for IPSec and IKE via an ACL. Then for
> > > traffic destined for the Internet the spoke sites would have a default route
> > > via the tunnel to the hub site. Then at the hub site you can have a
> > > centrally located firewall for all Internet traffic. When you build tunnels
> > > on the Lucent box you build instances of IPSec for each tunnel. Then when
> > > we go to route down the tunnel in Cisco terminology we would do something
> > > like below.
> > > example:
> > > ip route 0.0.0.0 0.0.0.0 ipsec.15
> > > The thing is when you create an IPSec tunnel on a Cisco box you don't get
> > > a virtual tunnel interface. I just wonder if you must build a GRE tunnel
> > > and encapsulate twice to do something like this, which seems like unneeded
> > > additional overhead? I am also trying to find documentation on the way
> > > Cisco recommends doing something like this? I am very excited for the new
> > > Cisco VPN book to come out on Dec. 15th, but until then...
> > > Sorry for the long winded message.
> > > Thanks
> > >
> > > >>>Brian
> > >
> > >
> > > >From: "Larson, Chris (Contractor)" <Chris.Larson@ed.gov>
> > > >To: 'Brian Lodwick' <xpranax@hotmail.com>
> > > >Subject: RE: VPN questions
> > > >Date: Thu, 6 Dec 2001 15:34:13 -0500
> > > >
> > > >The interesting things to do are like to put IPX through an IPSEC tunnel.
> > > >Not terribly complicated once you know how, or putting only Telnet or TCP
> > > >on certain ports though. Not really sooo complex but it makes the config a
> > > >little more interesting.
> > > >
> > > >
> > > >
> > > >-----Original Message-----
> > > >From: Brian Lodwick [mailto:xpranax@hotmail.com]
> > > >Sent: Thursday, December 06, 2001 3:13 PM
> > > >To: ccielab@groupstudy.com
> > > >Subject: VPN questions
> > > >
> > > >
> > > >I would like to find out how people are configuring their VPN's so that
> > > >they can come up with complex situations.
> > > >
> > > >Is there a way to configure static routes to go down a certain tunnel?
> > > >
> > > >Since Cisco has implemented IKE keepalives into the newest code, does
> > > >anyone know if you can configure HSRP to track the IPSec tunnel?
> > > >
> > > >Can you use policy routing pointing to tunnel interfaces?
> > > >
> > > >Has anyone successfully implemented a design running a routing protocol
> > > >over the tunnels on a large scale fully meshed VPN?
> > > >
> > > >Has anyone done any testing to determine the impact using different
> > > >transform sets has on throughput?
> > > >
> > > >Have you run into any bugs?
> > > >
> > > >Anything else interesting?
> > > >
> > > > >>>Brian
> > > >
> > > >
> > > >
> > > >
> > > >
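Added example, not part of the thread above: a spoke-router configuration of the design the thread converges on (GRE over IPsec with a crypto map on the physical interface, a static default route pointing at the Tunnel interface, and the WAN side locked down to IKE and ESP). All addresses, names (GRE-TO-HUB, HUB-VPN, WAN-IN, GRE-TS) and the pre-shared-key placeholder are illustrative; the cipher and hash keywords are IOS 15 syntax, not what a 2001 IOS image would accept.

```cisco
! Spoke router, GRE over IPsec (added example, not from the thread).
! Illustrative addresses: spoke WAN 192.0.2.1, hub WAN 203.0.113.1,
! spoke LAN 10.2.2.0/24, tunnel link 10.255.0.0/30.
!
! --- IKE (ISAKMP) policy and pre-shared key for the hub ---
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp keepalive 10 3
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.1
!
! --- IPsec transform set; transport mode suffices because GRE already
!     supplies an outer IP header between the same two endpoints ---
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
! --- Crypto ACL: what gets encrypted is the GRE traffic between the
!     tunnel endpoints, not the inner subnets. Anything that does not
!     match a crypto ACL leaves Serial0 in the clear. ---
ip access-list extended GRE-TO-HUB
 permit gre host 192.0.2.1 host 203.0.113.1
!
crypto map HUB-VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set GRE-TS
 match address GRE-TO-HUB
!
! --- WAN lock-down: only IKE (500 and NAT-T 4500) and ESP from the hub.
!     The GRE line is conservative, for IOS versions that re-evaluate the
!     decrypted packet against the inbound ACL. ---
ip access-list extended WAN-IN
 permit udp host 203.0.113.1 host 192.0.2.1 eq isakmp
 permit udp host 203.0.113.1 host 192.0.2.1 eq non500-isakmp
 permit esp host 203.0.113.1 host 192.0.2.1
 permit gre host 203.0.113.1 host 192.0.2.1
 deny   ip any any log
!
! --- GRE tunnel: the virtual interface the static route points at ---
interface Tunnel0
 ip address 10.255.0.2 255.255.255.252
 ip mtu 1400
 tunnel source Serial0
 tunnel destination 203.0.113.1
!
interface Serial0
 ip address 192.0.2.1 255.255.255.252
 ip access-group WAN-IN in
 crypto map HUB-VPN
!
interface Ethernet0
 description spoke LAN
 ip address 10.2.2.1 255.255.255.0
!
! --- Routing: a host route keeps the hub's WAN address reachable over
!     Serial0 (otherwise the default route below would try to send the
!     tunnel's own encapsulated packets back into the tunnel), and
!     everything else, Internet traffic included, goes down Tunnel0 to
!     the hub's central firewall. ---
ip route 203.0.113.1 255.255.255.255 Serial0
ip route 0.0.0.0 0.0.0.0 Tunnel0
```

Two points worth checking against this config. First, the `ip route ... serial0` form Chris describes works the same way here: the route only selects the exit interface, and it is the crypto ACL on that interface that decides what gets encrypted, so a subnet route pointed at a physical interface whose crypto ACL does not match that traffic sends it unencrypted. That is also why "route everything down the tunnel" fits GRE-over-IPsec better than a bare crypto map: the crypto ACL would otherwise have to match `any`. Second, this is a 2001 design; later IOS releases added IPsec Virtual Tunnel Interfaces (`interface Tunnel0` with `tunnel mode ipsec ipv4` and `tunnel protection ipsec profile <name>`), which is exactly the IPsec-encapsulated virtual interface Brian asks about, and `tunnel protection` can also replace the crypto map on a GRE tunnel when non-IP protocols or multicast still require GRE.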
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:32:39 GMT-3