From: Doherty Kevin SSgt 325CS/SCBN (Kevin.Doherty@xxxxxxxxxxxxxx)
Date: Wed Mar 06 2002 - 10:30:53 GMT-3
This document and others similar address this very problem. Cisco
recommends that you always establish GRE tunnels outside of the IPSEC links
in this situation. GRE will pass the routing MC updates through the IPSEC
link in a unicast format. HTH
http://www.cisco.com/warp/public/707/ipsec_gre.shtml
-----Original Message-----
From: Sandro Ciffali [mailto:sandyccie@yahoo.com]
Sent: Tuesday, March 05, 2002 4:57 PM
To: Shadi; Ahmed Mamoor Amimi
Cc: ccielab
Subject: Re: IPSec question
I had the same problem working with eigrp and ipsec, I
had to deny eigrp any any, here is the link which said
to deny multicast with ipsec,
Here it is, I don't know how new this link is, But it
clearly says "Currently encryption of broadcast and
multicast packet is not supported. If secure routing
updates are important in the network design, a
protocol with authentication built in should be used."
Check at
http://www.cisc.com/warp/public/707/13.html
Sandro
--- Shadi <ccie@investorsgrp.com> wrote:
> Hi all,
>
> Does IPsec work with Multicasting? I was trying to
> encrypt a link between
> two routers having OSPF routing protocol between
> them, they could not make
> adjacency between them, and it says that IPsec is not
> encrypting 224.0.0.5
>
> So is there any way to make IPSEC work with
> Multicasting?
>
>
> ----- Original Message -----
> From: "Ahmed Mamoor Amimi" <mamoor@ieee.org>
> To: "Lab Candidate" <labccie@yahoo.com>;
> <ccielab@groupstudy.com>
> Sent: Tuesday, March 05, 2002 7:19 AM
> Subject: Re: IPSec question
>
>
> > ur right ...
> > that is the only access-list that u have to apply
> > and IPSec will take care
> > of the traffic that is returning or coming in to
> > that
> > match the access-list.... by saying MATCH the
> > ACCESS-LIST means that IPSec
> > will try to match the destination of the
> > packet with the source of the access-list if they
> > match and data
> > unprotected
> > then IPSec will drop the packet considering it
> > as not from the same sender that I have sent to
> > ....
> > That is why CISCO recommends that when making
> > access-list on both side
> > make sure that they are identical so both side
> > could send protected data.
> >
> > -Mamoor
> >
> >
> > ----- Original Message -----
> > From: Lab Candidate <labccie@yahoo.com>
> > To: <ccielab@groupstudy.com>
> > Sent: Tuesday, March 05, 2002 9:58 AM
> > Subject: IPSec question
> >
> >
> > > IPSec inbound traffic is processed against the
> > > crypto map entries, if an
> > > unprotected packet
> > > matches a permit entry in a particular access
> > > list associated with an
> > > IPSec crypto map entry, that
> > > packet is dropped.
> > > But on a second thought, the ACL is defined for
> > > outgoing traffic only,
> > > checking inbound traffic
> > > against it is backwards. My question is does the
> > > IOS software reverse
> > > the
> > > ACL order while checking
> > > on incoming traffic like it was going outbound?
> > > I don't believe that you
> > > need to define separate
> > > lines in ACL for incoming traffic, only the
> > > lines pertaining to outbound
> > > traffic are used for
> > > checkup. Please confirm my understanding. TIA...
> > >
> > > ---
> > >
> > >
> > >
> > >
> > >
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:56:54 GMT-3
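
A simplified model of the crypto ACL behaviour discussed in this thread, added here as an illustration and not written by any of the posters: it checks that two peers' crypto ACLs mirror each other and applies the outbound ACL in reverse to an inbound packet. The ACL lines, addresses and function names are constructed for the example, and only the `access-list N action proto src wildcard dst wildcard` form is parsed.

```python
import ipaddress

# Constructed sample crypto ACLs for two peers (not taken from the thread).
ROUTER_A = ["access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255",
            "access-list 101 permit gre 192.0.2.1 0.0.0.0 192.0.2.2 0.0.0.0"]
ROUTER_B = ["access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255"]

def parse_entry(line):
    """Return (action, proto, (src, wildcard), (dst, wildcard))."""
    t = line.split()
    if len(t) != 8 or t[0] != "access-list":
        raise ValueError("unsupported ACL line: " + line)
    return (t[2], t[3], (t[4], t[5]), (t[6], t[7]))

def mirror(entry):
    """Swap source and destination, as the peer's ACL should have it."""
    action, proto, src, dst = entry
    return (action, proto, dst, src)

def unmirrored(local_acl, remote_acl):
    """Local lines that have no mirrored counterpart on the peer."""
    remote = {parse_entry(line) for line in remote_acl}
    return [line for line in local_acl
            if mirror(parse_entry(line)) not in remote]

def _covers(net, addr):
    """True if addr falls inside an address/wildcard pair."""
    base, wild = (int(ipaddress.IPv4Address(x)) for x in net)
    keep = ~wild & 0xFFFFFFFF          # bits the wildcard says must match
    return int(ipaddress.IPv4Address(addr)) & keep == base & keep

def inbound_verdict(acl, proto, src, dst, protected):
    """First-match lookup of an inbound packet against the outbound ACL,
    with source and destination swapped. 'bypass' means the crypto map
    does not select the packet at all."""
    for line in acl:
        action, p, a_src, a_dst = parse_entry(line)
        if p in ("ip", proto) and _covers(a_src, dst) and _covers(a_dst, src):
            if action != "permit":
                return "bypass"
            return "accept" if protected else "drop"
    return "bypass"

if __name__ == "__main__":
    print("missing on peer:", unmirrored(ROUTER_A, ROUTER_B))
    # Clear-text reply from the protected subnet: matched in reverse, dropped.
    print(inbound_verdict(ROUTER_A, "tcp", "10.2.2.5", "10.1.1.9", False))
    # OSPF hello to 224.0.0.5: no unicast entry selects it.
    print(inbound_verdict(ROUTER_A, "ospf", "10.2.2.1", "224.0.0.5", False))
```

The OSPF hello to 224.0.0.5 is never selected by the unicast entries, which is why the first reply in this thread points to carrying routing updates inside a GRE tunnel that the crypto ACL does match.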