RE: (IPSec alternatives)

From: R&S Groupstudy (R&SG@synergy-networking.co.uk)
Date: Thu Jun 12 2003 - 06:50:02 GMT-3


Hi,

Too many questions, let me explain!

1st of all, there's not a specific problem, I am starting to think about the
security cert and want to bring my knowledge up on VPN's.

I've been looking at CCO, specifically the FW features of the IOS, and
encryption.

I've looked through the tech notes and can see examples of:
1. configuring routers to encrypt based on source interface/address.
2. configuring routers to encrypt based on connected sites via GRE tunnels.

So there's the 1st comparison. I guess the 1st thing to note is that the
GRE solution works much better if you want to keep your routing simple and
you use private addressing.

3. configuring routers to terminate L2TP / PPTP tunnels from hosts, and then
encrypt the tunnel. This uses Cisco VPDN technology.

4. configuring routers to form multiple L2TP tunnels (and encrypt) between
multiple sites. Here the routers are configured to "dial" out between sites
to form the VPN's.

My question was, what do people think the pros and cons are of using each
method, and for example have they seen any stability issues.
What is the current best practice for forming a triangle of VPN's between
three different sites (IOSFW), GRE or VPDN?
I am sure there is a big "it depends" factor involved, but is there for
example a performance hit by encapsulating GRE? I'm assuming that the IOS
routers would have hardware encryption support....
By the way thanks for filling in the Subject title of this thread.

Adam

> ----------
> From: Howard C. Berkowitz
> Reply To: Howard C. Berkowitz
> Sent: Wednesday, June 11, 2003 11:05 PM
> To: 'ccielab@groupstudy.com'
> Subject: Re: (IPSec alternatives)
>
> At 8:57 PM +0100 6/11/03, R&S Groupstudy wrote:
> >Hi,
> >
> >Please can I hear peoples views on the following:
> >
> >I want to connect three sites together via the internet. (I just made this
> >up)
>
> Before going farther, you need to do a bit more defining of the problem
> you want to solve, as well as the technology. I think of VPDN as
> virtual private dial network, so where is the dialing if you are
> running over the Internet? To the ISP?
>
> Are there other kinds of data not requiring security that need to go
> over the same tunnels, which would be a reason for GRE?
>
> Where is the IPSec encryption taking place? Hosts? Your gateways? ISP
> gateways?
>
> >
> >I have FW IOS feature set routers .
> >
> >what are the pros and cons of implementing
> >
> >1. native IPSEC
> >2. IPSEC over GRE tunnels
> >3. IPsec using VPDN peering between routers.
> >
> >cheers
> >
> >Adam


