RE: IPSEC VPN Overlapping subnets with VRF-lite

From: Joseph Brunner (joe@affirmedsystems.com)
Date: Wed Aug 27 2008 - 01:04:03 ART


You don't need the complexity of VRF to do this...

You can create multiple GRE/IPsec tunnels and NAT between the branch offices and
the hub (and thereby each other).

The NAT can actually be done at the spoke site. This way the hub will only
be presented with the "after NAT" or inside global addresses for the branch
offices... ugly but it works...

The only interesting traffic on the VPN tunnels is the GRE traffic, which is
sourced from public IP address (IPsec source) to public IP address (IPsec
destination). You will not need to play around with adding private IPs (which
are being NATed) to IPsec ACLs.

Of course you will need plenty of modified DNS records internally for AD (if
you use Microsoft), etc. to make sure replication works and other internal
hosts see the "after NAT" address.

-Joe
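The spoke-side NAT that Joe describes, written out as an added Cisco IOS configuration example; this is not part of the original thread and not Joe's or Muhammad's config. Everything concrete in it is assumed: a hub at 203.0.113.1, a spoke at 198.51.100.10 whose LAN 192.168.1.0/24 is the same prefix every other spoke uses, a per-spoke "inside global" block 10.1.1.0/24 picked for this spoke (10.1.2.0/24 for the next, and so on), 172.16.0.0/30 for the tunnel, a hub LAN somewhere in 10.0.0.0/8 that does not collide with any of those, and a placeholder pre-shared key.

```ios
! ==== Spoke A (constructed example; all addresses and the PSK are placeholders) ====
!
! Phase 1 / Phase 2 to the hub. Only the GRE packets between the two public
! addresses are "interesting", so the crypto ACL never lists a private or
! NATed prefix and does not change when the LAN behind the spoke changes.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.1
!
crypto ipsec transform-set TS-GRE esp-aes 256 esp-sha256-hmac
 mode transport
!
ip access-list extended ACL-GRE-TO-HUB
 permit gre host 198.51.100.10 host 203.0.113.1
!
crypto map CM-HUB 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-GRE
 match address ACL-GRE-TO-HUB
!
interface GigabitEthernet0/0
 description Internet-facing, IPsec source
 ip address 198.51.100.10 255.255.255.0
 crypto map CM-HUB
!
interface GigabitEthernet0/1
 description LAN - 192.168.1.0/24, the same prefix at every spoke
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! The GRE tunnel is the NAT "outside", so the hub only ever sees 10.1.1.0/24
! from this spoke, never the overlapping 192.168.1.0/24.
interface Tunnel0
 description GRE to hub, carried inside the IPsec SA above
 ip address 172.16.0.2 255.255.255.252
 ip nat outside
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
!
! One-to-one static NAT of the whole LAN: 192.168.1.x <-> 10.1.1.x.
! Each spoke gets its own /24 in 10.1.0.0/16 (assumed allocation).
ip nat inside source static network 192.168.1.0 10.1.1.0 /24
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
! Hub LAN and the other spokes' translated blocks are all behind the tunnel
ip route 10.0.0.0 255.0.0.0 Tunnel0
!
! ==== Hub (only the per-spoke pieces; isakmp policy, key, transform set and
! ==== applying crypto map CM-SPOKES to the WAN interface mirror the spoke) ====
ip access-list extended ACL-GRE-FROM-SPOKE-A
 permit gre host 203.0.113.1 host 198.51.100.10
!
crypto map CM-SPOKES 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set TS-GRE
 match address ACL-GRE-FROM-SPOKE-A
!
interface Tunnel0
 description GRE to spoke A
 ip address 172.16.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.10
!
! The hub routes each spoke's *translated* block down that spoke's tunnel;
! it never has a route for 192.168.1.0/24 at all.
ip route 10.1.1.0 255.255.255.0 Tunnel0
```

Two checks are worth running once this is up: `show ip nat translations` on the spoke should list 192.168.1.x <-> 10.1.1.x pairs as hosts talk, and `show crypto ipsec sa` on either side should show a single SA whose selector is the GRE pair of public addresses, with the encrypt/decrypt counters rising as tunnel traffic flows. The one addressing constraint this design imposes is that the hub LAN and the translated blocks must not themselves overlap 192.168.1.0/24, since spoke hosts would treat those addresses as local and never send them to the router.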

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Muhammad Ahmed
Sent: Tuesday, August 26, 2008 11:53 PM
To: ccielab@groupstudy.com
Subject: IPSEC VPN Overlapping subnets with VRF-lite

Good evening all,

I am trying to come up with a solution so that multiple overlapping subnets
can create IPsec tunnels on a single hub router (central site) interface.
Google returns some references to using VRF-Lite and IPsec, but I cannot find
any detailed explanation or configuration example listed anywhere.

If someone knows how it can be done, please let me know.

Best regards,
Muhammad



This archive was generated by hypermail 2.1.4 : Mon Sep 01 2008 - 08:15:32 ART