From: Muhammad Ahmed (faisal3541@hotmail.com)
Date: Wed Aug 27 2008 - 10:01:17 ART
Thanks Joe. I forgot to mention the restriction is not to use NAT at either
Hub or Spokes. That's why I am hoping to find a solution using VRF-Lite. As I
do not understand VRF(s) at all, I do not know if VRF-Lite can solve the
issue.
I am not looking for a solution on a plate (I wish), only a validation of a
possibility using VRF-Lite. If the experts on this list say yes, it can be
done, and hopefully point to some links, I would take it to the LAB, test it
and validate the POC.
The requirements are as follows:
NAT cannot be configured on the Hub or the Spokes.
MPLS backbone or MPLS VPN(s) shall not be used.
GRE Tunnels cannot be used.
All IPSEC VPN(s) terminate on a single interface on a Cisco router.
Multiple logical interfaces on this router provide connectivity to multiple
unique internal subnet(s)/VLAN(s).
Multiple remote overlapping subnet(s) shall be reachable from the unique
internal subnet(s) over the encrypted tunnel(s).
Any help would be greatly appreciated.
Best Regards,
Muhammad
> Date: Wed, 27 Aug 2008 00:04:03 -0400
> From: joe@affirmedsystems.com
> Subject: RE: IPSEC VPN Overlapping subnets with VRF-lite
> To: faisal3541@hotmail.com; ccielab@groupstudy.com
>
> You don't need the complexity of VRF to do this...
>
> You can create multiple gre/ipsec tunnels nat between the branch offices and
> the hub (and thereby each other)
>
> The nat can actually be done at the spoke site. This way the hub will only be
> presented with the "after nat" or inside global addresses for the branch
> offices... ugly but it works...
>
> The only interesting traffic on the vpn tunnels is the GRE traffic which is
> sourced from public ip address (ipsec source) to public ip address (ipsec
> destination). You will not need to play around with adding private ip (which
> are being natted) to ipsec acl's
>
> Of course you will need plenty of modified dns records internally for AD (if
> you use Microsoft), etc. to make sure replication works and other internal
> hosts see the "after nat" address.
>
> -Joe
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Muhammad Ahmed
> Sent: Tuesday, August 26, 2008 11:53 PM
> To: ccielab@groupstudy.com
> Subject: IPSEC VPN Overlapping subnets with VRF-lite
>
> Good evening all,
>
> I am trying to come up with a solution so that multiple overlapping subnets
> can create IPSEC tunnels on a single hub router (central site) interface.
> Google returns some references of using VRF-Lite and IPSEC but I cannot find
> any detailed explanation or configuration example listed anywhere.
>
> If someone knows how it can be done, please let me know.
>
> Best regards,
> Muhammad
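Added example, not from the thread or from any poster: a hub-side IOS configuration sketch of VRF-aware IPsec (the VRF-Lite direction Muhammad asks about), where an ISAKMP profile binds each spoke peer to its own inside VRF so two spokes that both use 10.1.1.0/24 can terminate on one public interface with no NAT, no GRE and no MPLS. VRF names, interfaces, addresses (RFC 5737 documentation ranges) and pre-shared keys are constructed placeholders.

```cisco
ip vrf SPOKE_A
 rd 65000:1
ip vrf SPOKE_B
 rd 65000:2
crypto keyring KR_A
 pre-shared-key address 203.0.113.10 key PSK-A-PLACEHOLDER
crypto keyring KR_B
 pre-shared-key address 203.0.113.20 key PSK-B-PLACEHOLDER
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
! ISAKMP profile binds each peer to its inside VRF (IVRF), so both 10.1.1.0/24 stay separate
crypto isakmp profile PROF_A
 vrf SPOKE_A
 keyring KR_A
 match identity address 203.0.113.10 255.255.255.255
crypto isakmp profile PROF_B
 vrf SPOKE_B
 keyring KR_B
 match identity address 203.0.113.20 255.255.255.255
crypto ipsec transform-set TS esp-aes esp-sha-hmac
ip access-list extended CRYPTO_A
 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
ip access-list extended CRYPTO_B
 permit ip 192.168.2.0 0.0.0.255 10.1.1.0 0.0.0.255
crypto map HUB 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS
 set isakmp-profile PROF_A
 match address CRYPTO_A
crypto map HUB 20 ipsec-isakmp
 set peer 203.0.113.20
 set transform-set TS
 set isakmp-profile PROF_B
 match address CRYPTO_B
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map HUB
! Each internal VLAN is placed in the VRF of the spoke it must reach
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip vrf forwarding SPOKE_A
 ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip vrf forwarding SPOKE_B
 ip address 192.168.2.1 255.255.255.0
ip route vrf SPOKE_A 10.1.1.0 255.255.255.0 198.51.100.254 global
ip route vrf SPOKE_B 10.1.1.0 255.255.255.0 198.51.100.254 global
```

Because the remote prefix is identical in both VRFs, each internal VLAN can reach only the copy of 10.1.1.0/24 in its own VRF; a single VLAN that must reach both copies still needs address translation somewhere, which is the restriction Joe's reply works around with NAT.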
This archive was generated by hypermail 2.1.4 : Mon Sep 01 2008 - 08:15:32 ART