From: Shaughn Smith (Shaughn.Smith@za.verizonbusiness.com)
Date: Wed Aug 27 2008 - 10:07:57 ART
First of all, VRF-lite will not work without this:
MPLS backbone or MPLS VPN(s) shall not be used.
Your options are limited then to IPsec tunnels. Not sure how you are going to get around the duplicate subnet issues.
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Muhammad Ahmed
Sent: Wednesday, August 27, 2008 3:01 PM
To: Joseph Brunner; ccielab@groupstudy.com
Subject: RE: IPSEC VPN Overlapping subnets with VRF-lite
Thanks Joe. I forgot to mention the restriction is not to use NAT at either Hub or Spokes. That's why I am hoping to find a solution using VRF-Lite. As I do not understand VRF(s) at all, I do not know if VRF-Lite can solve the issue.
I am not looking for a solution on a plate, I wish only a validation of a possibility using VRF-Lite. If the experts on this list say yes, it can be done, and hopefully point to some links, I would take it to the LAB, test it and validate the POC.
The requirements are as follows:
NAT cannot be configured on the Hub or the Spokes.
MPLS backbone or MPLS VPN(s) shall not be used.
GRE Tunnels cannot be used.
All IPsec VPN(s) terminate on a single interface on a Cisco router.
Multiple logical interfaces on this router provide connectivity to multiple unique internal subnet(s)/VLAN(s).
Multiple remote overlapping subnet(s) shall be reachable from the unique internal subnet(s) over the encrypted tunnel(s).
Any help would be greatly appreciated.
Best Regards,
Muhammad
> Date: Wed, 27 Aug 2008 00:04:03 -0400
> From: joe@affirmedsystems.com
> Subject: RE: IPSEC VPN Overlapping subnets with VRF-lite
> To: faisal3541@hotmail.com; ccielab@groupstudy.com
>
> You don't need the complexity of VRF to do this...
>
> You can create multiple GRE/IPsec tunnels, NAT between the branch offices and the hub (and thereby each other).
>
> The NAT can actually be done at the spoke site. This way the hub will only be presented with the "after NAT" or inside global addresses for the branch offices... ugly but it works...
>
> The only interesting traffic on the VPN tunnels is the GRE traffic, which is sourced from public IP address (IPsec source) to public IP address (IPsec destination). You will not need to play around with adding private IPs (which are being NATted) to IPsec ACLs.
>
> Of course you will need plenty of modified DNS records internally for AD (if you use Microsoft), etc. to make sure replication works and other internal hosts see the "after NAT" address.
>
> -Joe
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Muhammad Ahmed
> Sent: Tuesday, August 26, 2008 11:53 PM
> To: ccielab@groupstudy.com
> Subject: IPSEC VPN Overlapping subnets with VRF-lite
>
> Good evening all,
>
> I am trying to come up with a solution so that multiple overlapping subnets can create IPsec tunnels on a single hub router (central site) interface. Google returns some references of using VRF-Lite and IPsec but I cannot find any detailed explanation or configuration example listed anywhere.
>
> If someone knows how it can be done, please let me know.
>
> Best regards,
> Muhammad
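Added illustration, not posted by anyone in this thread and not lab-validated by them: the configuration pattern the original question is asking about is Cisco IOS "VRF-Aware IPsec", which needs no MPLS, no GRE and no NAT. Each spoke's IKE session is matched to its own ISAKMP profile, and the profile's `vrf` statement (the "inside VRF") decides which routing table the decrypted traffic lands in, so two spokes that both use 192.168.1.0/24 never meet in the same table. All names, addresses (RFC 5737 test ranges) and pre-shared keys below are placeholders assumed for the example; the hub's WAN interface stays in the global table with a single crypto map applied.

```cisco
! ---- one inside VRF per spoke; rd is required before interfaces can join ----
ip vrf SPOKE-A
 rd 65000:1
ip vrf SPOKE-B
 rd 65000:2
!
! ---- IKE phase 1: one keyring per peer, PSK is a placeholder ----
crypto keyring KR-A
 pre-shared-key address 203.0.113.10 key CHANGE-ME-A
crypto keyring KR-B
 pre-shared-key address 203.0.113.20 key CHANGE-ME-B
!
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
!
! ---- the profile binds a peer identity to its inside VRF ----
crypto isakmp profile PROF-A
 vrf SPOKE-A
 keyring KR-A
 match identity address 203.0.113.10 255.255.255.255
crypto isakmp profile PROF-B
 vrf SPOKE-B
 keyring KR-B
 match identity address 203.0.113.20 255.255.255.255
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
! ---- crypto ACLs: remote side overlaps (192.168.1.0/24 at both spokes),
! ---- so the unique hub-side subnets are what keeps the two entries distinct
ip access-list extended VPN-A
 permit ip 10.10.1.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended VPN-B
 permit ip 10.20.1.0 0.0.0.255 192.168.1.0 0.0.0.255
!
crypto map CM 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS
 set isakmp-profile PROF-A
 match address VPN-A
crypto map CM 20 ipsec-isakmp
 set peer 203.0.113.20
 set transform-set TS
 set isakmp-profile PROF-B
 match address VPN-B
!
! ---- single WAN interface, global table, one crypto map ----
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map CM
!
! ---- unique internal VLANs, each placed in its spoke's VRF ----
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip vrf forwarding SPOKE-A
 ip address 10.10.1.1 255.255.255.0
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip vrf forwarding SPOKE-B
 ip address 10.20.1.1 255.255.255.0
!
! ---- per-VRF route for the (identical) remote prefix, leaked out the
! ---- global WAN interface so the crypto map can encrypt it
ip route vrf SPOKE-A 192.168.1.0 255.255.255.0 GigabitEthernet0/0 198.51.100.254
ip route vrf SPOKE-B 192.168.1.0 255.255.255.0 GigabitEthernet0/0 198.51.100.254
ip route 0.0.0.0 0.0.0.0 198.51.100.254
```

Two things to check in the lab. First, `show crypto session detail` should list each peer with its IVRF, and `show ip route vrf SPOKE-A` must carry 192.168.1.0/24 independently of SPOKE-B. Second, the design only holds because the hub-side subnets are unique: a host in VLAN 10 reaches spoke A's 192.168.1.0/24 and a host in VLAN 20 reaches spoke B's copy, but nothing on the hub can address both copies from one source subnet, and spoke-to-spoke traffic between the overlapping networks is not possible without the NAT the requirements forbid.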
This archive was generated by hypermail 2.1.4 : Mon Sep 01 2008 - 08:15:32 ART