From: Muhammad Ahmed (faisal3541@hotmail.com)
Date: Wed Aug 27 2008 - 13:27:16 ART
Petr Lapukhov from Internetworkexpert.com wrote a very interesting and good blog on EzVPN and VRF-Lite, but in his write-up he is using EzVPN client mode, which essentially takes care of the remote overlapping subnets anyway. As I have no knowledge of VRF(s) I must be missing something, as I know Petr is an expert just by reading his postings in the IE Blog.

http://blog.internetworkexpert.com/2008/06/15/easy-vpn-combined-with-vrf-lite-2/#more-127

Essentially I am trying to "do the Brains from IE", though I am beginning to realize it might be impossible to "do the Brian Dennis or Brian McGahan from IE". This should be a new phrase in the English dictionary. I attended his 12-Day R&S bootcamp and was impressed to find out some of the ways individual technologies can be combined and used to devise a solution even though the architects of the technologies did not intend them to be used for that purpose.

Yes, I am brown nosing and hoping one of the Brains would be amused enough to reply to this post with some thoughts about solving the overlapping subnets issue on IPSEC tunnels without NAT.

Best regards,
Muhammad
> Subject: RE: IPSEC VPN Overlapping subnets with VRF-lite
> Date: Wed, 27 Aug 2008 15:07:57 +0200
> From: Shaughn.Smith@za.verizonbusiness.com
> To: faisal3541@hotmail.com; joe@affirmedsystems.com; ccielab@groupstudy.com
>
> First of all VRF lite will not work without this
>
> > MPLS backbone or MPLS VPN(s) shall not be used.
>
> Your options are limited then to IPSEC tunnels. Not sure how you are going to get around the duplicate subnet issues
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Muhammad Ahmed
> Sent: Wednesday, August 27, 2008 3:01 PM
> To: Joseph Brunner; ccielab@groupstudy.com
> Subject: RE: IPSEC VPN Overlapping subnets with VRF-lite
>
> Thanks Joe. I forgot to mention the restriction is not to use NAT at either Hub or Spokes. That's why I am hoping to find a solution using VRF-Lite. As I do not understand VRF(s) at all, I do not know if VRF-Lite can solve the issue.
>
> I am not looking for a solution on a plate, I wish, only a validation of a possibility using VRF-Lite. If the experts on this list say yes, it can be done and hopefully point to some links, I would take it to the LAB, test it and validate the POC.
>
> The requirements are as follows:
> NAT cannot be configured on the Hub or the Spokes.
> MPLS backbone or MPLS VPN(s) shall not be used.
> GRE Tunnels cannot be used.
> All IPSEC VPN(s) terminate on a single interface on a Cisco router.
> Multiple logical interfaces on this router provide connectivity to multiple unique internal subnet(s)/VLAN(s).
> Multiple remote overlapping subnet(s) shall be reachable from the unique internal subnet(s) over the encrypted tunnel(s).
>
> Any help would be greatly appreciated.
>
> Best Regards,
> Muhammad
>
> > Date: Wed, 27 Aug 2008 00:04:03 -0400
> > From: joe@affirmedsystems.com
> > Subject: RE: IPSEC VPN Overlapping subnets with VRF-lite
> > To: faisal3541@hotmail.com; ccielab@groupstudy.com
> >
> > You don't need the complexity of VRF to do this...
> >
> > You can create multiple gre/ipsec tunnels nat between the branch offices and the hub (and thereby each other)
> >
> > The nat can actually be done at the spoke site. This way the hub will only be presented with the "after nat" or inside global addresses for the branch offices... ugly but it works...
> >
> > The only interesting traffic on the vpn tunnels is the GRE traffic which is sourced from public ip address (ipsec source) to public ip address (ipsec destination). You will not need to play around with adding private ip (which are being natted to ipsec acl's)
> >
> > Of course you will need plenty of modified dns records internally for AD (if you use Microsoft), etc. to make sure replication works and other internal hosts see the "after nat" address.
> >
> > -Joe
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Muhammad Ahmed
> > Sent: Tuesday, August 26, 2008 11:53 PM
> > To: ccielab@groupstudy.com
> > Subject: IPSEC VPN Overlapping subnets with VRF-lite
> >
> > Good evening all,
> >
> > I am trying to come up with a solution so that multiple overlapping subnets can create IPSEC tunnels on a single hub router (central site) interface. Google returns some references of using VRF-Lite and IPSEC but I cannot find any detailed explanation or configuration example listed anywhere.
> >
> > If someone knows how it can be done, please let me know.
> >
> > Best regards,
> > Muhammad
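The following hub configuration is an added illustration for this thread; it is not from any of the posts above nor from the Internetworkexpert blog they cite (which uses EzVPN). It shows Cisco IOS VRF-aware IPsec with a static crypto map instead: both spokes terminate on one global-table interface, no NAT, GRE or MPLS is used, and the `vrf` line in each ISAKMP profile places that peer's decrypted traffic into its own VRF, so two spokes that both use 192.168.1.0/24 no longer collide in the hub's routing table. Every VRF name, interface, address and key below is assumed (RFC 5737 and RFC 1918 documentation ranges, placeholder keys); the spoke side is an ordinary site-to-site crypto map and is omitted. The caveat the requirements list leaves open is also visible here: each internal VLAN lives in exactly one VRF, so VLAN 10 reaches spoke A's 192.168.1.0/24 and VLAN 20 reaches spoke B's copy, but a single host cannot address both overlapping remote subnets without some translation in the path.

```cisco
! Added example (not from the thread): hub-side VRF-aware IPsec, one global
! WAN interface, two spokes that both sit behind 192.168.1.0/24.
! All names, addresses and keys are assumed values for illustration.
!
ip vrf SPOKE-A
 rd 65000:1
!
ip vrf SPOKE-B
 rd 65000:2
!
! One keyring per peer. No "vrf" keyword on the keyring: the peers are reached
! through the global table, so the front-door VRF is the global table.
crypto keyring KR-SPOKE-A
 pre-shared-key address 203.0.113.10 key PLACEHOLDER-KEY-A
crypto keyring KR-SPOKE-B
 pre-shared-key address 203.0.113.20 key PLACEHOLDER-KEY-B
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
! The "vrf" line selects the inside VRF: packets decrypted from this peer are
! routed in that VRF, which is what keeps the two identical prefixes apart.
crypto isakmp profile ISAKMP-SPOKE-A
 vrf SPOKE-A
 keyring KR-SPOKE-A
 match identity address 203.0.113.10 255.255.255.255
crypto isakmp profile ISAKMP-SPOKE-B
 vrf SPOKE-B
 keyring KR-SPOKE-B
 match identity address 203.0.113.20 255.255.255.255
!
crypto ipsec transform-set TS-AES esp-aes esp-sha-hmac
!
! Proxy ACLs: the remote prefix is the same for both spokes; only the hub-side
! source prefix differs. The VRF, not the ACL, disambiguates the destination.
ip access-list extended CRYPTO-SPOKE-A
 permit ip 10.1.10.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended CRYPTO-SPOKE-B
 permit ip 10.1.20.0 0.0.0.255 192.168.1.0 0.0.0.255
!
crypto map HUB-MAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS-AES
 set isakmp-profile ISAKMP-SPOKE-A
 match address CRYPTO-SPOKE-A
crypto map HUB-MAP 20 ipsec-isakmp
 set peer 203.0.113.20
 set transform-set TS-AES
 set isakmp-profile ISAKMP-SPOKE-B
 match address CRYPTO-SPOKE-B
!
! Single public-facing interface in the global table; both tunnels end here.
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map HUB-MAP
!
! Internal VLANs: each logical sub-interface is placed in the VRF of the one
! spoke it must reach.
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip vrf forwarding SPOKE-A
 ip address 10.1.10.1 255.255.255.0
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip vrf forwarding SPOKE-B
 ip address 10.1.20.1 255.255.255.0
!
! Per-VRF route for the remote prefix with a global next hop, so the packet
! leaves via the global WAN interface and is matched by the crypto map.
ip route vrf SPOKE-A 192.168.1.0 255.255.255.0 198.51.100.254 global
ip route vrf SPOKE-B 192.168.1.0 255.255.255.0 198.51.100.254 global
ip route 0.0.0.0 0.0.0.0 198.51.100.254
```

To check it in the lab, `show crypto session` should list one IKE SA per peer, and `show ip route vrf SPOKE-A` and `show ip route vrf SPOKE-B` should each carry their own 192.168.1.0/24 entry while the global table has none. A ping sourced from 10.1.10.1 in VRF SPOKE-A and one from 10.1.20.1 in VRF SPOKE-B to the same 192.168.1.x address should bring up two separate IPsec SAs, one per crypto map entry.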
This archive was generated by hypermail 2.1.4 : Mon Sep 01 2008 - 08:15:32 ART