Re: IPSEC transport mode & crypto map local address...???

From: Piotr Matusiak <pitt2k_at_gmail.com>
Date: Mon, 31 May 2010 23:21:02 +0200

Hi Sadiq,

1. LAN to LAN IPSec VPN using crypto-ACL: no matter what mode is configured,
Tunnel Mode will be used. If you use GRE tunnels (DMVPN or GREoverIPSec),
you can use Tunnel or Transport mode. Transport mode would save 20 bytes and
is recommended for DMVPN as it works better with NAT.

2. GETVPN should be configured using Tunnel Mode to take advantage of header
authentication. ESP does not authenticate outer IP Header in transport mode.

HTH,

--
Piotr Matusiak
CCIE #19860 (R&S, Security)
Technical Instructor
website: www.MicronicsTraining.com
blog: www.ccie1.com
If you can't explain it simply, you don't understand it well enough -
Albert Einstein
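As an added illustration (not part of Piotr's or Sadiq's mails), a small Python model of the ESP layout for a GRE-over-IPsec packet in transport versus tunnel mode: it shows the 20 bytes of plaintext that transport mode saves (the on-wire saving then depends on cipher-block padding) and that only tunnel mode puts a copy of the IP header used for delivery inside the ESP integrity scope. Header sizes are assumptions for an AES-CBC / HMAC-SHA1-96 style transform, not values from the thread.

```python
# ESP encapsulation model (RFC 4303 field order) for GRE over IPsec, comparing
# transport and tunnel mode. Added example; the sizes are assumptions for an
# esp-aes / esp-sha-hmac style transform, not taken from the thread.
IP_HDR, GRE_HDR = 20, 4              # IPv4 header without options, basic GRE
ESP_HDR, IV_LEN, BLOCK = 8, 16, 16   # SPI+seq, AES-CBC IV, AES block size
ICV_LEN = 12                         # HMAC-SHA1-96 integrity check value


def esp_padding(plaintext_len):
    """Pad so payload + padding + pad-length + next-header is block aligned."""
    return (-(plaintext_len + 2)) % BLOCK


def esp_layout(mode, payload_len):
    """Return [(field, size, in_icv_scope)] for a GRE-over-ESP packet.

    in_icv_scope is True for fields the ESP ICV covers: ESP header through
    ESP trailer. The IP header that actually carries the ESP packet is never
    covered, in either mode.
    """
    if mode not in ("tunnel", "transport"):
        raise ValueError("mode must be 'tunnel' or 'transport'")
    inner = [("gre", GRE_HDR, True), ("passenger ip", IP_HDR, True),
             ("payload", payload_len, True)]
    if mode == "tunnel":
        # The original GRE delivery header is encapsulated (and thus
        # authenticated); a fresh outer IP header is prepended.
        inner.insert(0, ("gre delivery ip", IP_HDR, True))
    plaintext_len = sum(size for _, size, _ in inner)
    layout = [("outer ip", IP_HDR, False), ("esp header", ESP_HDR, True),
              ("iv", IV_LEN, True)] + inner
    layout += [("padding", esp_padding(plaintext_len), True),
               ("pad len + next hdr", 2, True), ("icv", ICV_LEN, False)]
    return layout


def wire_length(layout):
    """Total bytes on the wire for a layout from esp_layout()."""
    return sum(size for _, size, _ in layout)


def unauthenticated_fields(layout):
    """Names of fields outside the ESP integrity scope."""
    return [name for name, _, covered in layout if not covered]


def delivery_header_authenticated(layout):
    """True when a copy of the delivery IP header sits inside the ICV scope."""
    return any(name == "gre delivery ip" and cov for name, _, cov in layout)


if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        lay = esp_layout(mode, 100)
        print(mode, wire_length(lay), "bytes; outside ICV scope:",
              unauthenticated_fields(lay), "; delivery header authenticated:",
              delivery_header_authenticated(lay))
```

For a 100-byte payload the plaintext differs by exactly 20 bytes, but after AES block padding the wire lengths are 184 versus 216 bytes, so the saving seen on the link is 16 or 32 bytes depending on alignment.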
2010/5/31 Sadiq Yakasai <sadiqtanko_at_gmail.com>
> Right, I may be on too much coffee these days but something just stumbled
> on to me:
>
> Generally speaking, when a transform set is configured for transport mode
> (esp, ah, does not matter, or does it?), the crypto map local address
> should not have any effect. This is so because the packets' source/dest is
> actually maintained on the "transported" packets, right?
>
> One more quick question, is GETVPN implicitly always in transport mode?
> What if I don't configure the transform set on the KS to be transport mode?
>
> Long answer I know is to lab this up, which I will anyway. But just thought
> I should put it out to the gurus!
>
> As usual, thanks.
>
> Sadiq
>
> --
> CCIE #19963
Blogs and organic groups at http://www.ccie.net
Received on Mon May 31 2010 - 23:21:02 ART

This archive was generated by hypermail 2.2.0 : Tue Jun 01 2010 - 07:09:54 ART