Re: IPSEC transport mode & crypto map local address...???

From: Sadiq Yakasai <sadiqtanko_at_gmail.com>
Date: Mon, 31 May 2010 23:09:17 +0100

Thanks Piotr,

Right, this comes to where my little mix-up is at. Now, GETVPN is not
exactly our native L2L VPN, is it?

In other words, we use a crypto map to configure GDOI on the GM. This kind of
makes the local router unable to run transport mode, doesn't it?

See my point?

On Mon, May 31, 2010 at 10:21 PM, Piotr Matusiak <pitt2k_at_gmail.com> wrote:

> Hi Sadiq,
>
>
> 1. LAN to LAN IPSec VPN using crypto-ACL: no matter what mode is
> configured, Tunnel Mode will be used. If you use GRE tunnels (DMVPN or
> GREoverIPSec), you can use Tunnel or Transport mode. Transport mode would
> save 20 bytes and is recommended for DMVPN as it works better with NAT.
>
> 2. GETVPN should be configured using Tunnel Mode to take advantage of
> header authentication. ESP does not authenticate outer IP Header in
> transport mode.
>
> HTH,
> --
> Piotr Matusiak
> CCIE #19860 (R&S, Security)
> Technical Instructor
> website: www.MicronicsTraining.com
> blog: www.ccie1.com
>
> If you can't explain it simply, you don't understand it well enough -
> Albert Einstein
>
>
> 2010/5/31 Sadiq Yakasai <sadiqtanko_at_gmail.com>
>
>> Right, I may be on too much coffee these days but something just stumbled
>> on to me:
>>
>> Generally speaking, when a transform set is configured for transport mode
>> (esp, ah, does not matter, or does it?), the crypto map local address
>> should not have any effect. This is so because the packets' source/dest is
>> actually maintained on the "transported" packets, right?
>>
>> One more quick question, is GETVPN implicitly always in transport mode?
>> What if I don't configure the transform set on the KS to be transport mode?
>>
>> Long answer I know is to lab this up, which I will anyway. But just thought
>> I should put it out to the gurus!
>>
>> As usual, thanks.
>>
>> Sadiq
>>
>> --
>> CCIE #19963
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>

--
CCIE #19963
Blogs and organic groups at http://www.ccie.net
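An added configuration example, not part of the thread above, that puts both questions side by side: a GRE over IPsec crypto map where transport mode is actually honoured, and a GETVPN key server and group member where the transform set is left in tunnel mode. All hostnames, addresses, keys, the group number and the ACL names are invented for the example. The behaviour it relies on is the documented one: IOS uses a "mode transport" transform set only when the protected packet already carries the IPsec peer addresses as its own source and destination (true for GRE traffic between the tunnel endpoints, not for plain LAN-to-LAN crypto-ACL traffic), and otherwise builds the SA in tunnel mode; and ESP's integrity check never covers the IP header that sits in front of the ESP header. So in transport mode the crypto map local-address still matters, because it sets the SA endpoint that the GRE source must match for transport mode to be used at all; and in GETVPN tunnel mode the preserved outer header is only verifiable because the authenticated inner copy travels with it.

```text
! ===== Router A: GRE over IPsec, transport mode honoured =====
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 198.51.100.2
!
crypto ipsec transform-set TS_TRANSPORT esp-aes esp-sha-hmac
 mode transport
!
! The GRE packets are sourced from Loopback0, so the IPsec SA must also be
! sourced from Loopback0 or the addresses will not match the peers and IOS
! will fall back to tunnel mode for this SA.
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 198.51.100.2
 tunnel mode gre ip
!
ip access-list extended GRE_TO_PEER
 permit gre host 192.0.2.1 host 198.51.100.2
!
crypto map L2L 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set TS_TRANSPORT
 match address GRE_TO_PEER
!
! local-address pins the SA endpoint to the GRE source address, independent
! of which physical interface the crypto map is applied to.
crypto map L2L local-address Loopback0
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map L2L
!
! ===== Key server: transform set left in (default) tunnel mode =====
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
! No "mode transport" here: GETVPN keeps tunnel mode with header
! preservation, so the inner header (a copy of the outer one) is inside the
! ESP-authenticated payload.
crypto ipsec transform-set TS_GETVPN esp-aes esp-sha-hmac
!
crypto ipsec profile GDOI_PROFILE
 set transform-set TS_GETVPN
!
ip access-list extended GETVPN_TRAFFIC
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
!
! Assumes an RSA key pair labelled GETVPN_REKEY was generated beforehand
! (crypto key generate rsa label GETVPN_REKEY modulus 2048 exportable).
crypto gdoi group GETVPN
 identity number 1234
 server local
  rekey authentication mypubkey rsa GETVPN_REKEY
  rekey transport unicast
  sa ipsec 1
   profile GDOI_PROFILE
   match address ipv4 GETVPN_TRAFFIC
   replay time window-size 5
  address ipv4 192.0.2.10
!
! ===== Group member: the crypto map only points at the GDOI group =====
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 192.0.2.10
!
crypto gdoi group GETVPN
 identity number 1234
 server address ipv4 192.0.2.10
!
! No transform set, peer or crypto ACL on the GM: the KS pushes the policy
! (including the encapsulation mode) during registration.
crypto map GM_MAP 10 gdoi
 set group GETVPN
!
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 crypto map GM_MAP
```

On Router A, "show crypto ipsec sa" should report the SA "in use settings ={Transport, }"; if the GRE source and the local-address disagree it will instead show "{Tunnel, }", which is the same silent fallback that happens for the plain crypto-ACL LAN-to-LAN case in Piotr's point 1. On the GM, the transform set and mode come from the KS policy, which is why there is nothing to set in the gdoi crypto map itself.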
Received on Mon May 31 2010 - 23:09:17 ART