Re: IPSEC transport mode & crypto map local address...???

From: Piotr Matusiak <pitt2k_at_gmail.com>
Date: Tue, 1 Jun 2010 10:20:27 +0200

You can configure and use either Tunnel or Transport mode in GETVPN. The
technology allows you to do that. It has nothing to do with the crypto map. I
see your point here; it is true for a "regular" crypto map but not for GETVPN.
In a "regular" crypto map, Tunnel mode will be used no matter how you
configure it under the transform-set. However, here we can do both: if you
set the mode to Transport, it will be used. The main reason for Tunnel mode is
to take advantage of IP header authentication.

--
Piotr Matusiak
CCIE #19860 (R&S, Security)
Technical Instructor
website: www.MicronicsTraining.com
blog: www.ccie1.com
If you can't explain it simply, you don't understand it well enough -
Albert Einstein
2010/6/1 Sadiq Yakasai <sadiqtanko_at_gmail.com>
> Thanks Piotr,
>
> Right, this comes to where my little mix-up is at. Now, GETVPN is not
> exactly our native L2L VPN, is it?
>
> In other words, we use a crypto map to configure GDOI on the GM. This kinda
> makes the local router unable to run transport mode, doesn't it?
>
> See my point?
>
> On Mon, May 31, 2010 at 10:21 PM, Piotr Matusiak <pitt2k_at_gmail.com> wrote:
>
>> Hi Sadiq,
>>
>> 1. LAN to LAN IPSec VPN using crypto-ACL: no matter what mode is
>> configured, Tunnel Mode will be used. If you use GRE tunnels (DMVPN or
>> GREoverIPSec), you can use Tunnel or Transport mode. Transport mode would
>> save 20 bytes and is recommended for DMVPN as it works better with NAT.
>>
>> 2. GETVPN should be configured using Tunnel Mode to take advantage of
>> header authentication. ESP does not authenticate outer IP Header in
>> transport mode.
>>
>> HTH,
>> --
>> Piotr Matusiak
>> CCIE #19860 (R&S, Security)
>> Technical Instructor
>> website: www.MicronicsTraining.com
>> blog: www.ccie1.com
>>
>> If you can't explain it simply, you don't understand it well enough -
>> Albert Einstein
>>
>>
>> 2010/5/31 Sadiq Yakasai <sadiqtanko_at_gmail.com>
>>
>>> Right, I may be on too much coffee these days but something just
>>> stumbled onto me:
>>>
>>> Generally speaking, when a transform set is configured for transport mode
>>> (esp, ah, does not matter, or does it?), the crypto map local address
>>> should not have any effect. This is so because the packet's source/dest is
>>> actually maintained on the "transported" packets, right?
>>>
>>> One more quick question: is GETVPN implicitly always in transport mode?
>>> What if I don't configure the transform set on the KS to be transport mode?
>>>
>>> The long answer, I know, is to lab this up, which I will anyway. But I just
>>> thought I should put it out to the gurus!
>>>
>>> As usual, thanks.
>>>
>>> Sadiq
>>>
>>> --
>>> CCIE #19963
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
>
> --
> CCIE #19963
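The tunnel-versus-transport point argued in the thread above, as an added example that is not part of the original posts: a small Python model of ESP in both modes, showing which bytes the ICV covers. In both modes the outer IP header sits outside the ICV (RFC 4303), so an on-path rewrite of the outer source address passes ESP's own check; tunnel mode with GETVPN-style header preservation gives the receiver an authenticated inner copy of the header to compare against, which is what makes the tampering detectable. The model also reproduces the 20-byte overhead difference between the two modes. Assumptions, none of which come from the thread: ESP-NULL with HMAC-SHA256 truncated to 128 bits as the authenticator (a real transform set would use something like esp-aes/esp-sha-hmac), 20-byte IPv4 headers without options, a constructed demo key, and a constructed TCP payload.

```python
"""Model of what an ESP ICV covers in transport vs tunnel mode.

Added example, not code from the thread. Simplifications (all assumptions):
 - ESP-NULL (no encryption) with HMAC-SHA256 truncated to 128 bits as the
   authenticator, instead of the esp-aes/esp-sha-hmac a real transform set uses.
 - 20-byte IPv4 headers without options.
 - Tunnel mode copies the original header to the outside, as GETVPN's header
   preservation does, so the receiver can compare the two copies.
"""
import hashlib
import hmac
import ipaddress
import struct

ESP_PROTO, IPIP_PROTO, TCP_PROTO = 50, 4, 6
ICV_LEN = 16                                # truncated HMAC-SHA256 (modelling choice)
KEY = bytes(range(32))                      # constructed demo key, not a real SA key


def ip_checksum(hdr: bytes) -> int:
    """RFC 791 header checksum (the header's own checksum field must be zero)."""
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Build a minimal 20-byte IPv4 header with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def esp_encapsulate(key: bytes, spi: int, seq: int, packet: bytes, mode: str) -> bytes:
    """Wrap an IPv4 packet in ESP. The ICV covers SPI..next-header only (RFC 4303)."""
    orig_hdr, data = packet[:20], packet[20:]
    if mode == "transport":
        inner, next_hdr = data, orig_hdr[9]     # only the L4 payload is protected
    elif mode == "tunnel":
        inner, next_hdr = packet, IPIP_PROTO    # whole packet, IP header included
    else:
        raise ValueError(f"unknown mode {mode!r}")
    pad_len = (-(len(inner) + 2)) % 4           # align pad-len/next-header to 4 bytes
    body = (struct.pack("!II", spi, seq) + inner
            + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_hdr]))
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    # Outer header: original addresses and TTL preserved, protocol/length rewritten.
    outer = ipv4_header(str(ipaddress.IPv4Address(orig_hdr[12:16])),
                        str(ipaddress.IPv4Address(orig_hdr[16:20])),
                        ESP_PROTO, len(body) + ICV_LEN, orig_hdr[8])
    return outer + body + icv


def esp_decapsulate(key: bytes, pkt: bytes):
    """Check the ICV and strip ESP. Returns (outer_header, inner_bytes, next_header)."""
    outer, body, icv = pkt[:20], pkt[20:-ICV_LEN], pkt[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV check failed")
    pad_len, next_hdr = body[-2], body[-1]
    return outer, body[8:len(body) - 2 - pad_len], next_hdr


def rewrite_outer_src(pkt: bytes, new_src: str) -> bytes:
    """On-path attacker: change the outer source address and fix the IP checksum."""
    hdr = bytearray(pkt[:20])
    hdr[12:16] = ipaddress.IPv4Address(new_src).packed
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[20:]


def tamper_detected(key: bytes, pkt: bytes) -> bool:
    """Receiver view: ICV failure, or (tunnel mode only) an outer header that no
    longer matches the authenticated inner copy. Transport mode has no inner copy,
    so a rewritten outer header passes every check ESP itself can make."""
    try:
        outer, inner, next_hdr = esp_decapsulate(key, pkt)
    except ValueError:
        return True
    if next_hdr != IPIP_PROTO:
        return False
    return inner[12:20] != outer[12:20]


# Constructed sample: a 20-byte TCP header as the L4 payload of a 10.1.1.10 -> 10.2.2.20 packet.
SAMPLE_TCP = bytes.fromhex("c3500050000000010000000050020200abcd0000")
SAMPLE_PACKET = ipv4_header("10.1.1.10", "10.2.2.20", TCP_PROTO, len(SAMPLE_TCP)) + SAMPLE_TCP


if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        esp = esp_encapsulate(KEY, 0x1234, 1, SAMPLE_PACKET, mode)
        spoofed = rewrite_outer_src(esp, "192.0.2.66")
        print(f"{mode:9s} {len(esp):3d} bytes on the wire, "
              f"outer-header rewrite detected: {tamper_detected(KEY, spoofed)}")
```

Running it prints the two wire sizes (20 bytes apart, the saving Piotr refers to for DMVPN) and shows the spoofed outer header going unnoticed in transport mode but flagged in tunnel mode. Note that the inner/outer comparison is a receiver policy layered on top of ESP; ESP alone never authenticates the outer header in either mode, which is why AH, not ESP, is the transform that covers it.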
Received on Tue Jun 01 2010 - 10:20:27 ART