Re: IPSEC transport mode & crypto map local address...???

From: swap m <ccie19804_at_gmail.com>
Date: Tue, 1 Jun 2010 12:31:08 +0400

Sadiq,

Also, you need to keep in mind the crypto map local address's dependency on
the Phase 1 exchange. Phase 1 will pick the local address as defined in the
crypto map, be it transport or tunnel, so it does make a difference for
transport mode.

Swap
#19804

On Tue, Jun 1, 2010 at 12:20 PM, Piotr Matusiak <pitt2k_at_gmail.com> wrote:
> You can configure and use either Tunnel or Transport mode in GETVPN. The
> technology allows you to do that. It has nothing to do with the crypto map. I
> see your point here; it is true for a "regular" crypto map but not for GETVPN.
> In a "regular" crypto map, Tunnel mode will be used no matter how you
> configure it under the transform-set. However, here we can do both: if you
> set the mode to Transport, it will be used. The main reason for Tunnel mode is
> to take advantage of IP Header authentication.
>
> --
> Piotr Matusiak
> CCIE #19860 (R&S, Security)
> Technical Instructor
> website: www.MicronicsTraining.com
> blog: www.ccie1.com
>
> If you can't explain it simply, you don't understand it well enough -
> Albert Einstein
>
> 2010/6/1 Sadiq Yakasai <sadiqtanko_at_gmail.com>
>
>> Thanks Piotr,
>>
>> Right, this comes to where my little mix up is at. Now, GETVPN is not
>> exactly our native L2L VPN, is it?
>>
>> In other words, we use a crypto map to configure GDOI on the GM. This kinda
>> makes the local router prone to not being able to run transport mode, doesn't it?
>>
>> See my point?
>>
>> On Mon, May 31, 2010 at 10:21 PM, Piotr Matusiak <pitt2k_at_gmail.com> wrote:
>>
>>> Hi Sadiq,
>>>
>>> 1. LAN to LAN IPSec VPN using crypto-ACL: no matter what mode is
>>> configured, Tunnel Mode will be used. If you use GRE tunnels (DMVPN or
>>> GREoverIPSec), you can use Tunnel or Transport mode. Transport mode would
>>> save 20 bytes and is recommended for DMVPN as it works better with NAT.
>>>
>>> 2. GETVPN should be configured using Tunnel Mode to take advantage of
>>> header authentication. ESP does not authenticate outer IP Header in
>>> transport mode.
>>>
>>> HTH,
>>> --
>>> Piotr Matusiak
>>> CCIE #19860 (R&S, Security)
>>> Technical Instructor
>>> website: www.MicronicsTraining.com
>>> blog: www.ccie1.com
>>>
>>> If you can't explain it simply, you don't understand it well enough -
>>> Albert Einstein
>>>
>>> 2010/5/31 Sadiq Yakasai <sadiqtanko_at_gmail.com>
>>>
>>>> Right, I may be on too much coffee these days but something just
>>>> stumbled on to me:
>>>>
>>>> Generally speaking, when a transform set is configured for transport mode
>>>> (esp, ah, does not matter, or does it?), the crypto map local address should
>>>> not have any effect. This is so because the packet's source/dest is actually
>>>> maintained on the "transported" packets, right?
>>>>
>>>> One more quick question: is GETVPN implicitly always in transport mode? What
>>>> if I don't configure the transform set on the KS to be transport mode?
>>>>
>>>> Long answer I know is to lab this up, which I will anyway. But just thought I
>>>> should put it out to the gurus!
>>>>
>>>> As usual, thanks.
>>>>
>>>> Sadiq
>>>>
>>>> --
>>>> CCIE #19963
>>>>
>>>>
>>>> Blogs and organic groups at http://www.ccie.net
>>>>
>>>> _______________________________________________________________________
>>>> Subscription information may be found at:
>>>> http://www.groupstudy.com/list/CCIELab.html
>>
>> --
>> CCIE #19963
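Piotr's two points, the 20 bytes that transport mode saves and ESP's ICV not covering the outer IP header, laid out byte by byte. This is an added example, not code from anyone in the thread: a Python script that encapsulates one constructed TCP/IPv4 packet in ESP both ways (ESP-NULL so the bytes stay readable, HMAC-SHA256-128 as the integrity algorithm; addresses, SPI, key and payload are constructed sample values), then checks which IP header the ICV covers. In transport mode the datagram keeps the original packet's own addresses, which is the behaviour Sadiq's question about the local address turns on; in tunnel mode a new outer header carries the peer addresses and the original header sits inside the authenticated region.

```python
"""ESP transport vs tunnel framing (added example, not from the thread).
One constructed TCP/IPv4 packet is encapsulated both ways with ESP-NULL (no
encryption, so every byte stays readable) and HMAC-SHA256-128 for integrity,
following RFC 4303:
  transport: [outer IP][ESP hdr][TCP+data][pad][padlen][NH=6][ICV]
  tunnel:    [outer IP][ESP hdr][inner IP][TCP+data][pad][padlen][NH=4][ICV]
                       |<---------- covered by the ICV ----------->|
Addresses, SPI, key and payload are constructed sample values."""
import hashlib
import hmac
import struct

ICV_LEN = 16                  # HMAC-SHA256-128: MAC truncated to 128 bits
ESP_HDR_LEN = 8               # SPI (4) + sequence number (4)
IP_HDR_LEN = 20               # IPv4 header without options
PROTO_IPIP, PROTO_TCP, PROTO_ESP = 4, 6, 50

def aton(addr):
    """Dotted quad -> 4 raw bytes."""
    return bytes(int(x) for x in addr.split("."))

def ntoa(raw):
    """4 raw bytes -> dotted quad."""
    return ".".join(str(b) for b in raw)

def ipv4_checksum(hdr):
    """One's-complement checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal IPv4 header (no options) in front of payload_len bytes."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + payload_len,
                      0x1234, 0, ttl, proto, 0, aton(src), aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def esp_encapsulate(inner_hdr, l4, mode, key, spi, seq, peer_src, peer_dst):
    """Wrap an IPv4 packet (inner_hdr + l4) in ESP-NULL, transport or tunnel."""
    if mode == "transport":
        # Original header stays in front: src/dst are the original packet's,
        # so its endpoints have to be the IPsec peers themselves.
        esp_payload, next_header = l4, inner_hdr[9]
        src, dst = ntoa(inner_hdr[12:16]), ntoa(inner_hdr[16:20])
    elif mode == "tunnel":
        # Whole original packet becomes ESP payload; a new outer header
        # carries the peer addresses (on IOS, the crypto map local address).
        esp_payload, next_header = inner_hdr + l4, PROTO_IPIP
        src, dst = peer_src, peer_dst
    else:
        raise ValueError(mode)
    # Trailer: pad so payload + pad + padlen + nexthdr is 4-byte aligned
    # (ESP-NULL has no cipher block size to satisfy); pad bytes are 1,2,3...
    pad_len = (-(len(esp_payload) + 2)) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    # The ICV covers ESP header through trailer, never the outer IP header.
    authenticated = struct.pack("!II", spi, seq) + esp_payload + trailer
    icv = hmac.new(key, authenticated, hashlib.sha256).digest()[:ICV_LEN]
    outer = ipv4_header(src, dst, PROTO_ESP, len(authenticated) + ICV_LEN)
    packet = outer + authenticated + icv
    return {
        "packet": packet,
        "auth_range": (IP_HDR_LEN, len(packet) - ICV_LEN),
        "overhead": len(packet) - len(inner_hdr) - len(l4),
        "orig_ip_offset": IP_HDR_LEN + ESP_HDR_LEN if mode == "tunnel" else 0,
    }

def ip_header_authenticated(result):
    """True if the original packet's IP header sits inside the ICV coverage."""
    start, end = result["auth_range"]
    off = result["orig_ip_offset"]
    return start <= off and off + IP_HDR_LEN <= end

def verify_icv(packet, key):
    """Receiver side: recompute the ICV over ESP header..trailer and compare."""
    body, icv = packet[IP_HDR_LEN:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(expected, icv)

def compare_modes():
    """Encapsulate one constructed 60-byte TCP/IPv4 packet in both modes."""
    key = b"\x11" * 32                                    # constructed key
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x50, 0x02, 65535, 0, 0)
    l4 = tcp + b"A" * 20                                  # 40 bytes TCP+data
    inner = ipv4_header("10.1.1.1", "10.2.2.2", PROTO_TCP, len(l4))
    out = {"key": key}
    for mode in ("transport", "tunnel"):
        out[mode] = esp_encapsulate(inner, l4, mode, key, 0x1000, 1,
                                    "192.0.2.1", "198.51.100.1")
    return out

if __name__ == "__main__":
    res = compare_modes()
    for mode in ("transport", "tunnel"):
        r = res[mode]
        print(f"{mode:9s} outer src={ntoa(r['packet'][12:16]):13s} "
              f"overhead={r['overhead']} bytes, "
              f"orig IP header authenticated={ip_header_authenticated(r)}")
```

With the 40-byte TCP payload used here the padding comes out equal in both modes, so the overhead is 28 bytes in transport mode and 48 in tunnel mode, exactly the inner IP header apart. Running `verify_icv` against a copy with one bit flipped in the outer header's TTL still succeeds in either mode, since ESP's integrity check starts at the ESP header; flipping a bit in the original packet's header only fails the check in tunnel mode, where that header has been moved inside the protected region. That is the "IP Header authentication" Piotr refers to, and why AH, not ESP, is what covers the outer header.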

Received on Tue Jun 01 2010 - 12:31:08 ART

This archive was generated by hypermail 2.2.0 : Sun Aug 01 2010 - 09:11:36 ART