Re: IPSEC transport mode & crypto map local address...???

From: Sadiq Yakasai <sadiqtanko_at_gmail.com>
Date: Tue, 1 Jun 2010 10:36:00 +0100

Right, I see. Makes more sense now actually.

BTW, your last sentence below, did you mean "ip header preservation" and not
"ip header authentication"?

Thanks again.

Sadiq

On Tue, Jun 1, 2010 at 9:20 AM, Piotr Matusiak <pitt2k_at_gmail.com> wrote:

> You can configure and use either Tunnel or Transport mode in GETVPN. The
> technology allows you to do that. It has nothing to do with crypto map. I
> see your point here; it is true for "regular" crypto map but not for
> GETVPN.
> In "regular" crypto map there will be Tunnel mode used no matter how you
> configure it under the transform-set. However, here we can do both, if you
> set mode to Transport, it will be used. The main reason for Tunnel mode is
> to take advantage of IP Header authentication.
>
>
> --
> Piotr Matusiak
> CCIE #19860 (R&S, Security)
> Technical Instructor
> website: www.MicronicsTraining.com
> blog: www.ccie1.com
>
> If you can't explain it simply, you don't understand it well enough -
> Albert Einstein
>
>
> 2010/6/1 Sadiq Yakasai <sadiqtanko_at_gmail.com>
>
>> Thanks Piotr,
>>
>> Right, this comes to where my little mix up is at. Now, GETVPN is not
>> exactly our native L2L VPN, is it?
>>
>> In other words, we use a crypto map to configure GDOI on the GM. This
>> kinda makes the local router prone to not being able to run transport mode,
>> doesn't it?
>>
>> See my point?
>>
>>
>>
>>
>> On Mon, May 31, 2010 at 10:21 PM, Piotr Matusiak <pitt2k_at_gmail.com>wrote:
>>
>>> Hi Sadiq,
>>>
>>>
>>> 1. LAN to LAN IPSec VPN using crypto-ACL: no matter what mode is
>>> configured, Tunnel Mode will be used. If you use GRE tunnels (DMVPN or
>>> GREoverIPSec), you can use Tunnel or Transport mode. Transport mode would
>>> save 20 bytes and is recommended for DMVPN as it works better with NAT.
>>>
>>> 2. GETVPN should be configured using Tunnel Mode to take advantage of
>>> header authentication. ESP does not authenticate outer IP Header in
>>> transport mode.
>>>
>>> HTH,
>>> --
>>> Piotr Matusiak
>>> CCIE #19860 (R&S, Security)
>>> Technical Instructor
>>> website: www.MicronicsTraining.com
>>> blog: www.ccie1.com
>>>
>>> If you can't explain it simply, you don't understand it well enough -
>>> Albert Einstein
>>>
>>>
>>> 2010/5/31 Sadiq Yakasai <sadiqtanko_at_gmail.com>
>>>
>>>> Right, I may be on too much coffee these days but something just
>>>> stumbled on to me:
>>>>
>>>> Generally speaking, when a transform set is configured for transport
>>>> mode (esp, ah, does not matter, or does it?), the crypto map local address
>>>> should not have any effect. This is so because the packet's source/dest is
>>>> actually maintained on the "transported" packets right?
>>>>
>>>> One more quick question, is GETVPN implicitly always in transport mode?
>>>> What if I don't configure the transform set on the KS to be transport mode?
>>>>
>>>> Long answer I know is to lab this up, which I will anyway. But just
>>>> thought I should put it out to the gurus!
>>>>
>>>> As usual, thanks.
>>>>
>>>> Sadiq
>>>>
>>>> --
>>>> CCIE #19963
>>>>
>>>>
>>>> Blogs and organic groups at http://www.ccie.net
>>>>
>>>> _______________________________________________________________________
>>>> Subscription information may be found at:
>>>> http://www.groupstudy.com/list/CCIELab.html
>>>
>>
>>
>> --
>> CCIE #19963
>>
>
>

--
CCIE #19963
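The point Piotr makes about header authentication, and the 20 bytes transport mode saves, can be seen directly in a toy packet builder. The following is an added example written for this archive page; it is not code from the thread, from Cisco IOS, or from any GETVPN implementation. It reduces ESP to ESP-NULL (no encryption) with an HMAC-SHA1-96 ICV (RFC 2404) so the integrity coverage is visible; the key, the addresses and the UDP payload are constructed values, and IP checksums are left at zero.

```python
"""Which IP header bytes does ESP's ICV cover in transport vs tunnel mode?

Added example (not from the thread). ESP-NULL + HMAC-SHA1-96 ICV; the ICV
covers ESP header .. ESP trailer (RFC 4303), never the IP header in front of
it. Key, addresses and payload below are constructed for the illustration.
"""
import hashlib
import hmac
import socket
import struct

AUTH_KEY = b"\x11" * 20            # constructed integrity key
ICV_LEN = 12                       # HMAC-SHA1-96: ICV truncated to 96 bits
PROTO_ESP, PROTO_IPIP, PROTO_UDP = 50, 4, 17
SPI, SEQ = 0x1000, 1


def ipv4_header(src, dst, proto, total_len):
    """Minimal 20-byte IPv4 header, no options; checksum left 0 here."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def esp_encapsulate(payload, next_header):
    """ESP header + payload + trailer (pad, pad len, next header) + ICV."""
    pad_len = (-(len(payload) + 2)) % 4          # trailer ends 4-byte aligned
    pad = bytes(range(1, pad_len + 1))
    body = struct.pack("!II", SPI, SEQ) + payload + pad + bytes([pad_len, next_header])
    icv = hmac.new(AUTH_KEY, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def esp_verify(packet):
    """True if the ICV over everything after the 20-byte IP header checks out.
    Whatever sits in that leading IP header is outside the ICV by design."""
    body, icv = packet[20:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(AUTH_KEY, body, hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)


def build(mode, src, dst, gw_src, gw_dst, data):
    """Transport: the original IP header stays in front of ESP.
    Tunnel: the original header is carried inside ESP and a new outer header
    (here with gateway addresses) is put in front."""
    if mode == "transport":
        esp = esp_encapsulate(data, next_header=PROTO_UDP)
        return ipv4_header(src, dst, PROTO_ESP, 20 + len(esp)) + esp
    inner = ipv4_header(src, dst, PROTO_UDP, 20 + len(data)) + data
    esp = esp_encapsulate(inner, next_header=PROTO_IPIP)
    return ipv4_header(gw_src, gw_dst, PROTO_ESP, 20 + len(esp)) + esp


# Constructed 8-byte UDP header plus a 12-byte payload, and constructed addresses.
DATA = b"\x12\x34\x00\x35\x00\x14\x00\x00" + b"hello-getvpn"
ARGS = ("10.1.1.10", "10.2.2.20", "192.0.2.1", "198.51.100.1", DATA)


def overhead_difference():
    """Tunnel mode carries one extra IPv4 header: 20 bytes more on the wire."""
    return len(build("tunnel", *ARGS)) - len(build("transport", *ARGS))


def original_header_tamper_detected(mode):
    """Rewrite the source address of the *original* (endpoint) IP header and
    report whether the receiver's ICV check notices."""
    pkt = bytearray(build(mode, *ARGS))
    # Original header is at offset 0 in transport mode; in tunnel mode it sits
    # behind the 20-byte outer header and the 8-byte ESP header.
    off = 0 if mode == "transport" else 20 + 8
    pkt[off + 12:off + 16] = socket.inet_aton("203.0.113.99")
    return not esp_verify(bytes(pkt))


if __name__ == "__main__":
    print("tunnel minus transport size:", overhead_difference(), "bytes")
    for mode in ("transport", "tunnel"):
        print(mode, "- tampered original header detected:",
              original_header_tamper_detected(mode))
```

Run as a script it reports a 20-byte difference, and shows that the same change to the endpoint IP header goes unnoticed in transport mode but breaks the ICV in tunnel mode, because in tunnel mode that header is inside the authenticated ESP payload. The caveat a reader should keep in mind: the new outer header added in tunnel mode is just as unauthenticated as the transport-mode header is; what tunnel mode buys is integrity over the original header it carries, which is the property GETVPN's header preservation relies on.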
Received on Tue Jun 01 2010 - 10:36:00 ART

This archive was generated by hypermail 2.2.0 : Sun Aug 01 2010 - 09:11:36 ART