Re: IPSEC transport mode & crypto map local address...???

From: Sadiq Yakasai <sadiqtanko_at_gmail.com>
Date: Tue, 1 Jun 2010 10:38:04 +0100

Swap,

I see what you mean. Yeah, your point is actually right. However, it's not
actually the point of confusion here, as the focus is mainly on the "phase
3" if you will, i.e. when my traffic is actually getting passed over the
negotiated tunnel (encrypted).

Thanks,
Sadiq

On Tue, Jun 1, 2010 at 9:31 AM, swap m <ccie19804_at_gmail.com> wrote:

> Sadiq,
>
> Also you need to keep in mind crypto map local address's dependency on
> Phase1 exchange. Phase1 will pick the local addr as defined in crypto
> map, be it transport or tunnel, so it does make a difference for
> transport mode.
>
> Swap
> #19804
>
> On Tue, Jun 1, 2010 at 12:20 PM, Piotr Matusiak <pitt2k_at_gmail.com> wrote:
> > You can configure and use either Tunnel or Transport mode in GETVPN. The
> > technology allows you to do that. It has nothing to do with crypto map. I
> > see your point here; it is true for "regular" crypto map but not for
> > GETVPN.
> > In "regular" crypto map there will be Tunnel mode used no matter how you
> > configure it under the transform-set. However, here we can do both; if
> > you set mode to Transport, it will be used. The main reason for Tunnel
> > mode is to take advantage of IP Header authentication.
> >
> > --
> > Piotr Matusiak
> > CCIE #19860 (R&S, Security)
> > Technical Instructor
> > website: www.MicronicsTraining.com
> > blog: www.ccie1.com
> >
> > If you can't explain it simply, you don't understand it well enough -
> > Albert Einstein
> >
> >
> > 2010/6/1 Sadiq Yakasai <sadiqtanko_at_gmail.com>
> >
> >> Thanks Piotr,
> >>
> >> Right, this comes to where my little mix-up is. Now, GETVPN is not
> >> exactly our native L2L VPN, is it?
> >>
> >> In other words, we use a crypto map to configure GDOI on the GM. This
> >> kinda makes the local router prone to not being able to run transport
> >> mode, doesn't it?
> >>
> >> See my point?
> >>
> >>
> >>
> >>
> >> On Mon, May 31, 2010 at 10:21 PM, Piotr Matusiak <pitt2k_at_gmail.com>
> >> wrote:
> >>
> >>> Hi Sadiq,
> >>>
> >>>
> >>> 1. LAN to LAN IPSec VPN using crypto-ACL: no matter what mode is
> >>> configured, Tunnel Mode will be used. If you use GRE tunnels (DMVPN or
> >>> GREoverIPSec), you can use Tunnel or Transport mode. Transport mode
> >>> would save 20 bytes and is recommended for DMVPN as it works better
> >>> with NAT.
> >>>
> >>> 2. GETVPN should be configured using Tunnel Mode to take advantage of
> >>> header authentication. ESP does not authenticate outer IP Header in
> >>> transport mode.
> >>>
> >>> HTH,
> >>> --
> >>> Piotr Matusiak
> >>> CCIE #19860 (R&S, Security)
> >>> Technical Instructor
> >>> website: www.MicronicsTraining.com
> >>> blog: www.ccie1.com
> >>>
> >>> If you can't explain it simply, you don't understand it well enough -
> >>> Albert Einstein
> >>>
> >>>
> >>> 2010/5/31 Sadiq Yakasai <sadiqtanko_at_gmail.com>
> >>>
> >>>> Right, I may be on too much coffee these days but something just
> >>>> stumbled on to me:
> >>>>
> >>>> Generally speaking, when a transform set is configured for transport
> >>>> mode (esp, ah, does not matter, or does it?), the crypto map local
> >>>> address should not have any effect. This is so because the packet's
> >>>> source/dest is actually maintained on the "transported" packets, right?
> >>>>
> >>>> One more quick question, is GETVPN implicitly always in transport
> >>>> mode? What if I don't configure the transform set on the KS to be
> >>>> transport mode?
> >>>>
> >>>> Long answer I know is to lab this up, which I will anyway. But just
> >>>> thought I should put it out to the gurus!
> >>>>
> >>>> As usual, thanks.
> >>>>
> >>>> Sadiq
> >>>>
> >>>> --
> >>>> CCIE #19963
> >>>>
> >>>>
> >>>> Blogs and organic groups at http://www.ccie.net
> >>>>
> >>>> _______________________________________________________________________
> >>>> Subscription information may be found at:
> >>>> http://www.groupstudy.com/list/CCIELab.html
> >>
> >> --
> >> CCIE #19963
>

-- 
CCIE #19963
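Added example (not written by any of the posters above, and not IOS code): a small Python model of the two ESP encapsulations the thread discusses. It assumes a NULL cipher so the byte layout stays readable, HMAC-SHA-256-128 as the integrity algorithm, a 20-byte IPv4 header without options, and constructed addresses, key and payload. It shows the 20-byte difference Piotr mentions and why, with ESP alone, the IP header a transport-mode packet actually travels with is not covered by the ICV, whereas in tunnel mode the original header sits inside the covered region.

```python
"""Toy model of ESP transport vs tunnel mode (constructed example, not IOS code).

NULL cipher: the ESP payload is left in clear so the byte layout is visible.
Integrity: HMAC-SHA-256-128 over ESP header, payload and trailer (the RFC 4303
integrity coverage); the IP header in front of ESP is never covered.
"""
import hashlib
import hmac
import ipaddress
import struct

ESP = 50        # IP protocol number carried in the header in front of ESP
IPIP = 4        # ESP next-header value for an encapsulated IPv4 packet (tunnel mode)
ICV_LEN = 16    # HMAC-SHA-256-128: 256-bit MAC truncated to 128 bits (RFC 4868)
KEY = b"constructed-demo-key"   # constructed; a real SA key comes from IKE/GDOI


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header, no options; checksum left at zero (toy)."""
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def esp_encapsulate(spi, seq, data, next_header, key=KEY):
    """ESP header + data + padding + trailer + ICV (NULL cipher)."""
    pad_len = (-(len(data) + 2)) % 4            # trailer ends on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))      # RFC 4303 default padding pattern
    body = (struct.pack("!II", spi, seq) + data + padding
            + bytes([pad_len, next_header]))
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


def transport_mode(src, dst, proto, payload, spi=0x1001, seq=1):
    """Original header stays in front with its protocol rewritten to ESP;
    only the upper-layer payload goes inside ESP."""
    esp = esp_encapsulate(spi, seq, payload, next_header=proto)
    return ipv4_header(src, dst, ESP, len(esp)) + esp


def tunnel_mode(src, dst, proto, payload, outer_src, outer_dst, spi=0x1002, seq=1):
    """The whole original packet, header included, becomes the ESP payload
    behind a new outer header (outer addresses = crypto map local address / peer)."""
    inner = ipv4_header(src, dst, proto, len(payload)) + payload
    esp = esp_encapsulate(spi, seq, inner, next_header=IPIP)
    return ipv4_header(outer_src, outer_dst, ESP, len(esp)) + esp


def icv_ok(pkt, key=KEY):
    """Receiver-side check: recompute the ICV over everything after the
    20-byte outer header and compare in constant time."""
    esp = pkt[20:]
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(expected, icv)


def rewrite_dst(pkt, header_offset, new_dst):
    """Overwrite the destination field of the IPv4 header found at header_offset."""
    off = header_offset + 16
    return pkt[:off] + ipaddress.IPv4Address(new_dst).packed + pkt[off + 4:]


def demo():
    payload = b"constructed payload"          # 19 bytes, constructed
    t = transport_mode("10.1.1.1", "10.2.2.2", 17, payload)
    u = tunnel_mode("10.1.1.1", "10.2.2.2", 17, payload, "192.0.2.1", "192.0.2.2")
    return {
        "transport_len": len(t),
        "tunnel_len": len(u),                 # exactly 20 bytes more: the inner header
        "both_verify": icv_ok(t) and icv_ok(u),
        # transport: the original dst is in the front header, outside ICV coverage
        "transport_orig_dst_tamper_detected": not icv_ok(rewrite_dst(t, 0, "10.9.9.9")),
        # tunnel: the original dst is in the inner header (after 20 B outer + 8 B ESP)
        "tunnel_orig_dst_tamper_detected": not icv_ok(rewrite_dst(u, 20 + 8, "10.9.9.9")),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it as a script to see the two packet sizes and the tamper checks. The transport-mode result is the reason header authentication needs either AH or tunnel mode: ESP's ICV starts at the SPI, so the addresses the packet is routed on are unprotected in transport mode, while in tunnel mode those same addresses are inside the ESP payload and any change to them fails verification. The outer header in tunnel mode is still uncovered, which is why the crypto map local address only decides where the packet is sent from, not what is integrity-protected.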
Received on Tue Jun 01 2010 - 10:38:04 ART

This archive was generated by hypermail 2.2.0 : Sun Aug 01 2010 - 09:11:36 ART