Re: IPSEC transport mode & crypto map local address...???

From: Piotr Matusiak <pitt2k_at_gmail.com>
Date: Tue, 1 Jun 2010 11:51:34 +0200

I meant what I wrote :) If you want to authenticate the IP header (GRE IP
Header in this case) you'll need to use ESP in tunnel mode.

Cheers,

--
Piotr Matusiak
CCIE #19860 (R&S, Security)
Technical Instructor
website: www.MicronicsTraining.com
blog: www.ccie1.com
If you can't explain it simply, you don't understand it well enough -
Albert Einstein
2010/6/1 Sadiq Yakasai <sadiqtanko_at_gmail.com>
> Right, I see. Makes more sense now actually.
>
> BTW, your last sentence below, did you mean "ip header preservation" and
> not "ip header authentication"?
>
> Thanks again.
>
> Sadiq
>
>
> On Tue, Jun 1, 2010 at 9:20 AM, Piotr Matusiak <pitt2k_at_gmail.com> wrote:
>
>> You can configure and use either Tunnel or Transport mode in GETVPN. The
>> technology allows you to do that. It has nothing to do with crypto map. I
>> see your point here; it is true for "regular" crypto map but not for GETVPN.
>> In "regular" crypto map there will be Tunnel mode used no matter how you
>> configure it under the transform-set. However, here we can do both, if you
>> set mode to Transport, it will be used. The main reason for Tunnel mode is
>> to take advantage of IP Header authentication.
>>
>>
>> --
>> Piotr Matusiak
>> CCIE #19860 (R&S, Security)
>> Technical Instructor
>> website: www.MicronicsTraining.com
>> blog: www.ccie1.com
>>
>> If you can't explain it simply, you don't understand it well enough -
>> Albert Einstein
>>
>>
>> 2010/6/1 Sadiq Yakasai <sadiqtanko_at_gmail.com>
>>
>>> Thanks Piotr,
>>>
>>> Right, this comes to where my little mix-up is at. Now, GETVPN is not
>>> exactly our native L2L VPN, is it?
>>>
>>> In other words, we use a crypto map to configure GDOI on the GM. This
>>> kinda makes the local router prone to not being able to run transport mode,
>>> doesn't it?
>>>
>>> See my point?
>>>
>>>
>>>
>>>
>>> On Mon, May 31, 2010 at 10:21 PM, Piotr Matusiak <pitt2k_at_gmail.com> wrote:
>>>
>>>> Hi Sadiq,
>>>>
>>>>
>>>> 1. LAN to LAN IPSec VPN using crypto-ACL: no matter what mode is
>>>> configured, Tunnel Mode will be used. If you use GRE tunnels (DMVPN or
>>>> GREoverIPSec), you can use Tunnel or Transport mode. Transport mode would
>>>> save 20 bytes and is recommended for DMVPN as it works better with NAT.
>>>>
>>>> 2. GETVPN should be configured using Tunnel Mode to take advantage of
>>>> header authentication. ESP does not authenticate outer IP Header in
>>>> transport mode.
>>>>
>>>> HTH,
>>>> --
>>>> Piotr Matusiak
>>>> CCIE #19860 (R&S, Security)
>>>> Technical Instructor
>>>> website: www.MicronicsTraining.com
>>>> blog: www.ccie1.com
>>>>
>>>> If you can't explain it simply, you don't understand it well enough -
>>>> Albert Einstein
>>>>
>>>>
>>>> 2010/5/31 Sadiq Yakasai <sadiqtanko_at_gmail.com>
>>>>
>>>>> Right, I may be on too much coffee these days but something just
>>>>> stumbled on to me:
>>>>>
>>>>> Generally speaking, when a transform set is configured for transport mode
>>>>> (esp, ah, does not matter, or does it?), the crypto map local address
>>>>> should not have any effect. This is so because the packet's source/dest is
>>>>> actually maintained on the "transported" packets, right?
>>>>>
>>>>> One more quick question, is GETVPN implicitly always in transport mode?
>>>>> What if I don't configure the transform set on the KS to be transport mode?
>>>>>
>>>>> Long answer I know is to lab this up, which I will anyway. But just
>>>>> thought I should put it out to the gurus!
>>>>>
>>>>> As usual, thanks.
>>>>>
>>>>> Sadiq
>>>>>
>>>>> --
>>>>> CCIE #19963
>>>>>
>>>>>
>>>>> Blogs and organic groups at http://www.ccie.net
>>>>>
>>>>> _______________________________________________________________________
>>>>> Subscription information may be found at:
>>>>> http://www.groupstudy.com/list/CCIELab.html
>>>>
>>>
>>>
>>> --
>>> CCIE #19963
>>>
>>
>>
>
>
> --
> CCIE #19963
Blogs and organic groups at http://www.ccie.net
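As an added worked example (not code from this thread, nor Cisco's), the two encapsulations the thread compares, modelled in Python: it lays out an IPv4 packet as ESP in transport and in tunnel mode, using the RFC 4303 field order, and reports whether the original IP header falls under the ESP integrity check value. The parameter sizes (AES-CBC, HMAC-SHA1-96, IPv4) are assumptions, and no real cryptography is performed.

```python
"""Added example, not code from the thread: lay out an IPv4 packet as ESP in
transport vs tunnel mode (RFC 4303 ordering) and report which bytes the ESP
integrity check value (ICV) covers. Assumed parameters: AES-CBC (16-byte IV and
block alignment) and HMAC-SHA1-96 (12-byte ICV). No real cryptography runs."""
from dataclasses import dataclass

IPV4_HDR = 20      # IPv4 header size: the "20 bytes" transport mode saves
ESP_HDR = 8        # SPI (4) + sequence number (4)
IV_LEN = 16        # AES-CBC IV
BLOCK = 16         # plaintext + pad + 2 trailer bytes must be a multiple of this
TRAILER_FIXED = 2  # pad length (1) + next header (1)
ICV_LEN = 12       # HMAC-SHA1-96 truncated MAC


@dataclass
class EspLayout:
    mode: str
    plain_len: int        # bytes handed to the cipher before padding
    total_len: int        # bytes on the wire
    icv_span: tuple       # [start, end) byte offsets protected by the ICV
    orig_hdr_span: tuple  # [start, end) where the original IP header sits

    def orig_header_protected(self) -> bool:
        s, e = self.orig_hdr_span
        return self.icv_span[0] <= s and e <= self.icv_span[1]


def esp_padding(plain_len: int) -> int:
    """Smallest pad so plaintext + pad + trailer aligns to the cipher block."""
    return (-(plain_len + TRAILER_FIXED)) % BLOCK


def encapsulate(payload_len: int, mode: str) -> EspLayout:
    """Wire order: [outer IP hdr][ESP hdr][IV][ciphertext][pad|trailer][ICV]."""
    enc_start = IPV4_HDR + ESP_HDR + IV_LEN  # first byte of the encrypted part
    if mode == "transport":
        # Original IP header is reused as the outer header, outside ESP.
        plain_len = payload_len
        orig_hdr_span = (0, IPV4_HDR)
    elif mode == "tunnel":
        # The whole original packet, header included, becomes ESP plaintext.
        plain_len = IPV4_HDR + payload_len
        orig_hdr_span = (enc_start, enc_start + IPV4_HDR)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    pad = esp_padding(plain_len)
    # ESP's ICV covers the ESP header through the trailer, never the outer IP header.
    icv_end = enc_start + plain_len + pad + TRAILER_FIXED
    return EspLayout(mode, plain_len, icv_end + ICV_LEN, (IPV4_HDR, icv_end), orig_hdr_span)
```

Under the assumed 16-byte cipher block the on-wire difference between the two modes comes out as 16 or 32 bytes rather than exactly 20, because the extra header shifts the padding; the 20-byte figure is the saving measured before padding.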
Received on Tue Jun 01 2010 - 11:51:34 ART

This archive was generated by hypermail 2.2.0 : Sun Aug 01 2010 - 09:11:36 ART