Gotcha!
Besides, we can't do IP header preservation in Tunnel mode anyway ;-)
Thanks dude!
Sadiq
On Tue, Jun 1, 2010 at 10:51 AM, Piotr Matusiak <pitt2k_at_gmail.com> wrote:
> I meant what I wrote :) If you want to authenticate the IP header (GRE IP
> Header in this case) you'll need to use ESP in tunnel mode.
>
> Cheers,
>
> --
> Piotr Matusiak
> CCIE #19860 (R&S, Security)
> Technical Instructor
> website: www.MicronicsTraining.com
> blog: www.ccie1.com
>
> If you can't explain it simply, you don't understand it well enough -
> Albert Einstein
>
>
> 2010/6/1 Sadiq Yakasai <sadiqtanko_at_gmail.com>
>
>> Right, I see. Makes more sense now actually.
>>
>> BTW, your last sentence below, did you mean "ip header preservation" and
>> not "ip header authentication"?
>>
>> Thanks again.
>>
>> Sadiq
>>
>>
>> On Tue, Jun 1, 2010 at 9:20 AM, Piotr Matusiak <pitt2k_at_gmail.com> wrote:
>>
>>> You can configure and use either Tunnel or Transport mode in GETVPN. The
>>> technology allows you to do that. It has nothing to do with crypto map. I
>>> see your point here; it is true for "regular" crypto map but not for GETVPN.
>>> In "regular" crypto map there will be Tunnel mode used no matter how you
>>> configure it under the transform-set. However, here we can do both; if you
>>> set mode to Transport, it will be used. The main reason for Tunnel mode is
>>> to take advantage of IP Header authentication.
>>>
>>>
>>> --
>>> Piotr Matusiak
>>> CCIE #19860 (R&S, Security)
>>> Technical Instructor
>>> website: www.MicronicsTraining.com
>>> blog: www.ccie1.com
>>>
>>> If you can't explain it simply, you don't understand it well enough -
>>> Albert Einstein
>>>
>>>
>>> 2010/6/1 Sadiq Yakasai <sadiqtanko_at_gmail.com>
>>>
>>>> Thanks Piotr,
>>>>
>>>> Right, this comes to where my little mix up is at. Now, GETVPN is not
>>>> exactly our native L2L VPN, is it?
>>>>
>>>> In other words, we use a crypto map to configure GDOI on the GM. This
>>>> kinda makes the local router prone to not being able to run transport
>>>> mode, doesn't it?
>>>>
>>>> See my point?
>>>>
>>>>
>>>>
>>>>
>>>> On Mon, May 31, 2010 at 10:21 PM, Piotr Matusiak <pitt2k_at_gmail.com> wrote:
>>>>
>>>>> Hi Sadiq,
>>>>>
>>>>>
>>>>> 1. LAN to LAN IPSec VPN using crypto-ACL: no matter what mode is
>>>>> configured, Tunnel Mode will be used. If you use GRE tunnels (DMVPN or
>>>>> GREoverIPSec), you can use Tunnel or Transport mode. Transport mode
>>>>> would save 20 bytes and is recommended for DMVPN as it works better with NAT.
>>>>>
>>>>> 2. GETVPN should be configured using Tunnel Mode to take advantage of
>>>>> header authentication. ESP does not authenticate outer IP Header in
>>>>> transport mode.
>>>>>
>>>>> HTH,
>>>>> --
>>>>> Piotr Matusiak
>>>>> CCIE #19860 (R&S, Security)
>>>>> Technical Instructor
>>>>> website: www.MicronicsTraining.com
>>>>> blog: www.ccie1.com
>>>>>
>>>>> If you can't explain it simply, you don't understand it well enough -
>>>>> Albert Einstein
>>>>>
>>>>>
>>>>> 2010/5/31 Sadiq Yakasai <sadiqtanko_at_gmail.com>
>>>>>
>>>>>> Right, I may be on too much coffee these days but something just
>>>>>> stumbled on to me:
>>>>>>
>>>>>> Generally speaking, when a transform set is configured for transport
>>>>>> mode (esp, ah, does not matter, or does it?), the crypto map local
>>>>>> address should not have any effect. This is so because the packet's
>>>>>> source/dest is actually maintained on the "transported" packets, right?
>>>>>>
>>>>>> One more quick question, is GETVPN implicitly always in transport
>>>>>> mode? What if I don't configure the transform set on the KS to be
>>>>>> transport mode?
>>>>>>
>>>>>> Long answer I know is to lab this up, which I will anyway. But just
>>>>>> thought I should put it out to the gurus!
>>>>>>
>>>>>> As usual, thanks.
>>>>>>
>>>>>> Sadiq
>>>>>>
>>>>>> --
>>>>>> CCIE #19963
>>>>>>
>>>>>>
>>>>>> Blogs and organic groups at http://www.ccie.net
>>>>>>
>>>>>>
>>>>>>
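As an added illustration (not from this thread and not Cisco code), a Python model of ESP transport mode next to header-preserving tunnel mode as GETVPN uses it, showing the 20-byte difference and why only tunnel mode gives the receiver an authenticated copy of the IP header to check against. It assumes HMAC-SHA1-96 for integrity, leaves the payload unencrypted, and zeroes the IP checksum; the sample packet and key are constructed.

```python
import hashlib
import hmac
import struct

ESP_PROTO, IPV4_HDR_LEN, ESP_HDR_LEN = 50, 20, 8
ICV_LEN = 12  # HMAC-SHA1-96 truncated ICV (assumed integrity algorithm)

def ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header without options; checksum left zero in this model."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR_LEN + payload_len,
                       0, 0, 64, proto, 0, bytes(src), bytes(dst))

def esp_body(payload, key, spi=0x1000, seq=1):
    """SPI/seq + payload (left unencrypted for readability) + ICV. Per RFC 4303
    the ICV covers only the ESP header and payload, never the IP header in front."""
    hdr = struct.pack("!II", spi, seq)
    icv = hmac.new(key, hdr + payload, hashlib.sha1).digest()[:ICV_LEN]
    return hdr + payload + icv

def esp_transport(ip_hdr, payload, key):
    """Transport mode: the original header stays in front in the clear; no authenticated copy exists."""
    body = esp_body(payload, key)
    return ipv4_header(ip_hdr[12:16], ip_hdr[16:20], ESP_PROTO, len(body)) + body

def esp_tunnel_preserving(ip_hdr, payload, key):
    """Tunnel mode with header preservation (GETVPN style): the outer header copies the
    original addresses; the original header rides inside the ESP payload, under the ICV."""
    body = esp_body(ip_hdr + payload, key)
    return ipv4_header(ip_hdr[12:16], ip_hdr[16:20], ESP_PROTO, len(body)) + body

def receive(packet, key, tunnel):
    """-> (icv_ok, addresses_ok); tunnel mode compares authenticated inner vs outer addresses."""
    outer, body = packet[:IPV4_HDR_LEN], packet[IPV4_HDR_LEN:]
    hdr, payload, icv = body[:ESP_HDR_LEN], body[ESP_HDR_LEN:-ICV_LEN], body[-ICV_LEN:]
    expect = hmac.new(key, hdr + payload, hashlib.sha1).digest()[:ICV_LEN]
    icv_ok = hmac.compare_digest(icv, expect)
    return icv_ok, (payload[12:20] == outer[12:20]) if tunnel else True

# Constructed sample: 100-byte UDP payload from 10.1.1.1 to 10.2.2.2.
KEY = b"constructed-demo-key"
ORIG_HDR = ipv4_header(b"\x0a\x01\x01\x01", b"\x0a\x02\x02\x02", 17, 100)
PAYLOAD = bytes(100)

def demo(new_dst=b"\x0a\x09\x09\x09"):
    """(bytes transport mode saves, transport check, tunnel check) after the outer
    destination of each packet is rewritten in flight to new_dst (10.9.9.9)."""
    t = esp_transport(ORIG_HDR, PAYLOAD, KEY)
    u = esp_tunnel_preserving(ORIG_HDR, PAYLOAD, KEY)
    t, u = t[:16] + new_dst + t[20:], u[:16] + new_dst + u[20:]
    return len(u) - len(t), receive(t, KEY, False), receive(u, KEY, True)
```

In the transport case the rewritten outer header passes every check ESP can make, while the header-preserving tunnel packet still verifies its ICV but the outer address no longer matches the authenticated inner copy.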
Received on Tue Jun 01 2010 - 11:07:31 ART
This archive was generated by hypermail 2.2.0 : Sun Aug 01 2010 - 09:11:36 ART