It's also worth mentioning that VTIs are great for vendor interoperability.
Some vendors, such as Juniper, do not support IPSEC over GRE using IPSEC
Transport mode. This results in a configuration where you are forced to use
IPSEC tunnel-mode and some other messy tricks; you also end up with an
additional 20 bytes of needless overhead.
-Yuri
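To make the "extra 20 bytes" point concrete, here is an added example (not code from the thread) that computes the on-the-wire size of the encapsulations discussed: plain tunnel-mode IPsec as a crypto map or VTI would send it, GRE over IPsec in transport mode, and GRE over IPsec in tunnel mode. It uses the thread's transform set (esp-des esp-md5-hmac) and assumes RFC 4303 ESP framing, a 4-byte GRE header without key or sequence fields, IPv4 headers without options, and no NAT-T UDP header; because ESP pads to the cipher block size, the tunnel-mode penalty comes out as 20 bytes plus up to one block of extra padding.

```python
# Added example: ESP encapsulation overhead for the options in the thread.
# Constants are constructed from the RFC 4303 ESP layout (assumption: no
# NAT-T, no IP options, GRE header without key/sequence fields).
IP_HDR = 20          # IPv4 header without options
GRE_HDR = 4          # plain GRE (RFC 2784), no key or sequence number
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)

# cipher -> (IV length, block size); auth -> truncated ICV length
CIPHERS = {"esp-des": (8, 8), "esp-3des": (8, 8), "esp-aes": (16, 16)}
ICV = {"esp-md5-hmac": 12, "esp-sha-hmac": 12}

def esp_encapsulate(inner_len, cipher="esp-des", auth="esp-md5-hmac"):
    """Size of the ESP packet (header + IV + padded data + trailer + ICV)."""
    iv_len, block = CIPHERS[cipher]
    # Padding covers the data plus the 2-byte trailer and aligns to the block.
    pad = (-(inner_len + ESP_TRAILER)) % block
    return ESP_HDR + iv_len + inner_len + pad + ESP_TRAILER + ICV[auth]

def wire_size(payload_len, mode, gre, **kw):
    """Bytes on the wire for an inner IP packet carrying payload_len bytes."""
    inner = IP_HDR + payload_len                 # the routed packet itself
    if gre:
        inner = IP_HDR + GRE_HDR + inner         # GRE delivery header + GRE
    if mode == "transport":
        # ESP sits behind the existing outer IP header and protects the rest.
        return IP_HDR + esp_encapsulate(inner - IP_HDR, **kw)
    if mode == "tunnel":
        # Whole packet is encrypted and a fresh outer IP header is prepended.
        return IP_HDR + esp_encapsulate(inner, **kw)
    raise ValueError(mode)

def overhead_table(payload_len=100, **kw):
    """Overhead of each option relative to the unencrypted inner packet."""
    base = IP_HDR + payload_len
    options = {
        "crypto map / VTI (tunnel, no GRE)": wire_size(payload_len, "tunnel", False, **kw),
        "GRE over IPsec, transport mode": wire_size(payload_len, "transport", True, **kw),
        "GRE over IPsec, tunnel mode": wire_size(payload_len, "tunnel", True, **kw),
    }
    return {name: size - base for name, size in options.items()}

if __name__ == "__main__":
    for name, extra in overhead_table().items():
        print(f"{name:36s} +{extra} bytes")
```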
On Sun, Dec 9, 2012 at 12:49 PM, Brian McGahan <bmcgahan_at_ine.com> wrote:
> If you use an IPsec Virtual Tunnel Interface (VTI) this removes the need
> for running GRE, but still allows you to run layer 3 routing protocols
> across the site to site tunnel. It's basically the same as GRE but there
> is less overhead in the encapsulation. Also the configuration is simpler
> compared to the traditional crypto map and GRE tunnel interface config:
>
>
> http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_vpnips/configuration/12-4t/sec-ipsec-virt-tunnl.html
>
> There is also a Dynamic VTI that is the replacement for the Easy VPN
> dynamic crypto map.
>
> If you're going for CCIE Security make sure you know all the possible
> combinations of different tunnels, as this is a huge portion of the exam.
> Also there are different features that are and are not supported with the
> different types of tunnels. For example if you had a question that said
> "Configure an IPsec tunnel between R1 and R2 to encrypt only ICMP traffic"
> which types of tunnels would or would not work and why? Or likewise if the
> question said "Configure an IPsec tunnel between R1 and R2 that is part of
> the ZBPF zone INSIDE" which types of tunnels would or would not work and why?
>
>
> HTH,
>
> Brian McGahan, CCIE #8593 (R&S/SP/Security)
> bmcgahan_at_INE.com
>
> Internetwork Expert, Inc.
> http://www.INE.com
>
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Jay McMickle
> Sent: Sunday, December 09, 2012 2:26 PM
> To: Sidney D'Souza
> Cc: Adesh Chaudhary; Ovais Iqbal; <ccielab_at_groupstudy.com>
> Subject: Re: site to site vpn and routing protocol
>
> It has to do with directly connected interfaces. Put another layer 3 hop
> in between them and you'll see that it won't peer through the tunnel
> without GRE.
>
> Regards,
> Jay McMickle- CCIE #35355 (RS)
> Sent from my iPhone 5
>
> On Dec 9, 2012, at 1:45 PM, "Sidney D'Souza" <mail.sidney_at_gmail.com>
> wrote:
>
> > Just labbed it up and it does set up a neighbourship. Strange indeed.
> >
> > Regards,
> > Sid
> > Nobody's really listening, until you make a mistake...
> >
> > -----Original Message-----
> > From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf
> > Of Jay McMickle
> > Sent: 09 December 2012 23:05
> > To: Adesh Chaudhary
> > Cc: Ovais Iqbal; ccielab_at_groupstudy.com
> > Subject: Re: site to site vpn and routing protocol
> >
> > That is a good summary!
> >
> >
> >
> > Regards,
> > Jay McMickle- 3x CCNP
> > (R&S,Security,Design), CCIE #35355 (R&S)
> >
> >
> > From: Adesh Chaudhary <er.adeshchaudhary_at_gmail.com>
> > To: Jay McMickle <jay.mcmickle_at_yahoo.com>
> > Cc: Ovais Iqbal <ovais.iqball_at_yahoo.com>; "ccielab_at_groupstudy.com"
> > <ccielab_at_groupstudy.com>
> > Sent: Sunday, December 9, 2012 12:01 PM
> > Subject: Re: site to site vpn and routing protocol
> >
> > As I think, IPSEC is mostly deployed over Public Internet. IP Subnet is
> > generally different over both sides, causing issues with Routing Protocols.
> > So GRE over IPSEC is used to address this issue. I might be wrong, as I
> > haven't dealt much with them.
> >
> >
> > On Sun, Dec 9, 2012 at 8:26 PM, Jay McMickle <jay.mcmickle_at_yahoo.com> wrote:
> >
> >> Can you show the output of sh IP EIGRP neigh?
> >>
> >> Can you configure the interesting traffic for TCP traffic only in ACL 111?
> >> You'll notice that the EIGRP isn't getting encrypted. It's peering outside
> >> of the tunnel, and this ACL change will verify for you. Also, when you
> >> remove the peer keys and the tunnel goes down, do you lose your EIGRP
> >> neighbor?
> >>
> >> Great question, and a hard one to explain.
> >>
> >> Regards,
> >> Jay McMickle- CCIE #35355 (RS)
> >> Sent from my iPhone 5
> >>
> >> On Dec 9, 2012, at 8:10 AM, Ovais Iqbal <ovais.iqball_at_yahoo.com>
> >> wrote:
> >>
> >>> I will share the topology here,
> >>> ----------R1(10.0.0.1)(Fasteth0/0)-----------------------(Fasteth0/0)(10.0.0.2)R2----------
> >>>
> >>> R1 and R2 are connected back to back over Fas0/0. Routers are 1841
> >>> running 12.4 adv security. I configured following on R1 and replica to R2
> >>> (which I won't show since it will be just a repetition)
> >>>
> >>> R1
> >>> crypto isakmp key 0 cisco address 10.0.0.2
> >>> crypto isakmp policy 1
> >>>  auth pre-share
> >>>  encry des
> >>>  hash md5
> >>>  group 2
> >>>
> >>> access-list 111 permit ip any any
> >>>
> >>> crypto ipsec transform-set R1toR2 esp-des esp-md5-hmac
> >>> crypto map R1toR2 10 ipsec-isakmp
> >>>  match address 111
> >>>  set peer 10.0.0.2
> >>>  set transform-set R1toR2
> >>>
> >>> interface Fastethernet 0/0
> >>>  ip address 10.0.0.1 255.255.255.0
> >>>  crypto map R1toR2
> >>>
> >>> router eigrp 1
> >>>  no auto
> >>>  network 10.0.0.0 0.0.0.255
> >>>
> >>> Now eigrp successfully forms the neighborship, I can see the packets
> >>> being encrypted/decrypted while there is no other communication than
> >>> eigrp. This is surprising for me since I remembered for sure that
> >>> protocols didn't work over ipsec since ipsec has issues with multicast
> >>> packets.
> >>>
> >>> From: Jay McMickle <jay.mcmickle_at_yahoo.com>
> >>> To: Ovais Iqbal <ovais.iqball_at_yahoo.com>
> >>> Sent: Sunday, December 9, 2012 6:55 PM
> >>> Subject: Re: site to site vpn and routing protocol
> >>>
> >>> You'll have to see how that's happening. Most likely the peering is
> >>> going a different direction than you think (not over the tunnel). Type
> >>> "show IP EIGRP neigh or OSPF neigh" and see what IP address and what
> >>> route it's taking to get there.
> >>>
> >>> Regards,
> >>> Jay McMickle- CCIE #35355 (RS)
> >>> Sent from my iPhone 5
> >>>
> >>> On Dec 9, 2012, at 7:52 AM, Ovais Iqbal <ovais.iqball_at_yahoo.com>
> >>> wrote:
> >>>
> >>>> No there are no tunnel interfaces, that's why I am surprised that
> >>>> eigrp/ospf are able to run over ipsec?
> >>>>
> >>>> From: Jay McMickle <jay.mcmickle_at_yahoo.com>
> >>>> To: Ovais Iqbal <ovais.iqball_at_yahoo.com>
> >>>> Cc: "ccielab_at_groupstudy.com" <ccielab_at_groupstudy.com>
> >>>> Sent: Sunday, December 9, 2012 6:01 PM
> >>>> Subject: Re: site to site vpn and routing protocol
> >>>>
> >>>> All you need is a L3 interface on each end for the adjacencies. That's
> >>>> why GRE over IPSEC enables dynamic protocols.
> >>>>
> >>>> If you are peering over IPSEC, what L3 interfaces is it using? Is it
> >>>> going over the tunnel for the peering?
> >>>>
> >>>> Regards,
> >>>> Jay McMickle- CCIE #35355 (RS)
> >>>> Sent from my iPhone 5
> >>>>
> >>>> On Dec 9, 2012, at 3:35 AM, Ovais Iqbal <ovais.iqball_at_yahoo.com>
> >>>> wrote:
> >>>>
> >>>>> Hi all,
> >>>>>
> >>>>> I was under the impression that if I have 2 routers connected back to
> >>>>> back and I run ipsec over it, routing protocols won't work. That was
> >>>>> the main reason we use GRE. But now when I reconfigured it on GNS3 and
> >>>>> on real routers (1841), I saw that neighbor adjacencies are working
> >>>>> fine for all protocols. So it's a bit surprising for me
> >>>>>
> >>>>> Blogs and organic groups at http://www.ccie.net
> >>>>> _______________________________________________________________________
> >>>>> Subscription information may be found at:
> >>>>> http://www.groupstudy.com/list/CCIELab.html
> >
> >
> > --
> > Thanks &
> > Regards,
> > Adesh
> > +91 99996 10511 (Delhi)
> > +91 99860 10511 (Bangalore)
> >
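The thread's central question is why EIGRP and OSPF adjacencies form over a plain crypto map on a directly connected link, and Jay's suggested test is to narrow ACL 111 to TCP and watch the hellos stop being encrypted. The following added example (not code from the thread) models only the crypto ACL's "interesting traffic" decision, first-match with an implicit deny, and runs the thread's ACL 111 plus the TCP-only and ICMP-only variants mentioned over constructed EIGRP, OSPF, ICMP and TCP packets from R1; it does not model the route lookup, so the "extra L3 hop" case is out of scope.

```python
# Added example: which packets a crypto map ACL would hand to the IPsec SA.
# Packets and ACL variants are constructed from the thread's topology
# (R1 10.0.0.1, R2 10.0.0.2); this is a model of ACL matching, not IOS code.
import ipaddress

PROTO_NUM = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "eigrp": 88, "ospf": 89}

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST' (any/host/wildcard forms)."""
    tok = line.split()
    action, proto = tok[2], tok[3]
    def take(i):                          # returns (base, wildcard), next index
        if tok[i] == "any":
            return ("0.0.0.0", "255.255.255.255"), i + 1
        if tok[i] == "host":
            return (tok[i + 1], "0.0.0.0"), i + 2
        return (tok[i], tok[i + 1]), i + 2
    src, i = take(4)
    dst, _ = take(i)
    return {"permit": action == "permit", "proto": PROTO_NUM[proto], "src": src, "dst": dst}

def _match_addr(addr, spec):
    """Cisco wildcard-mask comparison: a 1 bit in the wildcard means 'don't care'."""
    base, wildcard = (int(ipaddress.IPv4Address(x)) for x in spec)
    mask = 0xFFFFFFFF ^ wildcard
    return (int(ipaddress.IPv4Address(addr)) & mask) == (base & mask)

def is_interesting(acl, pkt):
    """True if the crypto ACL permits pkt (first match wins; implicit deny at end)."""
    for ace in acl:
        if (ace["proto"] is None or ace["proto"] == pkt["proto"]) \
           and _match_addr(pkt["src"], ace["src"]) and _match_addr(pkt["dst"], ace["dst"]):
            return ace["permit"]
    return False

# Constructed packets as R1 would emit them on Fa0/0 toward R2's link.
PACKETS = {
    "eigrp hello": {"proto": 88, "src": "10.0.0.1", "dst": "224.0.0.10"},
    "ospf hello":  {"proto": 89, "src": "10.0.0.1", "dst": "224.0.0.5"},
    "icmp echo":   {"proto": 1,  "src": "10.0.0.1", "dst": "10.0.0.2"},
    "tcp syn":     {"proto": 6,  "src": "10.0.0.1", "dst": "10.0.0.2"},
}

def classify(acl_lines):
    """Map each sample packet to whether the given crypto ACL would encrypt it."""
    acl = [parse_ace(line) for line in acl_lines]
    return {name: is_interesting(acl, p) for name, p in PACKETS.items()}

if __name__ == "__main__":
    for label, lines in [("thread's ACL 111", ["access-list 111 permit ip any any"]),
                         ("TCP-only variant", ["access-list 111 permit tcp any any"]),
                         ("ICMP-only variant", ["access-list 111 permit icmp any any"])]:
        print(label, classify(lines))
```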
Received on Sun Dec 09 2012 - 13:01:27 ART
This archive was generated by hypermail 2.2.0 : Tue Jan 01 2013 - 09:36:53 ART