Suggested prerequisite reading
»Cisco Forum FAQ »Setting Up Private Site-To-Site Connections

Introduction

An IPSec VPN tunnel is one way of setting up a private site-to-site connection over a public network (the Internet). Because it uses the public network, there is no need for a dedicated physical circuit to interconnect the sites, so the setup cost is low while the connection stays private and secure.

With site-to-site IPSec VPN, IP routing is in place to interconnect multiple subnets. This routing can be static or dynamic. In a small network where there is only one path connecting two sites, static routing should be sufficient. When there are multiple paths connecting two sites, dynamic routing (i.e. EIGRP, OSPF) and/or load balancing (either per-packet or per-destination) should be used to get an optimal connection.

Note that IPSec tunneling by itself only supports static routes and basic IP interconnection. When more advanced interconnection is needed between the sites, such as running Novell IPX, dynamic routing, or load balancing, IPSec tunneling alone cannot provide it. For such advanced interconnection, GRE tunneling is the choice. The downside is that a GRE tunnel is less secure than an IPSec tunnel: GRE encapsulates the traffic but does not encrypt or authenticate it. Should you need advanced interconnection while keeping the connection secure over a public network, the workaround is to run GRE over IPSec. IPSec then encrypts the GRE tunnel, and the GRE tunnel provides the advanced interconnection support.

Some Discussions

said by Gramzster:
--------------------------------------------------------------------------------
I do have a quick question. When I was looking through the example configurations on the Cisco site, it seemed that GRE was what I wanted to try to configure, since it supported routing protocols.
Does this type of IPSEC tunnel also support routing protocols? (Basically, what's the difference between a GRE tunnel and this type of tunnel?)
--------------------------------------------------------------------------------
In a nutshell, the VPN tunnel never forwards routing broadcasts through the tunnel, nor does it send routing updates. To send routing updates (so that the remote location can learn the networks on the local side) you must use GRE over IPSec. With this feature, the routing updates are first encapsulated in a new GRE packet and then forwarded through the VPN (IPSec) tunnel. This is useful and required if you are using OSPF, RIP or EIGRP in your internal network and need to build a routing tunnel.
--------------------------------------------------------------------------------
Here's some more detail and links on the differences between a pure IPSec VPN tunnel and a GRE over IPSec tunnel:

Pure IPSec vpn tunnel
=====================
In a pure IPSec VPN tunnel, only IP traffic is encrypted/decrypted. If you have non-IP traffic, for example IPX, it is not able to go into the VPN tunnel. OSPF and EIGRP are not transferred in the tunnel. The URL below might be helpful for you about IPSec:
An Introduction to IP Security (IPSec) Encryption

GRE over IPSec vpn tunnel
=========================
In a GRE over IPSec VPN tunnel, the original packet, whether IP, IPX, etc., is first GRE encapsulated, and then this packet is subjected to IPSec encapsulation. Therefore, in a GRE over IPSec tunnel, all routing traffic (IP and non-IP) can be routed through, because once the original packet (IP/non-IP) is GRE encapsulated it has an IP header (as defined by the GRE tunnel, normally the tunnel interface IP addresses). The IPSec protocol can then understand the IP packet and can therefore encapsulate the GRE packet to make it GRE over IPSec.
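The layering described in the discussion above, as an added worked example that is not part of the original FAQ and not Cisco code: it builds the RFC 2784 GRE header and the outer IPv4 header addressed between the tunnel endpoints, parses the result back, and shows why a non-IP payload such as IPX, which a pure (IP-only) IPSec tunnel cannot carry, becomes an ordinary IP packet once it is GRE encapsulated. The tunnel endpoint addresses, the inner packets and the `looks_like_ipv4` heuristic are constructed for illustration; the 24-byte overhead and the 1476-byte figure it computes are the same numbers the FAQ uses for Ethernet.

```python
"""GRE encapsulation (RFC 2784) and the resulting tunnel overhead.

Added example for the DSLReports FAQ; not the FAQ's or Cisco's code.
All addresses and packets below are constructed for illustration.
"""
import struct
import ipaddress

GRE_PROTO = 47            # IP protocol number of GRE in the outer IPv4 header
ETHERTYPE_IPV4 = 0x0800   # GRE protocol-type value for an IPv4 payload
ETHERTYPE_IPX = 0x8137    # GRE protocol-type value for a Novell IPX payload
ETHERNET_MTU = 1500
OUTER_IPV4_LEN = 20       # outer IPv4 header without options
GRE_BASIC_HDR_LEN = 4     # RFC 2784 header with the optional checksum absent


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 ones-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int,
                      ttl: int = 255) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, OUTER_IPV4_LEN + payload_len, 0, 0, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def looks_like_ipv4(frame: bytes) -> bool:
    """Version-nibble check standing in for 'is this something an IP-only
    IPSec tunnel can carry?'. Illustration heuristic: a raw IPX packet
    starts with its 0xFFFF checksum field, so it fails this test."""
    return len(frame) >= 20 and (frame[0] >> 4) == 4


def gre_encapsulate(inner: bytes, ethertype: int,
                    tunnel_src: str, tunnel_dst: str) -> bytes:
    """Wrap any payload in a GRE header, then in an outer IPv4 header between
    the tunnel endpoints. Flags/version word is 0: C=0 (no checksum),
    version 0 as required by RFC 2784."""
    gre_hdr = struct.pack("!HH", 0x0000, ethertype)
    outer = build_ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO,
                              len(gre_hdr) + len(inner))
    return outer + gre_hdr + inner


def gre_decapsulate(packet: bytes):
    """Parse outer IPv4 + GRE; return (tunnel_src, tunnel_dst, ethertype, inner)."""
    if not looks_like_ipv4(packet):
        raise ValueError("outer header is not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 checksum")
    if packet[9] != GRE_PROTO:
        raise ValueError("outer protocol is %d, not GRE (47)" % packet[9])
    total_len = struct.unpack("!H", packet[2:4])[0]
    flags_ver, ethertype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags_ver & 0x0007:
        raise ValueError("unsupported GRE version %d" % (flags_ver & 7))
    gre_len = GRE_BASIC_HDR_LEN
    if flags_ver & 0x8000:   # C bit set: checksum + reserved1 add 4 bytes (not verified here)
        gre_len += 4
    tunnel_src = str(ipaddress.IPv4Address(packet[12:16]))
    tunnel_dst = str(ipaddress.IPv4Address(packet[16:20]))
    return tunnel_src, tunnel_dst, ethertype, packet[ihl + gre_len:total_len]


def gre_overhead() -> int:
    """Bytes added per packet by GRE over IPv4: 20 outer IP + 4 GRE = 24."""
    return OUTER_IPV4_LEN + GRE_BASIC_HDR_LEN


def tunnel_mtu(link_mtu: int = ETHERNET_MTU) -> int:
    """Largest inner packet that still fits the link after GRE encapsulation."""
    return link_mtu - gre_overhead()


if __name__ == "__main__":
    # Constructed samples: an inner IPv4/UDP packet between two private LANs
    # and an IPX-like packet; tunnel endpoints use documentation addresses.
    inner_ip = build_ipv4_header("10.1.1.10", "10.2.2.20", 17, 8) + b"\x00" * 8
    ipx = b"\xff\xff\x00\x1e" + b"\x00" * 26
    for name, payload, et in (("ipv4", inner_ip, ETHERTYPE_IPV4),
                              ("ipx", ipx, ETHERTYPE_IPX)):
        pkt = gre_encapsulate(payload, et, "203.0.113.1", "198.51.100.1")
        print(name, "IP-only tunnel can carry it before GRE:", looks_like_ipv4(payload),
              "after GRE:", looks_like_ipv4(pkt), "overhead:", len(pkt) - len(payload))
    print("tunnel ip mtu on Ethernet:", tunnel_mtu())
```

The 24 bytes computed here cover GRE alone. When the GRE packet is then placed inside IPSec, ESP adds its own header, padding, trailer and integrity value (and a second outer IP header in tunnel mode), so the MTU available to the inner traffic is lower still and depends on the ciphers selected.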
Please visit the URLs below for more info:
Which VPN Solution is Right for You?
How Virtual Private Networks Work
--------------------------------------------------------------------------------

Implementation

1. Network Devices that support GRE tunnel terminations

Since a GRE tunnel involves routing and routing protocols, GRE tunnels are by nature supported by routers, not by firewalls or IPSec VPN concentrators. An IPSec VPN tunnel, on the other hand, involves encryption, so by nature it is supported by IPSec VPN concentrators. In vendor implementations, some firewalls and routers also support IPSec VPN tunnel creation.

On Cisco implementations, Cisco routers use Tunnel interfaces as the GRE tunnel. The protocol used is industry-standard GRE (IP protocol 47). You can find more about the GRE protocol in RFC 2784.

As to IPSec VPN tunnel implementation on Cisco devices, there are crypto ipsec and crypto isakmp statements in the commands that relate to IPSec VPN tunnel configuration on Cisco routers, PIX, or ASA. The protocol used is a combination of industry-standard ESP (IP protocol 50), AH (IP protocol 51), UDP port 500 (standard ISAKMP), and UDP port 4500 (non-standard ISAKMP). You can find more about those protocols in RFC 2460: ESP, RFC 4302: AH, and RFC 2408: ISAKMP.

2. MTU Size

Regardless of whether an IPSec VPN tunnel is present, there is typically a need to adjust the MTU size once you implement a GRE tunnel in your network, since GRE encapsulation takes up about 24 bytes (a 20-byte outer IP header plus a 4-byte GRE header). On an Ethernet network where the MTU is 1500 bytes, you need to configure the router Ethernet interfaces to a maximum MTU of 1476 bytes (1500 - 24). Check out the following link for details:
Why Can't I Browse the Internet when Using a GRE Tunnel?

Illustration

Following is a list of sample configurations as illustrations of the Cisco implementation of either just an IPSec VPN tunnel or a GRE over IPSec VPN tunnel.
Sample Configurations
»Cisco Forum FAQ »Various Site-to-Site IPSec VPN: Cisco, Juniper, Checkpoint, Sonicwall, Zywall
»Cisco Forum FAQ »Private Routing over VPN: NAT/PAT, GRE, IPSec Sample Configurations

Hope that helps. This FAQ was brought to you by this post http://www.dslreports.com/forum/remark,8108888~root=equip,cis~mode=flat#8176897 by Covenant
by nozero

Monday, 06-Feb 22:38:45 | © 1999-2012 dslreports.com