
Covenant
MVM
join:2003-07-01
England

Covenant to GM85


Re: Need a Little help with Easy VPN

said by GM85:
I do have a quick question. When I was looking through the example configurations on the Cisco site, it seemed that GRE was what I wanted to try to configure, since it supported routing protocols. Does this type of IPSEC tunnel also support routing protocols? (Basically, what's the difference between a GRE tunnel and this type of tunnel?)
In a nutshell, the VPN tunnel never forwards the routing broadcasts through the tunnels. Neither do they send the routing updates. To send the routing updates (so that the remote location can learn the network on the local side) you must use IPSec over GRE. With this feature, the routing updates are first encapsulated in a new GRE packet and then forwarded through the VPN tunnel. This is useful and required if you are using OSPF, RIP or EIGRP in your internal network and need to build a routing tunnel.



Here's some more detail and links/differences between a pure IPSec vpn tunnel and a GRE over IPSec tunnel:

Pure IPSec vpn tunnel
=====================

In a pure IPSec VPN tunnel, only IP traffic is encrypted/decrypted.

If you have non-IP traffic, for example IPX, then it is not able to go into the VPN tunnel.

OSPF and EIGRP are not transferred in the tunnel.

The URLs below about IPSec might be helpful for you:

»www.cisco.com/en/US/tech ··· 03.shtml

»www.cisco.com/en/US/nets ··· 272.html

»www.cisco.com/en/US/prod ··· f4c.html

GRE over IPSec vpn tunnel
=========================

In a GRE over IPSec VPN tunnel, the original packet, whether IP, IPX, etc., is first GRE encapsulated, and this packet is then subjected to IPSec encapsulation.

Therefore, in a GRE over IPSec tunnel, all routing traffic (IP and non-IP) can be routed through, because when the original packet (IP/non-IP) is GRE encapsulated it will have an IP header (as defined by the GRE tunnel, normally the tunnel interface IP addresses). The IPSec protocol can then understand the IP packet and can therefore encapsulate the GRE packet to make it GRE over IPSec.

Please visit the URLs below for more info:

»www.cisco.com/en/US/tech ··· ba.shtml

»www.cisco.com/en/US/tech ··· 65.shtml



Last but not least, here's another link for a sample config which uses GRE/IPSEC, CBAC and NAT, but I am sure that you will be able to remove the CBAC if you do not want it.

Hope that helps.

»www.cisco.com/warp/publi ··· tip.html
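
The encapsulation order described in the post above, as an added Python example that is not part of the original thread: it builds an OSPF hello, an IPX packet and ordinary LAN data, checks each against a subnet-to-subnet IPsec traffic selector, then GRE-encapsulates them and checks the result against a GRE selector between the two routers. All addresses, the selector tuples and the function names are assumptions made for this example, and ESP encryption itself is not modeled.

```python
import ipaddress
import struct

PROTO_GRE, PROTO_OSPF = 47, 89                  # IANA IP protocol numbers
ETHERTYPE_IPV4, ETHERTYPE_IPX = 0x0800, 0x8137  # carried in the GRE protocol-type field

def ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (header checksum left at 0 for brevity) plus payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + payload

def gre_encapsulate(tunnel_src, tunnel_dst, ethertype, inner):
    """Prepend a basic 4-byte GRE header (RFC 2784, no options) and a new outer IP header."""
    return ipv4(tunnel_src, tunnel_dst, PROTO_GRE, struct.pack("!HH", 0, ethertype) + inner)

def gre_decapsulate(outer):
    """Return (ethertype, inner packet) from a packet built by gre_encapsulate."""
    _flags, ethertype = struct.unpack("!HH", outer[20:24])
    return ethertype, outer[24:]

def selector_matches(packet, selector):
    """True if the packet is IPv4 and matches (protocol or None, source net, destination net)."""
    proto, src_net, dst_net = selector
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False                            # not an IP packet: nothing for IPsec to match
    src, dst = ipaddress.IPv4Address(packet[12:16]), ipaddress.IPv4Address(packet[16:20])
    return ((proto is None or packet[9] == proto)
            and src in ipaddress.ip_network(src_net) and dst in ipaddress.ip_network(dst_net))

# Constructed sample traffic and selectors (assumed values, not from the thread).
LAN_SELECTOR = (None, "10.1.0.0/16", "10.2.0.0/16")            # pure IPsec: LAN to LAN
GRE_SELECTOR = (PROTO_GRE, "192.0.2.1/32", "198.51.100.1/32")  # GRE between the two routers
OSPF_HELLO = ipv4("10.1.0.1", "224.0.0.5", PROTO_OSPF, b"\x02\x01" + bytes(22))  # multicast
IPX_PACKET = b"\xff\xff" + bytes(28)            # 30-byte IPX header, checksum field 0xFFFF
LAN_DATA = ipv4("10.1.0.10", "10.2.0.20", 6, b"data")

if __name__ == "__main__":
    samples = (("OSPF hello", OSPF_HELLO, ETHERTYPE_IPV4),
               ("IPX", IPX_PACKET, ETHERTYPE_IPX),
               ("LAN data", LAN_DATA, ETHERTYPE_IPV4))
    for name, pkt, ethertype in samples:
        wrapped = gre_encapsulate("192.0.2.1", "198.51.100.1", ethertype, pkt)
        print(f"{name:10} pure IPsec: {selector_matches(pkt, LAN_SELECTOR)!s:5} "
              f"GRE over IPsec: {selector_matches(wrapped, GRE_SELECTOR)}")
```

Only the LAN data matches the subnet selector directly; once wrapped in GRE, all three packets are plain unicast IP protocol 47 between the tunnel endpoints and match the GRE selector.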

nozero
Eschew Obfuscation
MVM,
join:1999-12-29
InnerSanctum


The post above was added to the FAQ here: http://www.dslreports.com/faq/8228.