EmergingNetworking board - Everyone, take a look at my implementation: a colleague says it won't work, and I'm half convinced.
x*********n
Posts: 28013
1
R1 and R2 set up a site-to-site VPN.
In the figure 1 design, every time the customer wants to add a new private IP range, we have to create an IP access list.
Now I have redesigned it as in figure 2: I added a router, and every time a new subnet is added it goes on the new router, while the tunnel stays where it was; each subnet just points to IP A or B.
My colleague says this won't work, because the packet's source IP is still DEF...
I'm not sure either; I think router A at least learns the new IPs.
s*****g
Posts: 1055
2
Your colleague is right. To solve the problem you mentioned, just use IPsec transport mode (aka IPsec/GRE) instead of tunnel mode (aka direct encapsulation).
m**t
Posts: 1292
3
Your colleague is right; the IPsec SPD policies are triggered by the IP
ranges, unless you perform source NAT on the router you added.

【Quoting x*********n】
: R1 and R2 set up a site-to-site VPN.
: In the figure 1 design, every time the customer wants to add a new private IP range, we have to create an IP access list.
: Now I have redesigned it as in figure 2: I added a router, and every time a new subnet is added it goes on the new router, while the tunnel stays where it was; each subnet just points to IP A or B.
: My colleague says this won't work, because the packet's source IP is still DEF...
: I'm not sure either; I think router A at least learns the new IPs.

x*********n
Posts: 28013
4
I need to digest what the expert above said. Thanks for the pointers.
t*******r
Posts: 3271
5
赛王 is really a nice guy........... It's been N years since I last did IPsec VPN.
N>=6
p**x
Posts: 123
6
Even with IPsec/GRE, why can't it be done in tunnel mode?


【Quoting s*****g】
: Your colleague is right. To solve the problem you mentioned, just use IPsec transport mode (aka IPsec/GRE) instead of tunnel mode (aka direct encapsulation).
s*****g
Posts: 1055
7
You can, but what does that buy you? To have 20 bytes of extra overhead?
p**x
Posts: 123
8
Maybe more secure and NAT friendly? ;)
Interesting that you mentioned IPsec/GRE; I suppose you meant GRE over IPsec,
since you picked transport mode. With that setup, it is also extra overhead
to provide encryption to the routing protocol... I would probably do IPsec over
GRE tunnels, so the GRE takes care of any multicast or broadcast stuff while
the encrypted traffic rides inside the tunnel. It's easier on CPU and memory
too.
s*****g
Posts: 1055
9
I meant to say GRE/IPsec (the GRE packet is encapsulated inside the IP/ESP packet), to be exact... With GRE/IPsec in tunnel mode you need 20 bytes more than in transport mode.
Can you explain how IPsec/GRE (which means ESP is encapsulated inside GRE) is configured on a typical Cisco box? And in this case, how can multicast/broadcast traffic be encrypted by IPsec before being encapsulated by GRE? Or how do you define the IPsec "interesting" traffic?


【Quoting p**x】
: Maybe more secure and NAT friendly? ;)
: Interesting that you mentioned IPsec/GRE; I suppose you meant GRE over IPsec,
: since you picked transport mode. With that setup, it is also extra overhead
: to provide encryption to the routing protocol... I would probably do IPsec over
: GRE tunnels, so the GRE takes care of any multicast or broadcast stuff while
: the encrypted traffic rides inside the tunnel. It's easier on CPU and memory
: too.

p**x
Posts: 123
10
It's actually pretty much the same, only you don't encrypt the entire
GRE tunnel in the crypto ACL; GRE is only used as a carrier for IPsec traffic.
Configure the IPsec security protocol, define ESP or AH or both. Define
interesting traffic in the crypto ACL. Create the GRE tunnel, allow the routing protocol
or static routes to pass through between IPsec peers.
However, mcast/bcast along with routing protocols are only wrapped by GRE,
and interesting (protected) traffic is wrapped by ESP and GRE.
s*****g
Posts: 1055
11
Hmm, never tried this configuration before, so let's try to think in the router's mind:
In the GRE/IPsec case, when a packet comes in, the router does an IP lookup; the next hop is the GRE tunnel, so the router encapsulates the original packet with an IP-GRE header, which subsequently triggers IPsec before the packet is placed on the wire. The sequence makes perfect sense to me.
Now with the IPsec/GRE case, when a packet comes in, it does a route lookup; the next hop has to be a tunnel interface in order to solve LZ's (the OP's) original problem, but then will the router trigger IPsec first? What does your crypto ACL look like?


【Quoting p**x】
: It's actually pretty much the same, only you don't encrypt the entire
: GRE tunnel in the crypto ACL; GRE is only used as a carrier for IPsec traffic.
: Configure the IPsec security protocol, define ESP or AH or both. Define
: interesting traffic in the crypto ACL. Create the GRE tunnel, allow the routing protocol
: or static routes to pass through between IPsec peers.
: However, mcast/bcast along with routing protocols are only wrapped by GRE,
: and interesting (protected) traffic is wrapped by ESP and GRE.

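The point the replies above keep circling (the SPD only sees the headers of the packet as it is about to hit the wire, so a direct tunnel-mode crypto ACL keyed on private ranges misses any subnet added later, while GRE/IPsec only ever matches the GRE carrier between the endpoints) can be modelled in a few lines. This is an added example, not any poster's configuration; the addresses, the "DEF" subnet 10.9.0.0/24 and the NAT hide address are constructed, and it also covers the source-NAT workaround from reply 3.

```python
import ipaddress
from dataclasses import dataclass
# Constructed topology (not from the thread): R1/R2 are the public tunnel endpoints,
# 10.1.0.0/16 <-> 10.2.0.0/16 is the original pair the crypto ACL covers, and
# 10.9.0.0/24 is the new customer subnet ("DEF") placed behind the extra router.
R1, R2 = "203.0.113.1", "203.0.113.2"

@dataclass
class Packet:
    proto: str  # "ip" for ordinary payload, "gre" once a tunnel interface wrapped it
    src: str
    dst: str

def acl(*rules):
    # Crypto ACL as (protocol, source network, destination network) lines.
    return [(p, ipaddress.ip_network(s), ipaddress.ip_network(d)) for p, s, d in rules]

def spd_match(pkt, crypto_acl):
    # IPsec SPD check: 'interesting' only if a crypto-ACL line matches the packet
    # headers as they are about to go on the wire.
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    return any(p in ("ip", pkt.proto) and s in sn and d in dn for p, sn, dn in crypto_acl)

def gre_encap(pkt):
    # Tunnel interface: the outer IP/GRE header carries only the endpoints, so the
    # inner source subnet disappears from what the SPD gets to see.
    return Packet("gre", R1, R2)

def source_nat(pkt, inside_net, hide_addr):
    # Reply 3's workaround: rewrite sources from the new subnet into an address
    # the existing tunnel-mode ACL already covers.
    if ipaddress.ip_address(pkt.src) in ipaddress.ip_network(inside_net):
        return Packet(pkt.proto, hide_addr, pkt.dst)
    return pkt

# Design 1: direct IPsec tunnel mode, crypto ACL keyed on the private ranges.
DESIGN1_ACL = acl(("ip", "10.1.0.0/16", "10.2.0.0/16"))
# Design 2: GRE/IPsec (ESP transport mode), crypto ACL keyed on the GRE carrier only.
DESIGN2_ACL = acl(("gre", R1 + "/32", R2 + "/32"))

def protected(pkt, design, nat=False):
    """True when the packet leaves R1 inside ESP under the given design."""
    if nat:
        pkt = source_nat(pkt, "10.9.0.0/24", "10.1.255.254")
    if design == 1:
        return spd_match(pkt, DESIGN1_ACL)
    return spd_match(gre_encap(pkt), DESIGN2_ACL)  # route -> Tunnel0 -> GRE -> SPD

OLD = Packet("ip", "10.1.4.7", "10.2.0.9")   # host on the original range
NEW = Packet("ip", "10.9.0.23", "10.2.0.9")  # host on the subnet added later
```

`protected(NEW, 1)` is False: traffic from the new range would leave R1 outside ESP (or be dropped, depending on routing) until someone edits the ACL, which is exactly the per-subnet maintenance the original poster was trying to avoid.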
a***n
Posts: 262
12
Crypto map is old-fashioned; the new way in Cisco is Virtual Tunnel Interface.
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide
So basically, there are IPsec VPN, SSL VPN, Easy VPN, DMVPN, GET VPN, and
MPLS VPN (L2 or L3) in the VPN world.
Almost all of these VPNs can be integrated with VRF to further separate
traffic.
Nowadays, most firewall features are VRF aware too.


【Quoting s*****g】
: Hmm, never tried this configuration before, so let's try to think in the router's mind:
: In the GRE/IPsec case, when a packet comes in, the router does an IP lookup; the next hop is the GRE tunnel, so the router encapsulates the original packet with an IP-GRE header, which subsequently triggers IPsec before the packet is placed on the wire. The sequence makes perfect sense to me.
: Now with the IPsec/GRE case, when a packet comes in, it does a route lookup; the next hop has to be a tunnel interface in order to solve LZ's (the OP's) original problem, but then will the router trigger IPsec first? What does your crypto ACL look like?

s*****g
Posts: 1055
13
VTI just makes configuration easier for the users, but the underlying
technology/principle does not change.


【Quoting a***n】
: Crypto map is old-fashioned; the new way in Cisco is Virtual Tunnel Interface.
: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide
: So basically, there are IPsec VPN, SSL VPN, Easy VPN, DMVPN, GET VPN, and
: MPLS VPN (L2 or L3) in the VPN world.
: Almost all of these VPNs can be integrated with VRF to further separate
: traffic.
: Nowadays, most firewall features are VRF aware too.
