IPSEC/GRE vs IPSEC Alone

dladen · ‎05-08-2007

What am I forfeiting if I move from a IPSEC/GRE tunnel to a IPSEC-only tunnel. I was looking at EzVPN or DMVPN. I know I lose non-IP and multicast but how does that equate to the user's experience. We are using IP exclusively.

-Will I need to use static routes.

-Will I lose the ability to host VoIP.

-Will a Windows network continue to function.

-Are there well-known applications that require Multicast.

Thanks,

Dan

sebastan_bach · ‎05-09-2007

hi dan without gre u lose ip connectivity. u can still achieve that with the help of RRI reverse route injection.

for dmvpn it;s must that u congiure to get routing reachability between the spokes.

pls specify in detail what are u looking for.

regards

sebastan

Vikas Saxena · ‎05-12-2007

You use GRE with IPSeC to encrypt broadcast and Multicast.

Multicast is mainly used with the routing protocols or other Video and audio applications.

Broadcast is extensively used in windows network for Netbios 137,138 and 139 UDP ports.

With Pure IPSEC you will not face any problem with your windows network however master browser services will not work (netbios uses broadcast to register the different services). You will be able to use \\server ip\share feature tho. If you can use the Wins server of the other side then you can optimize it.

Voip will not have any problem.

GRE/DMVPN integrates your remote brances seamlessly in your network through routing protocols however with Pure IPSec you will need to do this yourself.

How about Virtual Tunnel Interfaces?

-Vikas

dladen · ‎05-14-2007

I have heard of Virtual Tunnel interface but did not think I can use them with one end terminating on an ASA firewall.

Thank you for the information.