IPSec over WAN

Answered Question
May 12th, 2008

Hi,

I wonder if I can implement IPSec (L3 protocol) over L2 WAN technologies such as frame-relay or ATM?

R/ Haitham

Overall Rating: 4.5 (2 ratings)
Richard Burts Mon, 05/12/2008 - 10:19

Haitham

Perhaps you can clarify your question a bit. When you talk about L2 WAN such as Frame Relay, are you intending to treat the Frame Relay link as a routed link (as it usually is) or are you talking about keeping everything at layer 2 and not having layer 3 on the link (which is essentially a bridging solution if I understand you correctly)?

If you are going to assume that there is layer 3 IP running over the Frame Relay or ATM link then it is quite possible to run IPSec over them. If you really intend to keep everything at layer 2 then perhaps you can describe your environment a bit better.

HTH

Rick

haithamnofal Mon, 05/12/2008 - 13:13

Hi Rick,

Thanks for your response. Basically, yes, I am intending to run L3 over the WAN. But my question to you is: if I am implementing IPSec for security over the WAN, what will be the advantage of acquiring WAN connectivity such as frame-relay over running a site-to-site VPN over my normal internet link?

Shouldn't Site-to-Site VPN save me the cost of the WAN? What is the real advantage of having dedicated WAN connectivity in my company?

Thanks!

R/ Haitham

Correct Answer
Richard Burts Mon, 05/12/2008 - 13:37

Haitham

The decision whether to use a dedicated link within the organization or to use routing over the Internet is a somewhat complex decision and there are many factors to be considered. Some of these factors include the difference in having a link where you have 100% of the resource or having a link where you share the resource with others.

Another consideration may be reliability and ease of troubleshooting. With a Frame Relay link if there is a problem it is easier to find and you know exactly who is responsible to fix it if there is a problem. With a link through the Internet it gets complex. I have a customer who uses Internet based VPNs to get to a number of remote locations. Recently there was a remote location that was down for hours and hours because some provider in the Internet was having problems in their network. It was very difficult to identify exactly what the problem was and even more difficult to determine who should have responsibility for it. In many cases an organization will consider factors such as this and determine that it is worth the larger expense to get something like Frame Relay.

So how much is it worth to your organization to increase the reliability and to have someone who is clearly accountable when there is a problem?

HTH

Rick
