WAN routing + packet assembler/disassembler

Unanswered Question
May 30th, 2009


In th HQ, I have a Cisco router connected to a security equipment (Crypto AG) that encrypt all the packet (including the header), the security equipment is connected to another Cisco router which is connected to IP/MPLS or Frame Relay Provider.


In the branch office, I have the same architecture.

Is there any why to make this architecture work (can ping from the 1st router in HQ to second router in branch office) ?

I was told that we can use PAD (packet assembler/disassembler) to communicate between the 2 routers in the same site

any advice will be helpfull.

thanks in advance.



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Giuseppe Larosa Sat, 05/30/2009 - 09:16

Hello Lamine,

I think this kind of crypto devices are good only on dedicated links.

if they encrypt everything including the header how can the second router understand in which way to handle the resulting packet ?

An EoMPLS router could still try to forward the packet because it doesn't need to understand it but no ip routing is possible on a totally encrypted packet the ipv4 header should be left in clear text to be able to route it as it is done in the IPSec protocols with AH and ESP.

if instead you put the devices at the two ends of a dedicated link there is no problem traffic arrives decrypted at the destination router.

Hope to help


b_lamine81 Sun, 05/31/2009 - 01:57

Hi Giuseppe,

Many thanks for your reply.

But the problem is that the EoMPLS Router encapsulate a L2 frame received on an ingress interface, which is not the case. the router behind the Crypto device receive an ancrypted packets and it can't read the L2 header.



Giuseppe Larosa Sun, 05/31/2009 - 02:21

Hello Lamine,

what you say confirms my impression that you cannot have a router in the path between the two cypher devices.

if even the L2 header is encrypted these devices can interoperate only between them.

Hope to help



This Discussion