Hi,

              I m using Services SPA Carrier-400 .But bit doubtful about the configuration . what u say if I wll try to configure it with SDM .

thanx and regards,

Taran

Hello Taran,

I don't think SDM supports IPSEC SPA configuration, but I'm a CLI adept.

Read carefully the configuration chapter provided by Jon, then try to describe an example of IPSec protection that you would like to implement.

Hope to help

Giuseppe

HI,

       Thanx for reply. Me too also cli guy but i was thinking that sdm may be fine but wll now go with cli and i m bit doubtful about my conf because i m running bgp over my all links including mpls and p2p. let me try that and if u have some conf in ur mind then plz help me because i m not much familiar with this concept in core.

thanx and regards,

Taran

HI ,

            Actually I m doubtfull about conf. Because we are having mpls connectivity like hub and spokes , means one site is connected to 20 sites and all those sites also access data between each other without reaching hub location.we are at client site and now we have P2P links to all those sites. All sites running BGP between themselves. So according to our requirements we have to implement ipsec over gre. I m not sure about it.

Thanx and Regards,

Taran

Hello Taran,

it is not clear you have an MPLS L3 VPN service or an MPLS L2 VPN service with point-to-point links

>> all those sites also access data between each other without reaching hub location.

this can be a L3 VPN with basic any-to-any  connectivity or a L2 VPLS

>> now we have P2P links to all those sites

this is more similar to L2 VPN point-to-point service or are these for backup?

In anycase the notes are:

if you have an MPLS L3 VPN and you only to implement hub and spoke (you don't want remote sites to talk directly) this can be done by service provider with few changes on its side.

if you really need encryption you should consider DMVPN that combines IPSec and multipoint GRE to achieve better scalability

http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/DMVPDG.html

the idea is to protect=encrypt traffic between LAN IP subnets of central site and remote sites.

BGP should be used to advertise IPSec endpoints and non secure subnets (if any)

Edit:

I've checked that DMVPN phase2 is supported on the IPSEC SPA.

to implement a true hub and spoke without spoke to spoke dynamic tunnels the best choice is to use EIGRP over the virtual lan segment created by multipoint GRE

Hope to help

Giuseppe

Hi,

         Thanx for instant reply. Actually , we are running BGP peering with ISP at all sites even on the core.But i just mentioned that its like as hub and spoke but not acting like this because all other sites even connecting with core site but those can reach each other without going to core and now we have p2p links to all those sites also running BGP . these are for load sharing and redundancy. I m thinking about DMVPN but bit confused about its conf and working . What u say about it?

thanx and regards,

Taran

Hello Taran,

a minimal lab to test and learn DMVPN would require three routers, one acting as hub and other two that are your spokes.

To simplify your setup you can use a shared key.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008014bcd7.shtml

this may be of help in setting up the lab.

Later, you can try to add the IPSec SPA to the picture and to use a CA server (to use certificates)

if  you are new to IPSec a preliminary step may be to perform a lab with point-to-point GRE over IPSec

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009438e.shtml

this document provides you examples of point to point GRE protected by IPSec and using EIGRP.

This should be used for comparison and also can be considered a possible design if there are only 20 sites, and you don't need spoke to spoke communication.

This may be more familiar to you.

Hope ot help

Giuseppe

Hi, 

            Thanx for reply, The link of DMVPN url was too good. But i have some confusions.I m running BGP on all sites and the other thing is each site communicates with other sites without reaching core site or we can say HUB site. On each site i have different IP scheme. I think it wll work even i wll implement this with BGP, I dont think there is any need to implement to other protocol like Eigrp. And also doubtful that when i wll implement IPSEC over GRE then it can create reachability issues, will any site lose connectivity while implementing this because i have to do all of this on live project.

thanx and regards,

Taran