Gre over IPSEC

Vlad Olteanu
Level 1

Hi guys,

I am in the situation of connecting two buildings with 2x34 Mbps links and I am being requested to encrypt the data traffic, but not the voice traffic.

I have 4x3845s for this task and I have some ideas on how to do it, but if you can guide me in the right direction, maybe those of you that have already dealt with this!

The data transfer will consist of file copying on FTP or RDP sessions from one building to the other, cross backup between these sites only.

Thanks,

Regards,

Vlad


Richard Burts
Hall of Fame

Vlad

If you have 2 circuits and 4 routers then an appealing solution would be to use Policy Based Routing to send voice traffic over one circuit and send data traffic over the other circuit. You could then configure IPSec VPN on the data circuit which would encrypt the data traffic.

HTH

Rick


Mohamed Sobair
Level 7

Adding to Rick's reply:

If you still have one outgoing connection and you would like the data to be encrypted without the voice, just have your IPsec VPN configuration as normal, and configure your interesting traffic to match data traffic only, without the voice.

With the above, the data traffic will be sent to the destination encrypted while the voice traffic will be sent unencrypted.

HTH

Mohamed

Thank you both!

I would have some unclarity tho'.

I have 2 routers @ one site and 2 routers @ the other site, 2 links between these routers. If I do policy routing and route traffic based on destination, how will one router know if the other router is down or unreachable?

I have never done this before, so I am thinking about which would be the most appropriate and practical solution for me.

Vlad

Vlad

If you need to provide redundancy that does complicate the situation a bit. I think that you could probably set up IP SLA to track reachability through the other router at the site.

I had thought about the suggestion of having the access list in IPSec VPN to identify interesting traffic deny voice traffic and permit data traffic and that is a very reasonable approach. If you took this approach perhaps you could then run some routing protocol which could detect when the other router at a site had lost its connection between sites.

HTH

Rick


Rick,

Thanks a lot!

Yes, I was giving this a thought and I think I am going to stick to this approach. I was thinking of this as well, but I was not sure it would be the best, but it seems to me I do not really have too many options to choose from here.

And frankly I don't want anything that would complicate my life too much!

Regards,

Vlad
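
The crypto ACL approach from Mohamed's and Rick's replies, sketched as an added IOS example that is not part of the thread. All subnets, link addresses, names, the interface and the algorithm choices are assumptions, and the key is a placeholder.

```cisco
! Site A router on the inter-building link (constructed addressing):
!   data 10.1.10.0/24, voice 10.1.20.0/24, link 192.0.2.1/30
! Site B: data 10.2.10.0/24, voice 10.2.20.0/24, link 192.0.2.2/30
!
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
! Placeholder key; replace with a long random secret.
crypto isakmp key <PRE-SHARED-KEY> address 192.0.2.2
!
crypto ipsec transform-set DATA-TS esp-aes 256 esp-sha-hmac
!
! Crypto ACL: "permit" means encrypt, "deny" means send in clear (not drop).
! First match wins, so the voice deny must precede any wider permit.
ip access-list extended CRYPTO-DATA
 deny   ip 10.1.20.0 0.0.0.255 10.2.20.0 0.0.0.255
 permit ip 10.1.10.0 0.0.0.255 10.2.10.0 0.0.0.255
! Anything unmatched hits the implicit deny and also leaves unencrypted.
!
crypto map SITE-B 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set DATA-TS
 match address CRYPTO-DATA
!
! Interface name is an assumption; use the one facing the other building.
interface Serial1/0
 ip address 192.0.2.1 255.255.255.252
 crypto map SITE-B
!
! Site B mirrors the ACL with source and destination swapped:
!  deny   ip 10.2.20.0 0.0.0.255 10.1.20.0 0.0.0.255
!  permit ip 10.2.10.0 0.0.0.255 10.1.10.0 0.0.0.255
```

`show crypto ipsec sa` should show the encaps/decaps counters rising for data flows only. Any new subnet that is not added to the permit entries at both ends crosses the link unencrypted.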
