DMVPN w/ IPsec - interesting traffic

Sep 7th, 2010

We have set up a DMVPN hub and spoke configuration with IPsec enabled. This setup works very well.

I noticed when configuring a simple point-to-point VPN with IPsec [without DMVPN, just a simple point-to-point encrypted virtual link], you needed to specify "interesting traffic" to determine which data would be sent to the encryption/decryption engine.


With DMVPN, it appears all traffic is encrypted and there is no way to utilize "interesting traffic" ACLs.


Is there a way to enable "interesting traffic" ACLs with IPsec on DMVPN or is it all or nothing?


I can post the config(s) if desired.

Tks

Frank

Giuseppe Larosa Tue, 09/07/2010 - 12:27

Hello Frank,


The objective of mGRE is to provide a virtual flat subnet to run a routing protocol over it.


So there is no "interesting traffic" to be defined.


However, the use of multiple routing protocols (at least different processes), the one used on the WAN and the one used on the mGRE, allows for protection of traffic LAN to LAN between specific subnets.

This still allows unprotected traffic to be sent between other IP subnets that are not advertised over the mGRE but are advertised over the WAN links in "clear text".

So it becomes a question of routing policies.


Hope to help

Giuseppe
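
The routing-policy approach described in the answer above, as an added illustration that is not configuration posted by anyone in this thread: a constructed DMVPN spoke where one LAN is advertised over the mGRE tunnel and another only over the WAN. All addresses, interface names, process numbers, profile names and the key are placeholder assumptions.

```cisco
! Constructed example: every address, name and number below is a placeholder.
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-KEY address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set TS
!
! No crypto ACL anywhere: the profile protects the GRE packets this
! tunnel produces, so the routing table decides what gets encrypted.
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1
 ip nhrp map 10.0.0.1 192.0.2.1
 ip nhrp map multicast 192.0.2.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROF
!
interface GigabitEthernet0/0
 description WAN (clear-text path)
 ip address 198.51.100.2 255.255.255.252
interface GigabitEthernet0/1
 description LAN that must be protected
 ip address 172.16.10.1 255.255.255.0
interface GigabitEthernet0/2
 description LAN allowed to cross the WAN unencrypted
 ip address 172.16.20.1 255.255.255.0
!
! Routing process over the mGRE: remote sites learn 172.16.10.0/24 via
! Tunnel0, so traffic between protected LANs is encrypted.
router eigrp 100
 network 10.0.0.0 0.0.0.255
 network 172.16.10.0 0.0.0.255
!
! Separate routing process on the WAN: 172.16.20.0/24 is advertised only
! here, so it is never routed into the tunnel and is sent in clear text.
router ospf 1
 network 198.51.100.0 0.0.0.3 area 0
 network 172.16.20.0 0.0.0.255 area 0
```

To check which path a destination takes, `show ip route <prefix>` shows whether the next hop is via Tunnel0, and the encaps/decaps counters in `show crypto ipsec sa` should rise only for traffic routed through the tunnel.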

webbb6656 Sat, 04/09/2016 - 14:07
So, in other words, anything that gets routed via the mGRE tunnel is considered interesting traffic, yes?
