Cisco Support Community
ASK THE EXPERT - GROUP ENCRYPTED TRANSPORT VPN

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn how to encrypt any-to-any IP and Multiprotocol Label Switching networks with Cisco expert Anand Nuggihalli. Anand is the product manager for Cisco Virtual Office. Nuggihalli has been with Cisco for more than 10 years, promoting Cisco IOS software based strategy and services including VPN, security, and Data-Link Switching Plus (DLSw+). Nuggihalli holds a bachelor of technology degree from Indian Institute of Technology, Madras, and a postgraduate diploma in management from Indian Institute of Management, Calcutta.

Remember to use the rating system to let Anand know if you have received an adequate response.

Anand might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through May 8, 2009. Visit this forum often to view responses to your questions and the questions of other community members.

12 REPLIES
New Member

Re: ASK THE EXPERT - GROUP ENCRYPTED TRANSPORT VPN

Will IPsec SA packets be handled by the VAM2+ card or by the Network Processor (NPE-G1/G2) in a 7206VXR router?

Cisco Employee

Re: ASK THE EXPERT - GROUP ENCRYPTED TRANSPORT VPN

Hello Umang, on Cisco 7200 routers you have two options: VAM2+ with NPE-G1/G2, and VSA with NPE-G2. VSA costs more upfront, but offers better price-to-performance. Using the NPE itself for IPsec is not recommended.

Thanks, Anand

Silver

Re: ASK THE EXPERT - GROUP ENCRYPTED TRANSPORT VPN

So if I have Internet connections between locations that do not support routing of multicast traffic, does it mean that GET VPN is only beneficial if we have a private WAN?

Cisco Employee

Re: ASK THE EXPERT - GROUP ENCRYPTED TRANSPORT VPN

Yes, GET VPN is for private WANs. If you have Internet-facing links, you can look into connecting them using DMVPN.

New Member

Re: ASK THE EXPERT - GROUP ENCRYPTED TRANSPORT VPN

Hi Anand, I'm checking out features of GET VPN currently, so I thought I'd take this opportunity to ask a few questions.

Running phase 1.1, 12.4(15)T8 ...

Changing an encryption SA ACL on the Key Server does not get changed on the GM unless a reauthentication takes place, i.e. clear crypto gdoi. Will a TEK rekey (typically 1-24 hours) cause the changed ACL to be sent to the GM? Is there any way to force the ACL download from the Key Server?

Thanks

Mick

Cisco Employee

Re: ASK THE EXPERT - GROUP ENCRYPTED TRANSPORT VPN

Hi Mick, please see http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_encrypt_trns_vpn.html#wp1150130. Table 1 lists the various commands and their expected behavior. In short, depending on the specific change, a rekey may or may not be sent; independent of this, changes may take effect immediately or at TEK expiry.

For ACLs specifically, changing them will result in rekey being sent out and changes become effective at the GMs immediately. If you delete them however, the behavior is a bit different. Please refer to the last column in the above table.

In general, if you require changes to take effect immediately, it would be best if you time the configuration activity just before the next rekey.

Hope that helps. Please email me if you have any questions.

Thanks, Anand

New Member

Re: ASK THE EXPERT - GROUP ENCRYPTED TRANSPORT VPN

Hi Anand, another question using (phase 1.1) 12.4(15)T8. I would like to use multiple Key Servers, but phase 1.2, 12.4(22)T onwards, promises better functionality for COOP Key Servers. I tried to use 12.4(22)T but COOP does not work properly yet. Is it worth staying with 15T8 or can we expect fixes in a 12.4(22)TX version soon?

Thanks

Mick

Cisco Employee

Re: ASK THE EXPERT - GROUP ENCRYPTED TRANSPORT VPN

Hi Mick, 15T8 is recommended if you require mainline quality. You can use multiple KS reliably with 15T8 as well, although 22T does have some extra features. There was one issue with COOP KS that will be fixed in 22T2 target end June 2009.

Can you please send me an email describing the issues you are seeing with 22T? My email is anuggiha at cisco.

Thanks, Anand

New Member

Re: ASK THE EXPERT - GROUP ENCRYPTED TRANSPORT VPN

Hi there.

Is it possible to encapsulate SNA/DLSw traffic over a site-to-site VPN, maybe using GRE?

Cisco Employee

Re: ASK THE EXPERT - GROUP ENCRYPTED TRANSPORT VPN

Hi Joe, yes it is.

New Member

Re: ASK THE EXPERT - GROUP ENCRYPTED TRANSPORT VPN

Could you send me a link to configure this type of setup? Specifically I am looking for configurations of a site-to-site VPN transporting SNA traffic.

Thanks

Cisco Employee

Re: ASK THE EXPERT - GROUP ENCRYPTED TRANSPORT VPN

Hi Joe, we have not published this yet. Depending on the complexity of your requirement, you may want to schedule a CPOC. Please email me, anuggiha at cisco, and I'll share some guidelines.
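One way to build what Joe asked about, added here as an illustration; it is not something Anand or Cisco published in this thread. DLSw+ peers over a GRE tunnel that IPsec tunnel protection encrypts, so the SNA sessions cross the WAN inside ESP. All addresses, names and the pre-shared key are assumptions, and the remote site mirrors this with the addresses swapped.

```cisco
! Added example (not from the thread). Site A router; site B is the mirror
! image. Addresses, names and the key are assumptions.
!
! IKE phase 1 to the remote site's public address.
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-PSK address 203.0.113.2
!
! Transport mode is enough: GRE already supplies the outer IP header.
crypto ipsec transform-set SNA-TS esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile SNA-PROFILE
 set transform-set SNA-TS
!
! GRE tunnel between the two public addresses, encrypted by the profile.
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source 203.0.113.1
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile SNA-PROFILE
!
! Stable DLSw+ peer identity, reachable only through the tunnel.
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
ip route 10.255.0.2 255.255.255.255 Tunnel0
!
! DLSw+ carries SNA (LLC2) over TCP between the two loopbacks. Because the
! only route to the remote peer points into Tunnel0, every DLSw+ packet is
! GRE-encapsulated and then ESP-encrypted.
dlsw local-peer peer-id 10.255.0.1
dlsw remote-peer 0 tcp 10.255.0.2
dlsw bridge-group 1
!
! Ethernet-attached SNA devices are picked up by transparent bridging into
! bridge group 1 (Token Ring would use source-route bridging instead).
interface Ethernet0/0
 bridge-group 1
bridge 1 protocol ieee
!
! Verification (exec mode):
!   show dlsw peers
!   show crypto ipsec sa
!   show crypto session
```

DLSw+ is itself a TCP encapsulation, so GRE is not strictly required; its value here is that a single route into the tunnel guarantees the DLSw+ peering, and with it all SNA traffic, takes the encrypted path, with no chance of a clear-text fallback if a more specific route appears.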
