Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
626
Views
0
Helpful
4
Replies

GRE and IPSec

karl.jones
Level 1
Level 1

‎01-23-2003 09:37 AM - edited ‎02-21-2020 12:18 PM

Hi All

I have discussed with my reseller about creating VPN intranets, and he said that if we needed to route between spoke sites, implement GRE with IPSEC. We was going to use a pix515e to terminate RAS VPN's, Intranet VPN's and extranet VPN's but I beleive that you cant route from one spoke site to another spoke site through a hub pix. Hence the recommendation of GRE/IPSEC into a 3600 router at the hub site. Is this the correct recommendation for Intranet VPN's or can we get it done through the pix, we are using EIGRP on the WAN and for corporate remote sites would like to integrate the RP over VPN/3DES.

We will also be implementing extranet VPN's, and I beleive these would be better connecting to the pix?.

Thanks in advance

KJ

Labels:
0 Helpful
4 Replies 4

gfullage
Cisco Employee
Cisco Employee

‎01-23-2003 05:40 PM

The PIX won't do GRE/IPSec, nor will you be able to use the PIX as a hub and have spoke-to-spoke communication thru it, so a 3600 is probably the better option in your case.

If by "extranet VPN's" you mean external VPn connection across the Internet, you can terminate these into either the PIX or the 3600, doesn't really matter. If you need routing over these though, you'll have to use the 3600 with GRE/IPSec.

0 Helpful

karl.jones
Level 1
Level 1
In response to gfullage

‎01-26-2003 12:17 PM

Hi

Thanks for reply. I beleive you can terminate the GRE tunnel between a spoke router and a router at the CO behind the hub pix, so the pix is essentially allowing passthru of the gre tunnel. If this is the case, If I am creating gre tunnels from spoke routers to the router behind the hub pix, will the spoke routers be able to communicate going through the pix. If no, how come?

I am sure I need a router here but am confured as to why

Regards

0 Helpful

vcjones
Level 5
Level 5
In response to karl.jones

‎01-26-2003 07:53 PM

No problem communicating spoke router through hub pix to hub router through hub pix to another spoke router. The PIX just sees two GRE tunnels running through its IPsec tunnels and has no idea what the real destination of any of the tunneled traffic is. What you cannot do is go from spoke router to hub pix back out the same interface on the PIX. You have go through the PIX and make the "U turn" in an inside router.

You've already read the white paper on redundant VPN routing on my web site (you seem to be doing a lot of VPN routing, or at least posting lots of questions, so I will not repeat answers I've already posted to your prior questions). But in this environment, the BGP approach would only work if you implemented a full mesh of IPsec tunnels (so the spokes could communicate directly). To get a good handle on what is happening, walk through a packet going from site to site and see what each box sees, including source and destination address of the packets going into and out of each box. With an hour or two of effort, you'll see that the rules are really quite simple and the consequent limitations are "obvious."

Good luck and have fun!

Vincent C Jones

www.networkingunlimited.com

0 Helpful

karl.jones
Level 1
Level 1
In response to vcjones

‎01-27-2003 02:19 AM

Thankyou for your answers,

Best regards

KJ

0 Helpful
Customers Also Viewed These Support Documents