Cisco Support Community
Community Member

TED V3 and original source address in explorer packets

I was wondering if there is any interest in changing the current behaviour in Tunnel Endpoint Discovery, where the explorer packet uses the source address of the protected host rather than the address of the crypto router that is initiating the explorer packet.

The reason I ask is that we have a number of networks where remote sites/routers regularly poll a central site, and because tunnel initiation is always one way, we could use TED with private addresses at those sites and have the tunnels successfully build. The only problem is, given the existing behaviour with TED, the explorer packets are blocked by carriers because they are sourced from private address ranges.

I understand that the current option came about because of some issues that were encountered with routing asymmetry between the protected host and the crypto routers, but I'm not sure how common an issue that would be in most networks. At the moment, for remote sites with only one public address on the crypto router, the workarounds we use involve NAT and some extensive protocol/port based crypto ACLs, which destroys a lot of the flexibility of TED and generates a lot of SAs.

Before anyone asks, GRE of any flavour is not an option.
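The workaround described in the post (NAT to the router's single public address plus narrow, port-specific crypto ACL entries so the explorer is sourced from a routable address), shown as an added IOS configuration fragment. This is an illustration written for this page, not configuration from the original poster; every address, ACL number, map name and interface name is hypothetical, and the services polled (443, 161, 22) are assumed.

```cisco
! Hypothetical remote-site router; all names and addresses are assumed
! Inside hosts use private space and are NATed to the router's own public address
interface FastEthernet0/0
 ip address 10.20.1.1 255.255.255.0
 ip nat inside
!
interface Serial0/0
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
 crypto map TEDMAP
!
ip nat inside source list 10 interface Serial0/0 overload
access-list 10 permit 10.20.1.0 0.0.0.255
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
! Wildcard key: with TED the peer address is learned from the explorer reply
crypto isakmp key EXAMPLEKEY address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
! What TED is meant to allow: one broad entry, peer discovered per flow
! (unusable here, because the explorer would be sourced from 10.20.1.x)
access-list 110 permit ip 10.20.1.0 0.0.0.255 10.1.0.0 0.0.255.255
!
! The workaround: NAT runs before crypto on egress, so the crypto ACL sees the
! public source. Each service polled at the hub needs its own entry, and each
! entry negotiates its own pair of IPsec SAs.
access-list 120 permit tcp host 198.51.100.2 host 203.0.113.5 eq 443
access-list 120 permit udp host 198.51.100.2 host 203.0.113.5 eq 161
access-list 120 permit tcp host 198.51.100.2 host 203.0.113.5 eq 22
!
crypto dynamic-map DYN 10
 set transform-set TS
 match address 120
!
! "discover" enables TED on the map; the remote site always initiates
crypto map TEDMAP 10 ipsec-isakmp dynamic DYN discover
```

Access list 110 is the form TED is designed for and is left in only to contrast with 120; with the behaviour the post describes, an explorer for a flow matching 110 would carry the private 10.20.1.x source and be dropped upstream, which is why the narrower 120 is bound to the dynamic map instead.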

Cisco Employee

Re: TED V3 and original source address in explorer packets

I can't really speak for the developers but I don't believe much, if any work is being done on TED nowadays. I think Multipoint GRE is probably the preferred option in 12.2T code now (I understand you can't use this though).

As with any new enhancement request, all I can say is to contact your Account Manager and have him raise a business case for it. It will then be looked at through the proper channels and acted upon.
