12-02-2005 03:49 AM - edited 03-09-2019 01:14 PM
Hello,
I have two sites and both of them have access to the Internet. Now I have to
make a tunnel between them so that hosts with private IP addresses can
communicate directly without NAT.
1) Which is the best solution to use (GRE, L2TP or something else)?
2) Is it feasible that I have addresses from the same network on both sides
(i.e. 10.10.0.0/16)?
3) If I use GRE do I need one more public IP address from my provider on the
interface towards the Internet (for the tunnel)?
4) Is it possible to use the same connection and IP address towards my ISP,
and to tunnel only specific private addresses (i.e. 10.10.0.0) towards my
remote site? Of course all other IP addresses have to be routed to the
Internet.
Thanks
12-02-2005 06:05 AM
Antonio
There are several approaches which you might consider. Probably the most simple is to do GRE tunnels between the sites. GRE would allow you to send traffic between the sites without needing to translate addresses. GRE would allow you to run a routing protocol between the sites. A routing protocol would allow you to have addresses in the same address range at both sites as long as they do not overlap. By overlap I mean for example to have 10.10.5.0/25 at site 1 and also have the same subnet at site 2. In this case the only solution is to translate addresses.
GRE would allow the sites to communicate but does not provide much protection for the traffic. Depending on whether you need to provide protection for the traffic between sites you might want to consider IPSec which can provide protection. Until very recent releases IPSec would transport only unicast IP traffic which meant that you could not run a dynamic routing protocol over IPSec. Very recent releases allow routing protocols over IPSec. I have not yet had experience with this new feature so cannot advise how well it works.
The traditional solution if you want protection for traffic and want a routing protocol has been to run IPSec with GRE tunnels. I have done a lot of this and it works quite well.
Whether it is GRE, IPSec, or IPSec with GRE you will need public IP addresses at the edge of both sites.
And with any of these solutions you can exchange traffic between sites and route other traffic to the Internet.
HTH
Rick
12-02-2005 09:56 PM
1) Yes, one public IP for tunnel source and destination.
2) Yes, have a default route to the link to the Internet and the private IPs of the remote sites to the GRE tunnel. No need for an access-list, as GRE is a logical interface, unlike IPSec which is virtual.
3) This is a good link to get you started with GRE over IPsec:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094bff.shtml
Gautam
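The setup Rick and Gautam describe (GRE over IPsec, one public address per site used for both Internet access and the tunnel, a default route to the ISP and only the remote private range steered into the tunnel) as an added Cisco IOS configuration example. This is not from the thread or from the linked Cisco document; all addresses are constructed (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges), the pre-shared key is a placeholder, and it assumes an IOS release that supports `tunnel protection` with AES-256 and SHA-256. Site 1 holds 10.10.0.0/17 and site 2 holds 10.10.128.0/17, so both sites live in 10.10.0.0/16 without overlapping subnets, which is exactly the condition Rick gives.

```cisco
! ---- Site 1 router (R1) -- constructed example addressing ----
! Outside: 203.0.113.2/30, ISP gateway 203.0.113.1
! Inside LAN: 10.10.0.0/17
! Peer: 198.51.100.2, remote LAN: 10.10.128.0/17
!
! IKE phase 1 policy and the pre-shared key for the peer
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 198.51.100.2
!
! IPsec transform protecting the GRE packets. Transport mode is
! sufficient because GRE already supplies the outer IP header.
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
interface GigabitEthernet0/0
 description Outside - the single public address, used for Internet and tunnel
 ip address 203.0.113.2 255.255.255.252
!
interface GigabitEthernet0/1
 description Inside LAN, site 1 half of 10.10.0.0/16
 ip address 10.10.0.1 255.255.128.0
!
! GRE tunnel sourced from the outside interface; tunnel protection
! encrypts it with the IPsec profile above.
interface Tunnel0
 description GRE over IPsec to site 2
 ip address 172.16.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.2
 tunnel protection ipsec profile GRE-PROT
!
! Default route to the ISP for everything else; only the remote
! private range is routed across the tunnel. No access-list is
! needed: the route decides what is encapsulated.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 10.10.128.0 255.255.128.0 172.16.0.2
!
! ---- Site 2 router (R2) -- the mirror image; only differing lines ----
! crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.2
! interface GigabitEthernet0/0
!  ip address 198.51.100.2 255.255.255.252
! interface GigabitEthernet0/1
!  ip address 10.10.128.1 255.255.128.0
! interface Tunnel0
!  ip address 172.16.0.2 255.255.255.252
!  tunnel destination 203.0.113.2
! ip route 0.0.0.0 0.0.0.0 198.51.100.1
! ip route 10.10.0.0 255.255.128.0 172.16.0.1
!
! Verification: "show crypto isakmp sa" (state QM_IDLE),
! "show crypto ipsec sa" (encaps/decaps counters rising),
! "show interfaces tunnel 0" (line protocol up).
```

The static routes can be replaced by a routing protocol running across Tunnel0 (as Rick describes) since GRE carries multicast, which is also what makes the same /16 workable on both sides as long as the subnets differ. The tunnel destination must stay reachable through the default route and never through the tunnel itself, otherwise the tunnel flaps with recursive routing. Because the IPsec profile is bound to the tunnel, no separate crypto map or access-list is needed on the outside interface; the ISP-facing address still carries ordinary Internet traffic as before.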
12-02-2005 04:34 AM
1) GRE is the best.
2) Yes, you can have the same address range as long as they don't clash.
3) As both sides have Internet and assuming you have static public IPs, you can create GRE using those IPs. No extra IPs needed.
4) Yes, you can do it.
12-02-2005 07:13 AM
Thank you.
So there is no chance that two sites have layer 2 connectivity over the Internet whichever tunnelling technique is in use? I.e. two sites both have the 10.10.10.0/24 network, and on one site a host has address 10.10.10.2 and on the other site a host has address 10.10.10.3. And they can communicate without using NAT?
12-02-2005 07:04 AM
Thanks a lot.
I can use only one public address on each site for both Internet access and the GRE tunnel? And traffic is routed toward the Internet or to the other site by static routing? (Or maybe the differentiation can be made with an access list? I know that this can be done for IPSec.) I was trying to find some configuration guide for GRE on the Cisco site but I was unable to find anything useful.
Thanks again
Antonio
12-03-2005 04:21 AM
Yes, there is L2TP tunneling as well. This is known as L2TP client-initiated tunneling. It may help you.
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801a7592.html