Cisco Support Community
New Member

L3VPN and IPsec

I have to ask if someone has any literature about how to make an L3VPN and use IPsec to encrypt traffic between L3VPN end nodes.

Thank you.

Petar

1 ACCEPTED SOLUTION
Cisco Employee

Petar,

For CE-CE we typically recommend GETVPN, still IPsec with GDOI for the control plane. It does encrypt the IP header, but it preserves the original header.

Vide: 

http://www.cisco.com/c/dam/en/us/products/collateral/security/group-encrypted-transport-vpn/prod_presentation0900aecd80582031.pdf

slide 9.

 

M.

7 REPLIES

Hi Petar,

I guess this is a very typical kind of solution... we can have L3VPN over GRE... but you are looking for L3VPN over GRE over IPsec. I guess it should not be an ideal solution to go with... but let me check whether we are able to do it...

 

Regards

Karthik

New Member

Maybe you didn't understand me, or maybe I asked the wrong question. The situation is as follows:

I need to connect customer sites (L3VPN) and encrypt traffic between those sites with IPsec. Is it possible, or is there some other solution?

Best regards,

Petar

Cisco Employee

Petar,

 

Are you talking about CE-CE or PE-PE encryption? 

Are we talking about encryption of "last mile" or end to end?

Are we talking about encrypting customer traffic or links?  

 

M.

New Member

Hi Marcin Latosiewicz and nkarthikeyan,

We are talking about encrypting traffic between CE-CE routers, and encrypting customer traffic (just payload). In this case, I think that we are not talking about IPsec tunnels; we are talking just about encryption of traffic (payload, not IP header).

Best regards,

Petar


New Member

Thank you Marcin Latosiewicz. I will try to do it like this. I get the point.

Thank you both, Marcin Latosiewicz and nkarthikeyan.

Best regards,

Petar

Hi Petar,

As per my knowledge we cannot do it, even though I can see the related IETF record for the same. But in a real-time scenario we do not have a possible solution.

http://tools.ietf.org/html/draft-ietf-l3vpn-rfc2547bis-03

We can have the L3VPN using a GRE tunnel, but I am not sure we can have IPsec protection for the same.

 

Regards

Karthik
