07-16-2013 10:51 PM - edited 02-21-2020 07:01 PM
Hi to everyone,
Could someone please tell me if site-to-site IPSec VPNs (not GRE over IPSec) support routing protocols?
Thank you.
07-16-2013 11:14 PM
Hi,
Well, Site to Site does not support multicast traffic.
http://www.ietf.org/rfc/rfc2401.txt
4.1 Definition and Scope
A Security Association (SA) is a simplex "connection" that affords
security services to the traffic carried by it. Security services
are afforded to an SA by the use of AH, or ESP, but not both. If
both AH and ESP protection is applied to a traffic stream, then two
(or more) SAs are created to afford protection to the traffic stream.
To secure typical, bi-directional communication between two hosts, or
between two security gateways, two Security Associations (one in each
direction) are required.
A security association is uniquely identified by a triple consisting
of a Security Parameter Index (SPI), an IP Destination Address, and a
security protocol (AH or ESP) identifier. In principle, the
Destination Address may be a unicast address, an IP broadcast
address, or a multicast group address. However, IPsec SA management
mechanisms currently are defined only for unicast SAs.
The only possible mechanism is to use GRE over IPSec.
I hope this helps.
Regards,
Abhishek Purohit
CCIE-S- 35269
07-16-2013 11:24 PM
Thank you very much for your help!
Is this type of VPN layer 2 or layer 3?
07-16-2013 11:28 PM
Cheers !!!!!!
Regards,
Abhishek Purohit
CCIE-S- 35269
07-16-2013 11:31 PM
One last question please. Is this type of VPN layer 2 or layer 3?
07-16-2013 11:32 PM
IPSec is a Layer 3 VPN... Works on IP.
Layer 2 VPNs are L2TP and PPTP.
Cheers!!!
Regards,
Abhishek Purohit
CCIE-S- 35269
07-16-2013 11:34 PM
Thank you very much for your quick reply.
As far as I know, L2TP and PPTP are both used for VPDNs. Is that correct?
07-16-2013 11:35 PM
Yes. That's correct.
Regards,
Abhishek Purohit
CCIE-S- 35269
07-16-2013 11:36 PM
Thank you very much for all. I appreciate your help!
07-16-2013 11:38 PM
Have a good day mate.
Regards,
Abhishek Purohit
CCIE-S- 35269
07-17-2013 04:56 AM
However, IPsec SA management mechanisms currently are defined only for unicast SAs
Plus, if we're talking about ASA, dynamic routing is possible without GRE through the site-to-site tunnel (at least for OSPF) with explicit neighbour statements. But both endpoints should be ASAs.
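To make the reasoning in this thread concrete, here is a small Python model added for illustration (not posted by anyone in the thread and not Cisco code). It treats the crypto ACL of a site-to-site tunnel as RFC 2401 selectors, applies the rule that SAs exist only for unicast destinations, and checks the three cases discussed: native OSPF hellos, OSPF wrapped in GRE, and the ASA-style unicast neighbour. The addresses are constructed documentation prefixes, and the ASA case is modelled simply as OSPF sent unicast to the peer address.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

GRE, OSPF = 47, 89               # IP protocol numbers
OSPF_ALL_ROUTERS = "224.0.0.5"   # multicast group used by OSPF hellos

@dataclass(frozen=True)
class Selector:
    """One SPD entry: the traffic (crypto ACL line) an IPsec SA may carry."""
    src: str                     # CIDR, e.g. "10.1.0.0/24"
    dst: str
    proto: Optional[int] = None  # None = any IP protocol

    def matches(self, src, dst, proto):
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and self.proto in (None, proto))

def classify(selectors, src, dst, proto):
    """Return how one packet fares against the SAs of a site-to-site tunnel."""
    if ipaddress.ip_address(dst).is_multicast:
        # RFC 2401 4.1: SA management is defined only for unicast SAs, so no
        # SA can be negotiated for a multicast destination at all.
        return "no-sa-for-multicast"
    if any(s.matches(src, dst, proto) for s in selectors):
        return "protected"
    return "no-selector-match"

# Constructed topology: LANs 10.1.0.0/24 and 10.2.0.0/24 behind VPN peers
# 192.0.2.1 and 198.51.100.1 (documentation addresses, not real sites).
PLAIN_S2S = [Selector("10.1.0.0/24", "10.2.0.0/24")]
GRE_OVER_IPSEC = [Selector("192.0.2.1/32", "198.51.100.1/32", GRE)]
ASA_UNICAST_OSPF = [Selector("10.1.0.0/24", "10.2.0.0/24"),
                    Selector("192.0.2.1/32", "198.51.100.1/32", OSPF)]

def demo():
    return {
        # native OSPF hello on a plain tunnel: multicast, so never protected
        "plain_ospf_hello": classify(PLAIN_S2S, "10.1.0.1", OSPF_ALL_ROUTERS, OSPF),
        # same hello inside GRE: outer packet is unicast peer-to-peer, proto 47
        "gre_wrapped_hello": classify(GRE_OVER_IPSEC, "192.0.2.1", "198.51.100.1", GRE),
        # ASA explicit neighbour: OSPF sent as unicast to the peer, and the
        # crypto ACL must list that unicast OSPF traffic as interesting
        "asa_unicast_hello": classify(ASA_UNICAST_OSPF, "192.0.2.1", "198.51.100.1", OSPF),
        # unicast OSPF with a crypto ACL that only lists the LANs: not carried
        "unicast_hello_not_in_acl": classify(PLAIN_S2S, "192.0.2.1", "198.51.100.1", OSPF),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:26s} -> {verdict}")
```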
07-18-2013 01:59 AM
Hi, thank you very much for your help. Could you please tell me why this .doc file shows EIGRP being used over an IPSec VPN? Is it something I'm not understanding? Is it possible to route traffic between the serial interfaces?