Site to site VPN IPSec

Hi to everyone,

Could someone please tell me whether routing protocols are supported on site-to-site IPsec VPNs (not GRE over IPsec)?

Thank you.

Accepted Solution

Hi,

Well, Site to Site does not support multicast traffic.

http://www.ietf.org/rfc/rfc2401.txt

4.1 Definition and Scope

   A Security Association (SA) is a simplex "connection" that affords
   security services to the traffic carried by it.  Security services
   are afforded to an SA by the use of AH, or ESP, but not both.  If
   both AH and ESP protection is applied to a traffic stream, then two
   (or more) SAs are created to afford protection to the traffic stream.
   To secure typical, bi-directional communication between two hosts, or
   between two security gateways, two Security Associations (one in each
   direction) are required.

   A security association is uniquely identified by a triple consisting
   of a Security Parameter Index (SPI), an IP Destination Address, and a
   security protocol (AH or ESP) identifier.  In principle, the
   Destination Address may be a unicast address, an IP broadcast
   address, or a multicast group address.  However, IPsec SA management
   mechanisms currently are defined only for unicast SAs.

The only possible mechanism is to use GRE over IPSec.

I hope this helps.

Regards,
Abhishek Purohit
CCIE-S- 35269


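The accepted answer above says that a plain site-to-site IPsec SA is unicast-only and that routing protocols (whose hellos are multicast, e.g. EIGRP to 224.0.0.10) therefore need GRE over IPsec. The configuration below is an added example of exactly that on Cisco IOS; it is not from the original post or from any Cisco document. The addresses, names (GRE-TS, GRE-PROT, EIGRP-KEYS), the EIGRP AS number and the key placeholders are all hypothetical; IOS 15.x syntax is assumed.

```cisco
! Router A (addresses are hypothetical, chosen for this example)
!   outside: 203.0.113.1   LAN: 10.1.1.0/24   tunnel: 172.16.0.1/30
! Router B mirrors this with 198.51.100.1 / 10.2.2.0/24 / 172.16.0.2/30
!
! Phase 1 (IKEv1) - replace the pre-shared key placeholder
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 198.51.100.1
!
! Phase 2: transport mode is sufficient because GRE already supplies
! the outer IP header, so there is no need to tunnel the tunnel
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
! Authenticate the routing adjacency so that anything able to reach the
! tunnel end cannot inject routes (hypothetical key chain name)
key chain EIGRP-KEYS
 key 1
  key-string REPLACE-WITH-EIGRP-KEY
!
! The GRE tunnel is the only thing the IPsec SA protects: with tunnel
! protection the SA selector is "gre host 203.0.113.1 host 198.51.100.1",
! a unicast pair. EIGRP hellos to 224.0.0.10 travel inside the GRE payload
! and never have to match an IPsec selector themselves.
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
 tunnel source 203.0.113.1
 tunnel destination 198.51.100.1
 tunnel mode gre ip
 tunnel protection ipsec profile GRE-PROT
!
! EIGRP runs over the tunnel subnet like any other point-to-point link
router eigrp 100
 network 10.1.1.0 0.0.0.255
 network 172.16.0.0 0.0.0.3
 no auto-summary
```

Once both routers are configured, `show crypto ipsec sa` shows the SA identities as the GRE traffic between the two outside addresses, and `show ip eigrp neighbors` lists the peer's tunnel address on Tunnel0. The `ip mtu` / `adjust-mss` lines account for the GRE plus ESP overhead so that large packets are not fragmented after encryption.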

11 Replies

Thank you very much for your help!

Is this type of VPN layer 2 or layer 3?

Cheers !!!!!!

Regards,
Abhishek Purohit
CCIE-S- 35269


One last question please....Is this type of VPN layer 2 or layer 3?

IPsec is a Layer 3 VPN... it works on IP.

Layer 2 VPNs are L2TP and PPTP.

Cheers!!!

Regards,
Abhishek Purohit
CCIE-S- 35269


thank you very much for your quick reply.

As far as I know, L2TP and PPTP are both used for VPDNs. Is that correct?

Yes. That's correct.

Regards,
Abhishek Purohit
CCIE-S- 35269


Thank you very much for all. I appreciate your help!

Have a good day mate.

Regards,
Abhishek Purohit
CCIE-S- 35269


However, IPsec SA management mechanisms currently are defined only for unicast SAs

Plus, if we're talking about ASA, dynamic routing is possible without GRE through the site-to-site tunnel (at least for OSPF) with explicit neighbour statements. But both endpoints should be ASAs.
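The ASA variant mentioned above (OSPF across a site-to-site tunnel without GRE, using static neighbour statements) is shown below as an added example; it is not the poster's configuration. With a static neighbour the ASA sends OSPF hellos as unicast to the peer's outside address instead of multicast to 224.0.0.5, so they can match a normal unicast crypto ACL entry. All addresses and object names are hypothetical and ASA 8.4+ syntax is assumed; the peer ASA needs the mirror-image configuration.

```cisco
! ASA A (hypothetical): outside 203.0.113.1/24, inside 10.1.1.0/24
! Peer ASA B (hypothetical): outside 198.51.100.1, inside 10.2.2.0/24
!
! The crypto ACL must cover the OSPF unicast packets between the two
! outside addresses as well as the LAN-to-LAN traffic; if the OSPF line
! is missing the hellos are not encrypted and the adjacency never forms.
access-list L2L_CRYPTO extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list L2L_CRYPTO extended permit ospf host 203.0.113.1 host 198.51.100.1
!
! Ordinary IKEv1 site-to-site tunnel (replace the pre-shared key placeholder)
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set L2L_TS esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L_CRYPTO
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set ikev1 transform-set L2L_TS
crypto map OUTSIDE_MAP interface outside
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-STRONG-PSK
!
! Treat the outside interface as point-to-point non-broadcast for OSPF so
! that hellos go unicast to the statically configured neighbour
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
 ospf network point-to-point non-broadcast
!
router ospf 1
 network 10.1.1.0 255.255.255.0 area 0
 network 203.0.113.0 255.255.255.0 area 0
 neighbor 198.51.100.1 interface outside
```

After both sides are up, `show ospf neighbor` should list 198.51.100.1 in FULL state on the outside interface, and `show crypto ipsec sa` shows a separate SA pair for the OSPF traffic (protocol 89) next to the LAN-to-LAN one, because each crypto ACL line produces its own selector.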

Hi, thank you very much for your help. Could you please tell me why this .doc file shows EIGRP being used over an IPsec VPN? Is it something I'm not understanding? Is router communication between the serial interfaces possible?

Chapter 8 Lab A, Configuring a Site-to-Site VPN Using Cisco

http://www.google.gr/#output=search&sclient=psy-ab&q=Chapter+8+Lab+A%2C+Configuring+a+Site-to-Site+VPN+Using+Cisco+IOS+and+SDM+Instructor+Version&oq=Chapter+8+Lab+A%2C+Configuring+a+Site-to-Site+VPN+Using+Cisco+IOS+and+SDM+Instructor+Version&gs_l=hp....