
Site to site VPN IPSec

Hi to everyone,

Could someone please tell me if routing protocols are supported on site-to-site IPSec (not GRE over IPSec) VPNs?

Thank you.

1 ACCEPTED SOLUTION

New Member

Site to site VPN IPSec

Hi,

Well, Site to Site does not support multicast traffic.

http://www.ietf.org/rfc/rfc2401.txt

4.1 Definition and Scope

   A Security Association (SA) is a simplex "connection" that affords
   security services to the traffic carried by it.  Security services
   are afforded to an SA by the use of AH, or ESP, but not both.  If
   both AH and ESP protection is applied to a traffic stream, then two
   (or more) SAs are created to afford protection to the traffic stream.
   To secure typical, bi-directional communication between two hosts, or
   between two security gateways, two Security Associations (one in each
   direction) are required.

   A security association is uniquely identified by a triple consisting
   of a Security Parameter Index (SPI), an IP Destination Address, and a
   security protocol (AH or ESP) identifier.  In principle, the
   Destination Address may be a unicast address, an IP broadcast
   address, or a multicast group address.  However, IPsec SA management
   mechanisms currently are defined only for unicast SAs.

The only possible mechanism is to use GRE over IPSec.

I hope this helps.

Regards,
Abhishek Purohit
CCIE-S- 35269

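GRE over IPSec, the mechanism the accepted answer points to, as an added example that is not code from this thread or from Cisco's documentation: one router's IOS configuration, with constructed addresses, interface and profile names, a placeholder pre-shared key, and an assumed IOS 15.x image for the sha256 options.

```cisco
! R1 side. Constructed example: addresses, key and names are placeholders.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.2
!
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile GRE-PROT
 set transform-set TS-AES256
!
! The GRE outer header is unicast (203.0.113.1 -> 203.0.113.2), so the
! IPsec SA only ever carries unicast packets, as RFC 2401 requires; the
! multicast routing hellos travel inside the GRE payload.
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 203.0.113.1
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile GRE-PROT
!
interface Serial0/0/0
 ip address 203.0.113.1 255.255.255.252
!
! EIGRP hellos (224.0.0.10) are sent into Tunnel0, wrapped in GRE, then
! encrypted. Do not advertise the tunnel endpoint network (203.0.113.0/30)
! through the tunnel, or the route to the peer recurses into the tunnel.
router eigrp 100
 network 10.255.0.0 0.0.0.3
 network 192.168.1.0 0.0.0.255
 no auto-summary
!
! R2 mirrors R1 with the addresses swapped:
!   crypto isakmp key ... address 203.0.113.1
!   interface Tunnel0: ip address 10.255.0.2 255.255.255.252,
!     tunnel source 203.0.113.2, tunnel destination 203.0.113.1
!   router eigrp 100: network 10.255.0.0 0.0.0.3, network 192.168.2.0 0.0.0.255
```

To check it, "show ip eigrp neighbors" should list 10.255.0.2 on Tunnel0 and "show crypto ipsec sa" should show a single unicast GRE selector (proto 47 between the two public addresses) with encaps/decaps counters rising.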
11 REPLIES

Re: Site to site VPN IPSec

Thank you very much for your help!

Is this type of VPN layer 2 or layer 3?

New Member

Site to site VPN IPSec

Cheers !!!!!!

Regards,
Abhishek Purohit
CCIE-S- 35269


Re: Site to site VPN IPSec

One last question please....Is this type of VPN layer 2 or layer 3?

New Member

Re: Site to site VPN IPSec

IPSec is a Layer 3 VPN... Works on IP.

Layer 2 VPNs are L2TP and PPTP.

Cheers!!!

Regards,
Abhishek Purohit
CCIE-S- 35269


Re: Site to site VPN IPSec

Thank you very much for your quick reply.

As far as I know, L2TP and PPTP are both used for VPDNs. Is that correct?

New Member

Re: Site to site VPN IPSec

Yes. That's correct.

Regards,
Abhishek Purohit
CCIE-S- 35269


Re: Site to site VPN IPSec

Thank you very much for all. I appreciate your help!

New Member

Re: Site to site VPN IPSec

Have a good day mate.

Regards,
Abhishek Purohit
CCIE-S- 35269


Re: Site to site VPN IPSec

"However, IPsec SA management mechanisms currently are defined only for unicast SAs."

Plus, if we're talking about ASA, dynamic routing is possible without GRE through the site-to-site tunnel (at least for OSPF) with explicit neighbour statements. But both endpoints should be ASAs.

Re: Site to site VPN IPSec

Hi, thank you very much for your help. Could you please tell me why this .doc file shows EIGRP being used over an IPSec VPN? Is it something I don't understand? Is it possible to route communication between the serial interfaces?

Chapter 8 Lab A, Configuring a Site-to-Site VPN Using Cisco

http://www.google.gr/#output=search&sclient=psy-ab&q=Chapter+8+Lab+A%2C+Configuring+a+Site-to-Site+VPN+Using+Cisco+IOS+and+SDM+Instructor+Version&oq=Chapter+8+Lab+A%2C+Configuring+a+Site-to-Site+VPN+Using+Cisco+IOS+and+SDM+Instructor+Version&gs_l=hp....
