I know that standard site-to-site IPsec VPNs cannot run routing protocols over them, but I would like to know why they cannot, e.g. what is the physical reason multicast cannot run over them? Is this due to the VPN being strictly peer to peer? This brings me to asking why, when using GRE/IPsec tunnels, multicast can run over it no problem. Is this due to the virtual interface?
In principle, IPsec can also transport multicast. The problem is more or less that the initial standards did not include much for multicast. Some quotes from relevant RFCs:
RFC 2401, Security Architecture for the Internet Protocol, section 4.1 "Definition and Scope":
In principle, the Destination Address may be a unicast address, an IP broadcast address, or a multicast group address. However, IPsec SA management mechanisms currently are defined only for unicast SAs. Hence, in the discussions that follow, SAs will be described in the context of point-to-point communication, even though the concept is applicable in the point-to-multipoint case as well.
RFC 5406, Guidelines for Specifying the Use of IPsec Version 2, section 7 "Broadcast and Multicast":
Although the designers of IPsec tried to leave room for protection of multicast traffic, a complete design wasn't finished until much later. As such, many IPsec implementations do not support multicast. [RFC5374] describes extensions to IPsec to support it. Other relevant documents include [RFC3830], [RFC3547], and [RFC4535]. Because of the delay, protocol designers who use multicast should consider the availability of these extensions in target platforms of interest.
-- Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
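To make the answer above concrete, here is an added illustration (not code from the thread or from any vendor): a toy model of a unicast-only IPsec SA selector, which rejects an OSPF hello sent to 224.0.0.5, and a GRE wrapper that gives the same packet a unicast outer header between the tunnel endpoints so it does match an SA. All addresses are constructed, and the SA model is a deliberate simplification of real selector processing.

```python
# Added illustration: why multicast (e.g. OSPF hellos) does not match a plain
# site-to-site IPsec SA, but does once GRE wraps it in a unicast outer header.
# Addresses are constructed examples; the SA model is simplified.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

PROTO_GRE, PROTO_OSPF = 47, 89


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    inner: Optional["Packet"] = None   # set when this packet is a GRE wrapper


@dataclass(frozen=True)
class UnicastSA:
    """Point-to-point IPsec SA: selectors are unicast prefixes only, mirroring
    RFC 2401's 'SA management mechanisms ... defined only for unicast SAs'."""
    local_net: str
    remote_net: str
    proto: Optional[int] = None        # None = any IP protocol

    def protects(self, pkt: Packet) -> bool:
        dst = ip_address(pkt.dst)
        if dst.is_multicast:           # no SA is negotiated for a group address
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        return (ip_address(pkt.src) in ip_network(self.local_net)
                and dst in ip_network(self.remote_net))


def gre_encapsulate(pkt: Packet, tunnel_src: str, tunnel_dst: str) -> Packet:
    """GRE adds an outer unicast IP header between the two tunnel endpoints;
    the multicast packet rides inside as opaque payload (IP protocol 47)."""
    return Packet(tunnel_src, tunnel_dst, PROTO_GRE, inner=pkt)


def demo() -> Tuple[bool, bool, bool]:
    ospf_hello = Packet("10.1.1.1", "224.0.0.5", PROTO_OSPF)      # constructed
    lan_sa = UnicastSA("10.1.1.0/24", "10.2.2.0/24")              # LAN-to-LAN SA
    gre_sa = UnicastSA("203.0.113.1/32", "198.51.100.1/32", proto=PROTO_GRE)
    wrapped = gre_encapsulate(ospf_hello, "203.0.113.1", "198.51.100.1")
    return (lan_sa.protects(ospf_hello),      # False: multicast destination
            gre_sa.protects(wrapped),         # True: unicast GRE outer header
            wrapped.inner == ospf_hello)      # True: hello intact inside GRE


if __name__ == "__main__":
    print(demo())   # (False, True, True)
```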