DMVPN w/ IPsec - interesting traffic

fsebera
Level 4

We have set up a DMVPN hub and spoke configuration with IPsec enabled. This setup works very well.

I noticed when configuring a simple point-to-point VPN with IPsec [without DMVPN, just a simple point-to-point encrypted virtual link], you needed to specify "interesting traffic" to determine which data would be sent to the encryption/decryption engine.

With DMVPN, it appears all traffic is encrypted and there is no way to utilize "interesting traffic" ACLs.

Is there a way to enable "interesting traffic" ACLs with IPsec on DMVPN or is it all or nothing?

I can post the config(s) if desired.

Tks

Frank

2 Replies

Giuseppe Larosa
Hall of Fame

Hello Frank,

The objective of mGRE is to provide a virtual flat subnet to run a routing protocol over it.

So there is no "interesting traffic" to be defined.

However, the use of multiple routing protocols (at least different processes), the one used on the WAN and the one used on the mGRE, allows for protection of traffic LAN to LAN between specific subnets.

This still allows unprotected traffic to be sent between other IP subnets that are not advertised over the mGRE but are advertised over the WAN links in "clear text".

So it becomes a question of routing policies.

Hope to help

Giuseppe
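The contrast described in this answer, as an added configuration sketch that is not part of the original thread: (A) selects traffic with a crypto ACL, while (B) protects whatever the overlay routing process sends into the mGRE tunnel. All names, AS/process numbers and addresses are constructed placeholders, and the IKE phase 1 policy and keys are assumed to be configured already.

```cisco
! Constructed example: every name and address below is a placeholder.
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
!
! (A) Point-to-point IPsec: the crypto ACL is the "interesting traffic" selector.
ip access-list extended CRYPTO-ACL
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
crypto map P2P-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address CRYPTO-ACL
! The map is then applied with "crypto map P2P-MAP" under the WAN interface.
!
! (B) DMVPN spoke: no crypto ACL. IPsec protects the GRE packets between the
! tunnel endpoints, so any packet routed into Tunnel0 is encrypted.
crypto ipsec profile DMVPN-PROF
 set transform-set TS
interface Tunnel0
 ip address 172.16.0.2 255.255.255.0
 ip nhrp network-id 1
 ip nhrp nhs 172.16.0.1
 ip nhrp map 172.16.0.1 198.51.100.1
 ip nhrp map multicast 198.51.100.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROF
!
! Overlay routing process: LANs advertised here are reached via Tunnel0
! on the remote sites, so traffic to them is encrypted.
router eigrp 100
 network 172.16.0.0 0.0.0.255
 network 10.1.1.0 0.0.0.255
!
! WAN routing process: prefixes advertised only here are reached over the
! physical interface and travel in clear text.
router ospf 1
 network 192.0.2.0 0.0.0.255 area 0
 network 10.1.99.0 0.0.0.255 area 0
```

To check which side of the policy a destination falls on, `show ip route <prefix>` shows whether it resolves via Tunnel0 or the physical interface, and the encaps counters in `show crypto ipsec sa` confirm what is actually being encrypted.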

So, in other words, anything that gets routed via the mGRE tunnel is considered interesting traffic, yes?
