Cisco Support Community
Bronze

DMVPN w/ IPsec - interesting traffic

We have set up a DMVPN hub and spoke configuration with IPsec enabled. This setup works very well.

I noticed when configuring a simple point-to-point VPN with IPsec [without DMVPN, just a simple point-to-point encrypted virtual link], you needed to specify "interesting traffic" to determine which data would be sent to the encryption/decryption engine.

With DMVPN, it appears all traffic is encrypted and there is no way to utilize "interesting traffic" ACLs.

Is there a way to enable "interesting traffic" ACLs with IPsec on DMVPN or is it all or nothing?

I can post the config(s) if desired.

Tks

Frank

2 REPLIES
Hall of Fame Super Silver

Re: DMVPN w/ IPsec - interesting traffic

Hello Frank,

The objective of mGRE is to provide a virtual flat subnet to run a routing protocol over it.

So there is no "interesting traffic" to be defined.

However, the use of multiple routing protocols (at least different processes), the one used on the WAN and the one used on the mGRE, allows for protection of traffic LAN to LAN between specific subnets.

This still allows unprotected traffic to be sent between other IP subnets that are not advertised over the mGRE but are advertised over the WAN links in "clear text".

So it becomes a question of routing policies.

Hope to help

Giuseppe

New Member

So, in other words, anything that gets routed via the mGRE tunnel is considered interesting traffic, yes?
