09-07-2010 11:58 AM - edited 03-04-2019 09:41 AM
We have set up a DMVPN hub and spoke configuration with IPsec enabled. This setup works very well.
I noticed when configuring a simple point-to-point VPN with IPsec [without DMVPN, just a simple point-to-point encrypted virtual link], you needed to specify "interesting traffic" to determine which data would be sent to the encryption/decryption engine.
With DMVPN, it appears all traffic is encrypted and there is no way to utilize "interesting traffic" ACLs.
Is there a way to enable "interesting traffic" ACLs with IPsec on DMVPN, or is it all or nothing?
I can post the config(s) if desired.
Tks
Frank
09-07-2010 12:27 PM
Hello Frank,
the objective of mGRE is to provide a virtual flat subnet to run a routing protocol over it.
So there is no "interesting traffic" to be defined.
However, the use of multiple routing protocols (or at least different processes), the one used on the WAN and the one used on the mGRE, allows for protection of traffic LAN to LAN between specific subnets.
This still allows unprotected traffic to be sent between other IP subnets that are not advertised over the mGRE but are advertised over the WAN links in "clear text".
So it becomes a question of routing policies.
Hope to help
Giuseppe
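As an added illustration of the routing-policy approach described above (example configuration written for this thread, not taken from either poster's devices): a spoke where the mGRE tunnel is protected with `tunnel protection` and no crypto ACL, and two EIGRP processes decide which LAN subnet is reached through the tunnel (encrypted) and which is reached over the WAN (clear text). The classic crypto-map block at the end shows, for comparison, where "interesting traffic" lives in a point-to-point IPsec setup. All addresses, interface names, AS numbers and the pre-shared key are constructed placeholders.

```cisco
! --- Spoke: DMVPN overlay protected with an IPsec profile ------------------
! There is no "match address" here: every packet that enters Tunnel0 is
! encrypted, so encryption is governed by what gets routed into the tunnel.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER_PSK address 0.0.0.0 0.0.0.0
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS

! WAN underlay interface (constructed addressing)
interface GigabitEthernet0/0
 description WAN link
 ip address 203.0.113.2 255.255.255.0

! LAN subnet that must be protected (reached only via the tunnel)
interface GigabitEthernet0/1
 description Protected LAN
 ip address 192.168.10.1 255.255.255.0

! LAN subnet that may travel in clear text (reached via the WAN)
interface GigabitEthernet0/2
 description Unprotected LAN
 ip address 192.168.20.1 255.255.255.0

interface Tunnel0
 description mGRE overlay to hub
 ip address 10.0.0.2 255.255.255.0
 ip nhrp network-id 1
 ip nhrp map 10.0.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp nhs 10.0.0.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROF

! Routing process 1 runs only over the overlay: subnets advertised here are
! learned by the hub through Tunnel0, so traffic to/from them is encrypted.
router eigrp 100
 network 10.0.0.0 0.0.0.255
 network 192.168.10.0 0.0.0.255

! Routing process 2 runs over the WAN link: subnets advertised here are
! reached through the underlay and are sent in clear text.
router eigrp 200
 network 203.0.113.0 0.0.0.255
 network 192.168.20.0 0.0.0.255

! --- For comparison: point-to-point IPsec with a crypto ACL ---------------
! Here the ACL is the "interesting traffic" selector the question refers to;
! only flows it permits are handed to the IPsec engine.
ip access-list extended VPN-INTERESTING
 permit ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255
crypto map P2P-MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set DMVPN-TS
 match address VPN-INTERESTING
```

A quick way to confirm which path a subnet takes is `show ip route 192.168.10.0` versus `show ip route 192.168.20.0` on the hub: the protected subnet should resolve to a next hop on the Tunnel0 subnet, the unprotected one to a WAN next hop. `show crypto ipsec sa` on the spoke then shows encrypted packet counters rising only for traffic that entered the tunnel.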
04-09-2016 02:07 PM
So, in other words, anything that gets routed via the mGRE tunnel is considered interesting traffic, yes?