08-28-2006 11:29 PM - edited 03-03-2019 01:48 PM
Hi.
I have a question:
1) Does IPSec support multicast capability?
2) Why do we configure an IPsec tunnel into a GRE tunnel?
I have read one Cisco document; as per the doc, IPSec does not support IP multicast, but when we use a Netscreen firewall (end to end) IPsec tunnel on the Internet, this will be routing on the Internet. How are these two things different?
I hope you understand my query.
-Minu
08-29-2006 12:53 AM
Hi Minu,
Ans 1. IPSec, in IPSec Direct Encapsulation, doesn't support it.
http://www.cisco.com/application/pdf/en/us/guest/netsol/ns130/c649/ccmigration_09186a0080685ce8.pdf
Ans 2. In order to get multicast enabled across the VPN, we can use the Peer to Peer IPSec in GRE.
Please visit for more info:
http://www.cisco.com/application/pdf/en/us/guest/netsol/ns656/c649/cdccont_0900aecd80402f07.pdf
http://www.cisco.com/application/pdf/en/us/guest/netsol/ns130/c649/ccmigration_09186a0080685ce8.pdf
However, I couldn't understand your 3rd question very well; could you please elaborate?
Please feel free to revert back with any queries you might have.
Kind Regards,
Wilson Samuel
PS: Please rate if it helps.
08-29-2006 06:05 AM
Minu
If we are talking pure IPSec as per the standards then IPSec is for unicast IP traffic and does not support multicast.
The most common of the Interior Routing Protocols (especially OSPF and EIGRP) require multicast for their routing packets. So traditional IPSec did not support Interior routing protocols. The solution was to combine IPSec (which does not support multicast) with GRE, which does support multicast, to be able to route with OSPF or EIGRP over IPSec tunnels.
In recent releases Cisco has given an enhancement called Virtual Tunnel Interface and with VTI you run IPSec, do not run GRE, and it is able to support OSPF and EIGRP routing.
I am not clear what the Netscreen is doing. It would be logical that they might be translating all the local addresses to send them over the Internet. And if they were translating all the addresses then they could establish connectivity over an IPSec tunnel which would provide connectivity to the networks on both ends and still not be running a routing protocol through the IPSec tunnel. If that is not what is happening then perhaps someone who has more experience with this vendor can clarify what is being done here.
HTH
Rick
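The GRE-over-IPsec arrangement described in the replies above, as an added example that is not part of the original thread: a Cisco IOS sketch for one end of a point-to-point tunnel, where GRE carries the OSPF multicast hellos and IPsec encrypts the resulting unicast GRE packets. All addresses (documentation ranges), the key placeholder and the names TS-GRE, PROF-GRE and Tunnel0 are assumptions made for illustration.

```cisco
! Constructed example: every address, name and key here is a placeholder.
!
! Phase 1 (IKE) policy and pre-shared key for the remote peer
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER_PSK address 198.51.100.2
!
! Phase 2: transport mode is sufficient because GRE already
! supplies the outer IP header between the two tunnel endpoints
crypto ipsec transform-set TS-GRE esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile PROF-GRE
 set transform-set TS-GRE
!
! GRE tunnel: multicast (OSPF hellos to 224.0.0.5) is encapsulated
! in unicast GRE, and the GRE packet is what IPsec protects
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.2
 tunnel mode gre ip
 tunnel protection ipsec profile PROF-GRE
!
! OSPF runs on the tunnel subnet and the local LAN only, never on the
! Internet-facing interface, so adjacencies form only through the
! encrypted tunnel
router ospf 1
 passive-interface default
 no passive-interface Tunnel0
 network 10.255.0.0 0.0.0.3 area 0
 network 10.1.1.0 0.0.0.255 area 0
!
! VTI variant mentioned in the thread (no GRE header): on the tunnel
! interface use "tunnel mode ipsec ipv4" instead of "tunnel mode gre ip",
! with a transform set left in its default tunnel mode.
```

After both ends are configured, `show crypto ipsec sa` should show the encapsulation and decapsulation counters increasing and `show ip ospf neighbor` should list the peer across Tunnel0; a neighbor that forms while the counters stay at zero means routing traffic is crossing unencrypted.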