[c-nsp] Virtual Tunnel Interface - experiences?

Christian Zeng christian at zengl.net
Thu Nov 17 03:40:26 EST 2005


* Kevin Graham <mahargk at gmail.com> wrote:
>This said, consider using tunnel protection w/ GRE; config is the same
>as VTI, just specify encap gre in place of ipsec ipv4. You
>will have the obvious overhead of an additional encapsulation header,
>but you'll still have the configuration simplicity of VTI (and it's a
>one-line change per tunnel should you decide to go w/VTI).

Thanks for the feedback.

Do you suggest using only GRE for securing/encapsulating the tunnel or
do you mean that the VTI/GRE tunnel is encapsulated with an additional
layer of IPSec?

When only using GRE, I'm concerned about tunnel security. At the moment,
we're authenticating IPSec tunnels from spokes with dynamic IP addresses
through IKE RSA sigs (certificates).

Having only GRE as the tunnel protocol: it wouldn't provide advanced
authentication/key exchange methods such as IKE with certificates, would it?

When using IPSec on top of a GRE-encapsulated tunnel: how "generic" is the
cryptomap definition then? Does it only describe the traffic flow
between the GRE tunnel endpoints?

>The other big advantage is tunnel protection profiles (w/ GRE) have
>been supported since at least 12.3 mainline (can't find it in FN to be
>sure further back), so 12.3(14)T or 12.4 aren't a prerequisite.

Yes, running 12.4 is one of our major concerns. But anyway, show me a GD
release for 83x routers ;-)

>As you plan, keep in mind that crypto maps and tunnel protection do
>not play nicely together on the same router (at least under early
>12.3's)...

Good point; from what I've seen in the testbed, both features won't
play together at all (cryptomap and VTI with IPSec tunnel protection).

Best regards,


Christian
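As an added illustration of the one-line VTI/GRE difference the thread discusses (this is example configuration written for this page, not from the original post or from Cisco documentation), here is a spoke-side IOS configuration that authenticates IKE with certificates and attaches an IPsec profile to the tunnel instead of a crypto map. All addresses, interface names, and profile names are constructed placeholders; it assumes a PKI trustpoint with an enrolled router certificate already exists.

```cisco
! Spoke side. Constructed example: hub public address 192.0.2.1,
! spoke tunnel address 10.0.0.2/30, outside interface FastEthernet0/0.
! Assumes a PKI trustpoint with an enrolled certificate already exists.
!
! IKE phase 1: certificate (RSA signature) authentication, as used in the thread
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication rsa-sig
 group 2
!
! IPsec phase 2 parameters live in a profile, not in a crypto map
crypto ipsec transform-set TS-AES esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile PROF-TUN
 set transform-set TS-AES
!
! The tunnel interface carries routing and the traffic; the profile protects it.
interface Tunnel0
 ip address 10.0.0.2 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 192.0.2.1
 ! Variant 1 (IPsec VTI, needs a release with VTI support):
 tunnel mode ipsec ipv4
 ! Variant 2 (GRE with tunnel protection, older releases): replace the
 ! line above with the following (GRE over IP is also the default mode):
 ! tunnel mode gre ip
 tunnel protection ipsec profile PROF-TUN
!
! Do not also apply a "crypto map" to FastEthernet0/0 on this router:
! the thread reports crypto maps and tunnel protection conflict.
```

With tunnel protection on a GRE tunnel, IOS derives the IPsec proxy identities from the two tunnel endpoint addresses and protocol 47 (GRE), so no crypto map ACL describes the inner traffic; the routing over the tunnel decides what gets encrypted.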

