[c-nsp] Design - gre+ipsec+vpnsm+fwsm+vrf

Ge Moua moua0100 at umn.edu
Thu Mar 8 16:15:02 EST 2007


Szilard-
This is what I'm thinking for your situation:
- substitute the 7200 for your VPN SPA (we also initially considered using
this as well)
- FWSM is in transparent mode (layer 2) running 3.1(4)
- Cat6k/Sup720 running: 12.2(18)SXF5
- be sure to use vrf-aware IPSec (config very different from "plain" non-vrf
IPSec)
- we are also doing VRF lite on the 7200 to be able to use RRI
(reverse-route injection) so that static routes (for the nets behind far
side VPN gateway) are created on the fly (I like this because this mitigates
routing configuration with VPN); other options could be to use dynamic
routing over GRE or just static routes

Hopefully the drawing was helpful.  Good luck.

:-)
Regards,
Ge Moua | Email: moua0100 at umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services
2218 University Ave SE | Minneapolis, MN 55414-3029
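As an added illustration of the "VRF-aware IPsec" point above (this is not configuration from Ge's network or from the thread), the fragment below shows one way to put a GRE tunnel with tunnel protection inside a VRF on the 7200 while the tunnel endpoints stay in the global table: the ISAKMP profile carries the inside VRF so the IPsec SA is bound to it. VRF name, addresses, loopback, peer, key and profile names are placeholders; the far-side network is reached here by a plain static route over the tunnel rather than by RRI, and the DH group assumes a release that offers it.

```cisco
! Added example, not from the original thread. Inside VRF "LEFT", front
! door in the global table. Addresses, names and the key are placeholders.
ip vrf LEFT
 rd 65000:1
!
! Pre-shared key for the left-side peer (placeholder key, replace it).
crypto keyring KR-LEFT
 pre-shared-key address 192.0.2.2 key REPLACE-WITH-REAL-PSK
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
!
! The "vrf" line is what makes this VRF-aware: SAs negotiated through this
! profile belong to VRF LEFT, matching the tunnel's "ip vrf forwarding".
crypto isakmp profile ISAKMP-LEFT
 vrf LEFT
 keyring KR-LEFT
 match identity address 192.0.2.2 255.255.255.255
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
!
crypto ipsec profile IPSEC-LEFT
 set transform-set TS-AES
 set isakmp-profile ISAKMP-LEFT
!
! GRE tunnel whose inside sits in VRF LEFT; source/destination are global
! (no "tunnel vrf" line), so the IPsec packets are routed in the global table.
interface Tunnel10
 description GRE+IPsec to left-side peer, inside VRF LEFT
 ip vrf forwarding LEFT
 ip address 10.10.10.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 192.0.2.2
 tunnel mode gre ip
 tunnel protection ipsec profile IPSEC-LEFT
!
! Far-side network (placeholder) reached over the tunnel inside the VRF.
ip route vrf LEFT 10.100.0.0 255.255.0.0 Tunnel10
```

Check with "show crypto isakmp sa" and "show crypto ipsec sa" that the SA comes up and with "show ip route vrf LEFT" that the far-side prefix resolves via Tunnel10; if the SA is negotiated without the "vrf" line in the ISAKMP profile, traffic from the VRF is not matched to it. A second tunnel for the right side would repeat the pattern with its own VRF, keyring and profiles.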

-----Original Message-----
From: gmredmond at gmail.com [mailto:gmredmond at gmail.com] On Behalf Of Szilard
Csordas
Sent: Thursday, March 08, 2007 2:09 PM
To: Ge Moua
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Design - gre+ipsec+vpnsm+fwsm+vrf

Nice drawing, thanks.

Additionally we want to move the VPN stuff to the 65k boxes as well, and you
solved it with 7200. I suppose the dotted red line is the IPSec traffic,
terminated on the 7200 and the green part is unencrypted.
May I ask what IOS and FWSM software you are using?

thx,
Szilard


On 3/8/07, Ge Moua <moua0100 at umn.edu> wrote:
> We are doing very similar to what you described for your situation.  
> See attached file.
>
>
>
> :-)
> Regards,
> Ge Moua | Email: moua0100 at umn.edu
>
> Network Design Engineer
> University of Minnesota | Networking & Telecommunications Services
> 2218 University Ave SE | Minneapolis, MN 55414-3029
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net 
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Szilard 
> Csordas
> Sent: Thursday, March 08, 2007 12:20 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Design - gre+ipsec+vpnsm+fwsm+vrf
>
> Hello,
>
> We are in a quite complex situation and as always we don't have a real 
> lab to test it.
> We did the design on paper but I am not sure if it works.
>
> 65k, sup720+FW+vpn spa. Let's say it has 2 sides, left and the right.
> If I terminate a GRE+IPSec tunnel (tunnel protection) on the right 
> side, I want the traffic to flow through the firewall module (routed 
> or transparent) and to push that traffic into the other GRE+IPsec tunnel
> on the left side.
> Is that possible with one box or do I have to split the functions to 
> more devices.
>
> To complicate matters further, what happens if I want those Tunnel 
> interfaces to be in the VRFs (no MPLS)?
>
> Any advice is appreciated.
>
> thanks,
> Szilard
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net 
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>


