[c-nsp] GRE over IPSec
Varaillon Jean Christophe
j.varaillon at cosmoline.com
Mon Sep 29 08:27:15 EDT 2008
Hi,
About the routing part. Instead of using OSPF you might want to use the keepalive feature on the GRE tunnel interface.
This way, you would use two static routes pointing through each tunnel interface with different metrics. When one tunnel goes down (keepalive no longer received) the backup interface would be the chosen one by the relevant static route.
Christophe
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Justin Shore
Sent: Saturday, September 20, 2008 12:04 AM
To: 'Cisco-nsp'
Subject: [c-nsp] GRE over IPSec
I'm trying to figure out if a router can push a GRE tunnel over top of
an IPSec tunnel that's originated on the same router, through an ASA
terminating the other end of the IPSec tunnel and to another IOS router
behind the ASA. I've seen this done with an ASA at both sites in front
of the local router but I've never seen it done with the router
originating the IPsec tunnel. Is this possible? Any tips on how to
accomplish this? I'm thinking that the tunnel destination should be the IOS
router at the remote site which should also match the ACL for traffic to
a given destination (the remote end of the tunnel). I'm not sure what
the order of operations would be though so I'm not sure if the GRE
tunnel would end up in the IPSec tunnel.
I want to deploy 800-series wifi routers at remote sites (COs, large
cabinets, etc) and have them VPN back to our HQ's ASAs and a second
backup site. I'd like to run a routing protocol out to them to give
them 2 paths into our network over the 2 tunnels, preferably OSPF in
this case. My thought was a simple pair of GRE tunnels through the
IPSec tunnels. I could always place an IOS router at the HQ and use it
to terminate IPSec-encrypted GRE tunnels. That would add more cost
though. I already have one at the backup site though.
Suggestions? Thanks
Justin
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
__________ Information from ESET Smart Security, version of virus signature database 3479 (20080929) __________
The message was checked by ESET Smart Security.
http://www.eset.com
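The keepalive and static-route approach suggested in the reply above, sketched as an IOS configuration for the remote-site router. This is an added example, not configuration from either poster: all addresses, interface numbers and timer values are constructed, and the "different metrics" are assumed to be expressed as administrative distances on the static routes.

```cisco
! Constructed example: all addresses are documentation or private ranges.
!
! Primary GRE tunnel toward the HQ router
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.1
 ! Send a keepalive every 10 seconds; after 3 missed replies the
 ! tunnel line protocol goes down
 keepalive 10 3
!
! Backup GRE tunnel toward the second site
interface Tunnel1
 ip address 172.16.0.5 255.255.255.252
 tunnel source 192.0.2.1
 tunnel destination 203.0.113.1
 keepalive 10 3
!
! Preferred static route through the primary tunnel (default distance 1)
ip route 10.0.0.0 255.0.0.0 Tunnel0
!
! Floating static route through the backup tunnel. With distance 250 it
! enters the routing table only when Tunnel0 is down and the route
! above has been withdrawn
ip route 10.0.0.0 255.0.0.0 Tunnel1 250
```

The routers terminating the two tunnels need the mirror-image keepalive and static-route configuration for return traffic to follow the same failover.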