Re: VPN between Concentrator & Router



rdymek wrote:
One problem with redistribution is that your administrative distance is
no longer the same (although it is configurable), and you are still
dependent on a static route somewhere in the scheme.

I actually recommend a slightly more complex solution using GRE
(although not too complex) but seems to work a lot better in my
opinion. Since IPSec tunnels don't support any routing protocols
you'll either have to use purely static routes, or redistribute static
routes from the concentrator on the inside. In either case, you're
still dependent on static routing being redistributed. Not to mention
the other end (the branch office) still doesn't have dynamic routing
with this option.

I find that a GRE tunnel does the trick. You'd have to make the VPN
router a GRE tunnel end point, and the 2800 router on the inside of the
concentrator a GRE end point. There is lots of documentation on
Cisco's site about using GRE. Some solutions you'll find piggyback on
the IPSec configuration, using the same end points as the IPSec end
points for GRE. This is fine if you are using two routers for IPSec,
but a concentrator does not support itself being a GRE end point. So
when looking through various documentation, be aware that this is not
really GRE over IPSec; it's completely independent from your IPSec
tunnel; however, it does pass through the IPSec tunnel.

With GRE you can run OSPF, EIGRP or just about any other routing
protocol you may be using.

By doing this you can effectively send your routing protocol through
the IPSec tunnel -- this opens many doors that you just can't do with
static routing, even being redistributed. You can perform automatic
load balancing or any other features of your dynamic protocol you may
want to do - it could at this point be treated as if it were a regular
point-to-point office.

Ryan

Ryan,

Thanks for the response and to Merv as well in the earlier post.

I will re-work the config along these lines.

Regards

Darren
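As an added illustration of the design Ryan describes above (this is constructed example configuration, not from the thread and not Cisco's own documentation): the branch VPN router and the 2800 sitting behind the concentrator become GRE endpoints, OSPF runs over Tunnel0, and the existing IPSec tunnel's interesting-traffic definition is narrowed to the GRE endpoint pair. All addresses are RFC 5737 documentation ranges chosen for the example; the hostnames, OSPF process number, ACL name and MD5 key are placeholders.

```cisco
! Constructed example, not from the thread: branch router "BRANCH" (IPSec peer
! of the concentrator) becomes one GRE endpoint; the 2800 on the inside of the
! concentrator is the other. Addresses are RFC 5737 documentation ranges.
hostname BRANCH
!
! GRE endpoint address. It must be covered by the IPSec interesting-traffic
! definition on both sides, so GRE packets are encrypted rather than sent
! in the clear to the far end.
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
interface Tunnel0
 description GRE to 2800 (198.51.100.1), carried inside the IPSec tunnel
 ip address 10.255.0.1 255.255.255.252
 ! GRE (24 bytes) plus ESP overhead: lower the MTU and clamp TCP MSS so
 ! packets are not fragmented after encapsulation.
 ip mtu 1400
 ip tcp adjust-mss 1360
 ! Authenticate OSPF over the tunnel; replace the key with a real secret.
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 REPLACE-WITH-SECRET
 ! Detect a dead far end and take the tunnel (and the routes learned
 ! through it) down instead of black-holing traffic.
 keepalive 10 3
 tunnel source Loopback0
 tunnel destination 198.51.100.1
 tunnel mode gre ip
!
router ospf 1
 router-id 192.0.2.1
 passive-interface default
 no passive-interface Tunnel0
 ! Advertise the tunnel subnet and the branch LAN only. Loopback0 is
 ! deliberately NOT advertised: if the tunnel destination were ever learned
 ! through Tunnel0 itself, IOS would disable the tunnel for recursive routing.
 network 10.255.0.0 0.0.0.3 area 0
 network 192.168.10.0 0.0.0.255 area 0
!
! Interesting-traffic ACL referenced by the existing crypto map toward the
! concentrator. Only the GRE packets between the two endpoints need to match,
! because all LAN-to-LAN traffic now rides inside GRE.
ip access-list extended IPSEC-TO-CONCENTRATOR
 permit gre host 192.0.2.1 host 198.51.100.1
!
! ---- Mirror on the 2800 behind the concentrator (differences only) ----
! The 2800 is not an IPSec peer, so it has no crypto ACL. It needs exactly
! one static route: the branch GRE endpoint via the concentrator's inside
! address (198.51.100.254 here). Everything else is learned via OSPF.
! hostname HQ-2800
! interface FastEthernet0/0
!  ip address 198.51.100.1 255.255.255.0
! ip route 192.0.2.1 255.255.255.255 198.51.100.254
! interface Tunnel0
!  ip address 10.255.0.2 255.255.255.252
!  tunnel source FastEthernet0/0
!  tunnel destination 192.0.2.1
!  (same ip mtu, adjust-mss, keepalive and OSPF authentication lines)
! router ospf 1
!  network 10.255.0.0 0.0.0.3 area 0
!  network 10.1.0.0 0.0.255.255 area 0
```

On the concentrator, the LAN-to-LAN connection's local and remote network lists must likewise cover 198.51.100.1/32 and 192.0.2.1/32 (the concentrator's own configuration is outside this example), otherwise its policy will not match the GRE packets and the tunnel never comes up. To verify, `show interface Tunnel0` should show line protocol up (keepalives answered), `show ip ospf neighbor` should list the far end in FULL state over Tunnel0, and the encrypt/decrypt counters in `show crypto ipsec sa` on the branch router should increase while the OSPF adjacency is forming. If OSPF routes ever disappear with a log message about recursive routing, the tunnel destination has leaked into OSPF; the `passive-interface default` and restricted `network` statements above are what prevent that.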