Suggested prerequisite reading:
»Cisco Forum FAQ »Setting Up Private Site-To-Site Connections
»Cisco Forum FAQ »Between GRE/IPSEC and IPSEC VPN tunnels

When you need to broadcast private routing information (dynamic routing protocols) over a VPN, you generally need to run GRE over IPSec. The following are sample configurations.

Running OSPF

Configuring a GRE Tunnel over IPSec with OSPF
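
A minimal sketch of one end of a GRE over IPSec tunnel carrying OSPF, added here as an illustration; it is not taken from the linked Cisco document. All addresses, interface names, the names GRE-TS and GRE-PROT, and the key placeholder are assumptions, and the far-end router mirrors this configuration with the peer addresses swapped.

```cisco
! Site A router. Constructed example: addresses, names and key are placeholders.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.2
!
! Transport mode: GRE already supplies the outer IP header between the peers.
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
interface GigabitEthernet0/0
 description Internet-facing interface (tunnel source)
 ip address 198.51.100.1 255.255.255.252
!
interface GigabitEthernet0/1
 description Site A private LAN
 ip address 10.1.0.1 255.255.255.0
!
! GRE carries the OSPF multicast hellos; the IPSec profile encrypts the GRE packets.
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile GRE-PROT
!
! Reach the peer's public address through the ISP, never through the tunnel.
ip route 0.0.0.0 0.0.0.0 198.51.100.2
!
! Advertise only the LAN and the tunnel subnet. Leaving the public interface
! out of OSPF avoids learning the tunnel destination through the tunnel itself
! (recursive routing), which would take the tunnel down.
router ospf 1
 passive-interface GigabitEthernet0/1
 network 10.1.0.0 0.0.0.255 area 0
 network 10.255.0.0 0.0.0.3 area 0
```

Once both ends are configured, `show crypto ipsec sa` should show encrypted and decrypted packet counters increasing and `show ip ospf neighbor` should list the peer's tunnel address in the FULL state.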

Running EIGRP

GRE over IPSec with EIGRP to Route Through a Hub and Multiple Remote Sites

IPX Routing over GRE/IPSec

Configuring GRE and IPSec with IPX Routing
Configuring IPSec with EIGRP and IPX Using GRE Tunneling

Note:
The previous sample configurations assume that both the GRE and the IPSec VPN terminate at a router. If the router's IOS image only supports GRE tunnels and a PIX Firewall in front of the router establishes the IPSec tunnel, check out the following FAQ for illustrations.

»Cisco Forum FAQ »PAT/NAT Router/PIX passing through VPN tunnel

For a full-mesh site-to-site VPN involving three or more sites with the above GRE over IPSec approach, the setup is basically the same as a single site-to-site VPN between two sites. You just need to set up the tunnels one by one: between the 1st and 2nd sites, between the 1st and 3rd sites, between the 2nd and 3rd sites, and so on.

DMVPN

When Cisco routers act as the VPN device at all sites, it is simpler and more scalable to run DMVPN between the routers instead of the previous GRE over IPSec approach. With DMVPN, there is no need to manually set up a tunnel for each connection between two sites; DMVPN sets up the necessary tunnels "dynamically".

Should you decide to run DMVPN, verify that your router's IOS image version supports it. An IOS image version with the Advanced Enterprise (or probably Advanced IP Services) feature set should support DMVPN.

Check out the following links for more info on DMVPN.

Dynamic Multipoint IPsec VPNs (Using Multipoint GRE/NHRP to Scale IPsec VPNs)
Configuring DMVPN Spoke Router in Full Mesh IPsec VPN Using SDM
Configuring Dynamic Multipoint VPN Using GRE Over IPsec With OSPF, NAT, and Cisco IOS Firewall

New Feature on ASA or PIX Firewall running OS version 7.x or later

With the new OS version, it is no longer a requirement to encapsulate OSPF in a GRE tunnel in order to pass it through an IPSec VPN tunnel. When running OS version 7.x or later, an ASA or PIX Firewall is able to pass OSPF through an IPSec VPN tunnel just as it passes GRE or any IP traffic. Check out the following link for a sample configuration.

PIX/ASA 7.x and later: VPN/IPsec with OSPF Configuration Example

by aryoba
last modified: 2008-07-14 11:11:33


