Suggested prerequisite reading: »Cisco Forum FAQ »Setting Up Private Site-To-Site Connections »Cisco Forum FAQ »Between GRE/IPSEC and IPSEC VPN tunnels
When you need to carry dynamic routing protocols (their hello and update packets are multicast or broadcast, which a plain IPSec tunnel does not carry) across a VPN, you generally need to run GRE over IPSec. The following are sample configurations.
Running OSPF
Configuring a GRE Tunnel over IPSec with OSPF
Running EIGRP
GRE over IPSec with EIGRP to Route Through a Hub and Multiple Remote Sites
IPX Routing over GRE/IPSec
Configuring GRE and IPSec with IPX Routing
Configuring IPSec with EIGRP and IPX Using GRE Tunneling
Note: The previous sample configurations assume that both the GRE tunnel and the IPSec VPN terminate at a router. When the router's IOS image only supports GRE tunnels and a PIX Firewall in front of the router establishes the IPSec tunnel, check out the following FAQ for illustrations.
»Cisco Forum FAQ »PAT/NAT Router/PIX passing through VPN tunnel
For a full-mesh site-to-site VPN using the above GRE over IPSec approach with three or more sites, the setup is basically the same as a single site-to-site VPN between two sites. You just need to set up the tunnels one by one: between the 1st and 2nd sites, between the 1st and 3rd sites, between the 2nd and 3rd sites, and so on (a full mesh of n sites needs n(n-1)/2 tunnels, each configured by hand at both ends).
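As an added illustration of the tunnel-by-tunnel approach (this is a constructed IOS configuration, not one of the linked Cisco sample configurations), here is the site 1 router of a three-site full mesh: one point-to-point GRE tunnel per remote site, each protected by IPSec via a tunnel protection profile, with OSPF running over the tunnel subnets. Addresses come from the documentation ranges, the pre-shared keys and interface names are placeholders, and sites 2 and 3 are assumed to mirror this configuration (including a tunnel between themselves).

```cisco
! Site 1 router (constructed example). WAN: 203.0.113.1 on Gi0/0, LAN: 192.168.1.0/24
! Site 2 WAN: 203.0.113.2, Site 3 WAN: 203.0.113.3. PSK values are placeholders.
!
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key <PSK-SITE2> address 203.0.113.2
crypto isakmp key <PSK-SITE3> address 203.0.113.3
!
! Transport mode is enough: GRE already supplies the outer IP header,
! so tunnel mode would only add 20 bytes of overhead per packet.
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
! One point-to-point GRE tunnel per remote site; IPSec is bound to the tunnel,
! so every GRE packet (OSPF multicast included) is encrypted.
interface Tunnel12
 description GRE over IPSec to Site 2
 ip address 10.255.12.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile GRE-PROT
!
interface Tunnel13
 description GRE over IPSec to Site 3
 ip address 10.255.13.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.3
 tunnel protection ipsec profile GRE-PROT
!
! OSPF hellos ride inside GRE; the LAN is advertised to both remote sites.
router ospf 1
 router-id 10.255.0.1
 network 10.255.12.0 0.0.0.3 area 0
 network 10.255.13.0 0.0.0.3 area 0
 network 192.168.1.0 0.0.0.255 area 0
```

To verify, check that show crypto isakmp sa shows an active SA per peer, show crypto ipsec sa shows encrypt/decrypt counters rising on each tunnel, and show ip ospf neighbor lists a FULL adjacency on Tunnel12 and Tunnel13. The reduced ip mtu and adjust-mss values keep GRE+ESP overhead from causing fragmentation; leaving them out is a common cause of OSPF adjacencies that form but then flap, or of TCP sessions that hang across the tunnel. Adding a fourth site means adding another tunnel interface and ISAKMP key on every existing router, which is the operational cost DMVPN removes.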
DMVPN
When Cisco routers act as the VPN device at all sites, it is simpler and more scalable to run DMVPN between the routers instead of the previous GRE over IPSec approach. With DMVPN there is no need to manually set up a tunnel for each pair of sites: spokes register with a hub over NHRP, and DMVPN sets up the necessary tunnels dynamically.
Should you decide to run DMVPN, verify that your router's IOS image version supports it. IOS images with the Advanced Enterprise (or probably Advanced IP Services) feature set should support DMVPN.
Check out the following links for more info on DMVPN.
Dynamic Multipoint IPsec VPNs (Using Multipoint GRE/NHRP to Scale IPsec VPNs)
Configuring DMVPN Spoke Router in Full Mesh IPsec VPN Using SDM
Configuring Dynamic Multipoint VPN Using GRE Over IPsec With OSPF, NAT, and Cisco IOS Firewall
New Feature on ASA or PIX Firewall running OS version 7.x or later
With the new OS version, it is no longer required to encapsulate OSPF in a GRE tunnel in order to pass it through an IPSec VPN tunnel. Running OS version 7.x or later, the ASA or PIX Firewall can pass OSPF through the IPSec VPN tunnel directly, just like GRE or any other IP traffic. Check out the following link for a sample configuration.
PIX/ASA 7.x and later: VPN/IPsec with OSPF Configuration Example
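As an added sketch of what that looks like on the firewall side (a constructed ASA 7.x/8.x-style configuration, not the linked Cisco configuration example), the two points that differ from a plain LAN-to-LAN tunnel are that the crypto ACL must also match the OSPF packets (IP protocol 89) between the two outside addresses, and that the OSPF peer is reached by unicast across the tunnel, so it is declared as an explicit neighbor on a non-broadcast point-to-point interface. Addresses are from the documentation ranges, the pre-shared key is a placeholder, and the remote peer is assumed to carry a matching unicast OSPF and crypto configuration.

```cisco
! Constructed ASA example. Outside 203.0.113.1, inside LAN 192.168.1.0/24.
! Remote peer outside 203.0.113.2, remote LAN 192.168.2.0/24. PSK is a placeholder.
!
! 1. Crypto ACL: LAN-to-LAN traffic plus the OSPF exchange between the outside addresses.
!    Without the second line the OSPF packets leave unencrypted and are dropped by the peer.
access-list VPN-TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list VPN-TRAFFIC extended permit ospf host 203.0.113.1 host 203.0.113.2
!
! 2. IKE and IPSec for the LAN-to-LAN tunnel
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key <L2L-PSK>
!
! 3. OSPF: unicast hellos to a statically defined neighbor over the outside interface.
!    ASA uses a netmask (not a wildcard) in network statements.
interface Ethernet0
 nameif outside
 ospf network point-to-point non-broadcast
!
router ospf 1
 network 192.168.1.0 255.255.255.0 area 0
 network 203.0.113.0 255.255.255.0 area 0
 neighbor 203.0.113.2 interface outside
 log-adj-changes
```

Verify with show ospf neighbor (the peer should reach FULL state on outside) and show crypto ipsec sa, where a separate SA pair for the host-to-host OSPF flow confirms the routing protocol traffic is actually being encrypted rather than leaking in the clear. If the adjacency never forms, the usual causes are the missing ospf line in the crypto ACL or a mismatch between the neighbor statement and the peer's interface network type.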
by aryoba, last modified: 2008-07-14 11:11:33