A question on TED

m-menozzi
Level 1

There is a question that I have in mind; I didn't find satisfactory answers except for a sample configuration about the necessity to configure a dynamic crypto map on all routers involved in an IPSec dynamic session.

I mean, in a typical hub and spoke config I can have the hub configured with dynamic crypto map and the spokes configured with a static one toward the hub router.

In case I would apply TED on the hub router only, the "discover" keyword is enough, but do I need to change the config also on the spokes (migrating to dynamic, also with the discover keyword)?

Thanks

Marco


4 Replies

gfullage
Cisco Employee

TED is only used with dynamic crypto maps. There's not any point in using TED if you're using a static tunnel, the two are contradictory to each other. TED is used to discover the peer dynamically, a static crypto map points straight to the peer.

I understood this. So you mean that I cannot have the hub router using TED and the spoke router using a static crypto map toward the hub. Am I right?

Marco

Can't say I've ever tested it, because, as I mentioned, it's not logical to do it that way. I guess you could try and see if it works; I don't think it would, since the way the two endpoints find each other is with the use of TED Probe/Reply packets, and if you don't have TED enabled on the spokes then I severely doubt they'll reply to the TED Probe packet from the hub.

Why not just configure a dynamic crypto map on the hub and static on the spokes? This'll work fine as long as you don't need the tunnel to be initiated from the hub (which you probably do, otherwise you wouldn't be going into all this :-) )

DMVPN is another good way to go, as you'll get the benefit of running a routing protocol over the tunnel which will help with spoke-spoke communication.
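As an added example (not from this thread or from Cisco documentation), this is the layout described above in IOS configuration: a dynamic crypto map with the TED `discover` keyword on the hub, and a plain static crypto map on one spoke pointing at the hub. Hostnames, addresses, the pre-shared key, ACL numbers and interface names are constructed placeholders.

```cisco
! --- HUB (public address 203.0.113.1, LAN 10.0.0.0/24; all values constructed) ---
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
! wildcard key: the hub does not know spoke addresses in advance. Any host holding
! this key can bring up a tunnel, so per-peer keys or certificates are preferable.
crypto isakmp key EXAMPLE-PSK address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! interesting traffic from the hub LAN to the spoke LANs; this ACL is what
! makes the hub send a TED probe when it has no SA for a destination yet
access-list 110 permit ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.255.255
!
crypto dynamic-map DMAP 10
 set transform-set TS
 match address 110
!
! "discover" enables TED; IOS only accepts it on a dynamic crypto map entry
crypto map CMAP 10 ipsec-isakmp dynamic DMAP discover
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map CMAP

! --- SPOKE (public address 198.51.100.2, LAN 10.1.1.0/24; all values constructed) ---
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key EXAMPLE-PSK address 203.0.113.1
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.0.255
!
! static entry: the peer is the hub, so there is nothing for the spoke to discover
crypto map CMAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address 110
!
interface GigabitEthernet0/0
 ip address 198.51.100.2 255.255.255.0
 crypto map CMAP
```

With this, the spoke can initiate the tunnel to the hub at any time; whether a spoke without TED answers a probe the hub sends is exactly the point left open in the reply above.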

Excellent response, will surely respond to the post. I have a question on TED.

Doc says that it is used to reduce the overhead when you have a lot of IPSEC peers and would not like to specify peers on all.

My question is, how would a router know which router to send the probe to, to set up an IPSEC tunnel?

Let's say I have a full mesh of 100 routers which want to communicate with each other using IPSEC. I use TED and do not define ISAKMP endpoints; how do the routers know where to send the probe to (which router) to form an SA?

Thanks
