05-11-2006 11:24 PM - edited 03-03-2019 12:40 PM
Hi,
We are planning to enable IPSEC on private network. We have location A and location B and both the locations are connected using 2* 10 Mbps links. We have EIGRP running on them. We want to establish IPSEC between the routers.
I was wondering how to enable an IPSEC tunnel so that traffic moving through both the 10 Mbps pipes would be encrypted. If I can get some sample config, it's highly appreciated.
-Sai.
05-11-2006 11:59 PM
Hi Sai,
Please see the link below:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml
This will help you in setting up the ipsec site-site setup.
HTH, Please rate if it does.
-amit singh
05-12-2006 12:14 AM
Hi Amit,
Thanks for the URL. My issue is we have 2* 10 Mbps links and we would like to encrypt all traffic flowing through both the links.
-Sai.
05-12-2006 01:14 AM
Please paste your router config.
regards,
-amit singh
05-12-2006 06:19 AM
IPSec by its nature does not support running a routing protocol directly over it. There are many deployments that use GRE encrypted by IPSec for the purpose of running routing protocols like EIGRP and OSPF over IPSec. Your case seems similar. The following link provides an example of running EIGRP over GRE which in turn is encrypted via IPSec.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009438e.shtml
Recently Cisco has come out with another feature that makes running routing protocols over IPSec a little simpler. This feature is called IPSec VTI (Virtual Tunnel Interface) and you can find additional information about it at the following URL:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_white_paper0900aecd8029d629.shtml
Depending on your exact topology there might not be any requirement to run a routing protocol but since you already mention that these sites run EIGRP I have assumed that you would like to extend EIGRP across the sites.
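The GRE-over-IPSec approach described in the reply above, sketched for the original question's two parallel links. This is an added example, not part of the thread and not taken from the linked Cisco documents; all addresses, the EIGRP AS number, the names GRE-TS and GRE-PROT, the MTU values and the key placeholder are assumptions, and the crypto algorithms shown need a reasonably recent IOS release.

```cisco
! Router A (constructed example; Router B mirrors it with endpoints swapped)
! Link 1: 192.0.2.1 <-> 192.0.2.2      Link 2: 198.51.100.1 <-> 198.51.100.2
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Placeholder key: replace with a long random secret, one per peer
crypto isakmp key <PRE-SHARED-KEY> address 192.0.2.2
crypto isakmp key <PRE-SHARED-KEY> address 198.51.100.2
!
! Transport mode is sufficient because GRE already supplies the outer header
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
! One GRE tunnel per physical 10 Mbps link, each protected by IPSec
interface Tunnel1
 description Encrypted GRE over link 1
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 192.0.2.1
 tunnel destination 192.0.2.2
 tunnel protection ipsec profile GRE-PROT
!
interface Tunnel2
 description Encrypted GRE over link 2
 ip address 10.255.0.5 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 198.51.100.1
 tunnel destination 198.51.100.2
 tunnel protection ipsec profile GRE-PROT
!
! EIGRP runs on the LAN and the two tunnel subnets only. The physical link
! subnets are deliberately left out: a neighbor formed directly over a
! physical link would install routes that carry site traffic unencrypted.
router eigrp 100
 network 10.1.0.0 0.0.255.255
 network 10.255.0.0 0.0.0.7
 no auto-summary
```

With both tunnels at equal metric, EIGRP installs two equal-cost paths and shares load across the links. `show ip eigrp neighbors` should list neighbors only on Tunnel1 and Tunnel2, and `show crypto ipsec sa` should show encaps/decaps counters rising for both peers.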
05-13-2006 01:46 AM
I am very interested in your previous post with regard to running EIGRP over GRE and IPSEC. I have an issue where a customer has connections to his branch offices via an MPLS network and also Internet based VPN connections. However the connections at the branches do not support any dynamic routing protocols over the BT MPLS network.
If I can run GRE/IPSEC and then EIGRP I will be able to propagate routes across the network and in case of failure the data should swap to the VPN based link via another interface.
Does this sound feasible within an MPLS network? Are there any issues with running GRE or IPSEC over an MPLS network from British Telecom?
05-13-2006 07:27 AM
I am not familiar with the BT MPLS solution. Just out of curiosity, why are they not offering dynamic routing capability, as it would seem to be a common requirement from most L3 VPN customers?
You can run dynamic routing over GRE tunnels. If you think you require additional security then you can also use IPSec but I think you are not deploying any security mechanism currently so you probably do not need IPSec for the GRE tunnels over the MPLS cloud.
I think what you are trying to achieve is definitely doable as long as you give sufficient thought to the failover process between the MPLS connectivity and that provided by the VPN.
05-13-2006 10:00 AM
Thanks for that. They do offer BGP but only on standard links, not DSL based connectivity over the MPLS network. The VPNs will be based around Cisco kit as well and I intend to run them over GRE also so that both links are advertised around the network.
It is very limiting not having the option of dynamic routing on DSL circuits but I know BT are planning on allowing BGP over DSL at some point but not in the near future. Anyhow doing it this way should allow us to have the network that the customer requires.
Thanks for your input
Andy Starr