cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
273
Views
0
Helpful
2
Replies
Ali Razavi
Beginner

Public IP Addresses on VT Interfaces

Hi everyone,

My company has a very large global network and we have decided to move from traditional crypto map site-to-site tunnels to VTI based IPSec tunnels.  In order to organize the numerous tunnels and the sites they correspond to, we have designed an IP scheme that includes addresses that might fall into the legal public range and which are not assigned to our company.  But we figured as long as we're not routing using those addresses and only using them for internal routing etc. we're good to go.  Moreover, the tunnels come up just find using these addresses.  However, I recently realized that some of these addresses are bing resolved by our devices to their legal fqdns.  So my question is does it really matter if we use public addresses on our virtual tunnel interfaces when the traffic is being encapsulated between two public endpoints any way?  A sample config is as follows:

Router 1

interface Tunnel1

ip address 192.170.171.1 255.255.255.252

tunnel source 70.x.x.x

tunnel destination 213.x.x.x

ip route 10.171.171.0 255.255.255.0 Tunnel1

Router 2

interface Tunnel2

ip address 192.170.171.2 255.255.255.252

tunnel source 213.x.x.x

tunnel destination 70.x.x.x

ip route 10.170.170.0 255.255.255.0 Tunnel2

Again, for our internal routing purposes, this setup has been working just fine.  It's just that the addresses interface addresses are being resolved to their public FQDN.  Note: 192.170.170.0/30 is not the actual address scheme we've been using.

Thanks in advance for your time

1 ACCEPTED SOLUTION

Accepted Solutions
cadet alain
Mentor

Hi,

personaly for security purposes I would never use a public IP for a VTI, what's the point anyway as they are not supposed to be reachable by the Internet.

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

View solution in original post

2 REPLIES 2
cadet alain
Mentor

Hi,

personaly for security purposes I would never use a public IP for a VTI, what's the point anyway as they are not supposed to be reachable by the Internet.

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

What is your exact concern about security?