
Virtual interface or physical interface

techguy
Level 4

Hi All,

Need your help selecting an IPsec config in the following environment.

We are working in a joint venture. Two different companies are working under one banner, but one company's computers require services from the other company's server.

We are thinking of making a site-to-site connection along with IPsec. Both sites have static public IPs.

Configuring Virtual Tunnel Interface OR

Configuring Physical Interface OR

GRE Point to Point

1 Reply

mohseen patel
Level 1

Hi Omer,

I would prefer VTI on GRE over IPSec. Although IPsec provides a secure method for tunneling data across an IP network, it has limitations. IPsec does not support IP broadcast or IP multicast, preventing the use of protocols that rely on these features, such as routing protocols. IPsec also does not support the use of multiprotocol traffic.
GRE is a protocol that can be used to “carry” other passenger protocols, such as IP broadcast or IP multicast, as well as non-IP protocols.
With Virtual Tunnel Interfaces, you can set them up with a profile that uses IPsec for transport, so the interface tu0 is treated like a usual IP interface that can also handle routing protocols.

However, different tunnel modes suit different applications. Here are some considerations for IPSec VTI. The IPsec VTI is limited to IP unicast and multicast traffic only, as opposed to GRE tunnels, which have a wider application for IPsec implementation. Thus, for some non-IP traffic, we still need IPSec over GRE.

Header-related overhead is about the same; however, VTI is less CPU intensive. It will also matter what platform is part of the solution.

Br.
Mohseen 
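
The static VTI setup described in the reply above, as an added example that is not part of the original thread: a Cisco IOS configuration for one of the two sites, with a routing protocol running across the tunnel interface. All names, the interface, the OSPF process and the addresses (documentation ranges 192.0.2.0/24 and 198.51.100.0/24, private 10.x networks) are assumptions, and the pre-shared key is a placeholder.

```cisco
! Added example, Site A side. Site B mirrors it with the addresses swapped.
! Assumed: Site A public IP 192.0.2.1 on GigabitEthernet0/0,
!          Site B public IP 198.51.100.1, Site A LAN 10.10.0.0/16.
!
crypto ikev2 keyring JV-KEYS
 peer SITE-B
  address 198.51.100.1
  pre-shared-key <PLACEHOLDER-LONG-RANDOM-KEY>
!
crypto ikev2 profile JV-IKE
 match identity remote address 198.51.100.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local JV-KEYS
!
crypto ipsec transform-set JV-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! The profile is what the tunnel interface references; no crypto map
! is applied to the physical interface.
crypto ipsec profile JV-VTI
 set transform-set JV-TS
 set ikev2-profile JV-IKE
!
interface Tunnel0
 description IPsec VTI to joint-venture partner
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
 ! Static VTI: IP unicast and multicast only, no GRE header.
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile JV-VTI
!
! GRE alternative for non-IP passenger traffic: keep the same
! "tunnel protection" line, replace the tunnel mode with
!   tunnel mode gre ip
! and typically set "mode transport" in the transform set.
!
! Routing protocol adjacency forms over Tunnel0 like any IP interface.
router ospf 1
 network 10.255.0.0 0.0.0.3 area 0
 network 10.10.0.0 0.0.255.255 area 0
```

After both sides are configured, `show crypto ikev2 sa` and `show crypto ipsec sa` confirm that the security associations are up before checking the routing adjacency on Tunnel0.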
