WAN routing + packet assembler/disassembler

b_lamine81
Level 1

Hi,

In the HQ, I have a Cisco router connected to a security equipment (Crypto AG) that encrypts the whole packet (including the header). The security equipment is connected to another Cisco router, which is connected to an IP/MPLS or Frame Relay provider.

CISCO <---> SEC. EQUIPMENT <---> CISCO <---> PROVIDER

In the branch office, I have the same architecture.

Is there any way to make this architecture work (so that I can ping from the 1st router in HQ to the second router in the branch office)?

I was told that we can use PAD (packet assembler/disassembler) to communicate between the 2 routers in the same site.

Any advice will be helpful.

Thanks in advance.

Regards,

Lamine

3 Replies

Giuseppe Larosa
Hall of Fame

Hello Lamine,

I think this kind of crypto device is good only on dedicated links.

If they encrypt everything, including the header, how can the second router understand in which way to handle the resulting packet?

An EoMPLS router could still try to forward the packet because it doesn't need to understand it, but no IP routing is possible on a totally encrypted packet: the IPv4 header should be left in clear text to be able to route it, as is done in the IPsec protocols with AH and ESP.

If instead you put the devices at the two ends of a dedicated link, there is no problem: traffic arrives decrypted at the destination router.

Hope to help

Giuseppe
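The point made in the reply above, as an added example that is not part of the original post: a routed hop can only forward a packet whose IPv4 header it can parse and validate, so a packet encrypted header and all is dropped, while a packet carrying the same ciphertext behind a cleartext outer header (the ESP approach) is routable. The addresses, the `toy_encrypt` stand-in cipher and the `router_lookup` check are constructed for illustration and do not model the Crypto AG device or real ESP framing.

```python
import hashlib, socket, struct

def checksum(hdr: bytes) -> int:
    """RFC 791 ones'-complement header checksum (0 when verifying a valid header)."""
    total = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal 20-byte IPv4 header followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def toy_encrypt(data: bytes, key: bytes = b"constructed-key") -> bytes:
    """Stand-in for the encryptor: XOR with a SHA-256 keystream. Not a real cipher."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def router_lookup(pkt: bytes):
    """What a routed hop needs: a valid IPv4 header. Returns the destination or None (drop)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:          # too short or not IPv4
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl or checksum(pkt[:ihl]) != 0:
        return None
    return socket.inet_ntoa(pkt[16:20])

# Constructed sample traffic (private and documentation address ranges).
inner = ipv4_packet("10.1.0.10", "10.2.0.20", 1, b"ping payload....")
whole_packet_encrypted = toy_encrypt(inner)        # header encrypted as well
outer_header_in_clear = ipv4_packet("192.0.2.1", "198.51.100.1", 50,
                                    toy_encrypt(inner))  # 50 = ESP protocol number

if __name__ == "__main__":
    for name, pkt in [("cleartext packet", inner),
                      ("whole packet encrypted", whole_packet_encrypted),
                      ("cleartext outer header", outer_header_in_clear)]:
        print(f"{name:24} -> next-hop lookup on: {router_lookup(pkt)}")
```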

Hi Giuseppe,

Many thanks for your reply.

But the problem is that the EoMPLS router encapsulates an L2 frame received on an ingress interface, which is not the case. The router behind the crypto device receives encrypted packets and it can't read the L2 header.

Regards,

Lamine

Hello Lamine,

What you say confirms my impression that you cannot have a router in the path between the two cipher devices.

If even the L2 header is encrypted, these devices can interoperate only between themselves.

Hope to help

Giuseppe
