07-10-2014 04:25 AM - edited 02-21-2020 07:43 PM
I have to ask if someone has any literature about how to make an L3VPN and use IPsec to encrypt traffic between L3VPN end nodes.
Thank you.
Petar
07-11-2014 03:37 AM
Hi Petar,
I guess this is a very typical kind of solution... we can have L3VPN over GRE... but you are looking for L3VPN over GRE over IPsec, I guess it should not be an ideal solution to go with... but let me try if we can be able to do with...
Regards
Karthik
07-11-2014 03:52 AM
Maybe you didn't understand me or maybe I asked the wrong question. The situation is as follows:
I need to connect customer sites (L3VPN), and encrypt traffic between those sites with IPsec. Is it possible or is there some other solution?
Best regards,
Petar
07-11-2014 04:08 AM
Petar,
Are you talking about CE-CE or PE-PE encryption?
Are we talking about encryption of "last mile" or end to end?
Are we talking about encrypting customer traffic or links?
M.
07-11-2014 04:21 AM
Hi Marcin Latosiewicz and nkarthikeyan,
We are talking about encrypting traffic between CE-CE routers, and encrypting customer traffic (just payload). In this case, I think we are not talking about IPsec tunnels; we are talking just about encryption of traffic (payload, not IP header).
Best regards,
Petar
07-11-2014 04:26 AM
Petar,
For CE-CE we typically recommend GETVPN, still IPsec with GDOI for the control plane. It does encrypt the IP header, but it preserves the original header.
Vide:
http://www.cisco.com/c/dam/en/us/products/collateral/security/group-encrypted-transport-vpn/prod_presentation0900aecd80582031.pdf
slide 9.
M.
07-11-2014 04:38 AM
Thank you Marcin Latosiewicz. I will try to do it like this. I get the point.
Thank you both Marcin Latosiewicz and nkarthikeyan.
Best regards,
Petar
07-11-2014 04:09 AM
Hi Petar,
As per my knowledge we cannot do it. Even though I can see the related IETF record for the same. But in a real-time scenario we do not have a possible solution.
http://tools.ietf.org/html/draft-ietf-l3vpn-rfc2547bis-03
We can have the L3VPN using a GRE tunnel. But I am not sure we can have the IPsec protection for the same.
Regards
Karthik