
VPN confusions

Hi Folks,

I have some confusion between GRE over IPsec and Static VTI.

What is the difference between these two?

Any info is highly appreciated.

Thanks

swapneswar

3 Replies

Hi,

I think the main difference is that the IPsec VTI is limited to IP unicast and multicast traffic only, as opposed to GRE tunnels, which have a wider application for IPsec implementation.

Hope it helps.


Federico.

Hey,

We are also running routing protocols in static VTI. If this is the case, does unicast versus multicast make any difference?

Please explain a bit more. I am still confused. Do you have any documents or URLs to refer to?

Thanks

swapneswar

Hi,

Regular IPsec tunnels are only capable of transporting IP unicast traffic.

This is a problem when you want to pass routing protocols through the tunnel like OSPF or EIGRP for example.

Static VTI is a way to be able to pass multicast traffic through the tunnel using IPsec (hence use OSPF or EIGRP).

When you need to pass non-IP traffic like AppleTalk or IPX or virtually any other thing you can use GRE.

GRE encapsulates any packet in a unicast GRE packet (IP protocol 47) and therefore IPsec is able to encrypt it and pass it through the tunnel.

When using IPsec/GRE, IPsec is not aware of the protocols being transferred by GRE, as it's aware only of encrypting GRE packets.

Normally, you want to use only IPsec encryption (not encapsulation), as the encapsulation is being done by GRE and you want to avoid unnecessary overhead.

Hope it helps.

More info:

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html

Federico.
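
The two tunnel types discussed in this thread, side by side as Cisco IOS configuration. This is an added example, not taken from any poster or from the linked Cisco document. The addresses, profile names and pre-shared key are constructed placeholders, and reading "encryption, not encapsulation" as ESP transport mode is an assumption.

```ios
! Constructed example: documentation-range addresses, placeholder names/key.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-KEY address 198.51.100.2
crypto isakmp key PLACEHOLDER-KEY address 198.51.100.3
!
! --- GRE over IPsec ---
! GRE already supplies the outer IP header (protocol 47), so ESP runs in
! transport mode and only encrypts the GRE packet. The passenger can be
! anything GRE can carry, including non-IP protocols.
crypto ipsec transform-set TS-GRE esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile PROF-GRE
 set transform-set TS-GRE
!
interface Tunnel0
 description GRE over IPsec to peer A
 ip address 10.0.0.1 255.255.255.252
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.2
 tunnel mode gre ip
 tunnel protection ipsec profile PROF-GRE
!
! --- Static VTI ---
! No GRE header: ESP tunnel mode does the encapsulation itself, so the
! interface carries IP unicast and multicast only.
crypto ipsec transform-set TS-VTI esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile PROF-VTI
 set transform-set TS-VTI
!
interface Tunnel1
 description Static VTI to peer B
 ip address 10.0.1.1 255.255.255.252
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.3
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PROF-VTI
!
! OSPF hellos are IP multicast, so adjacencies can form over both tunnels.
router ospf 1
 network 10.0.0.0 0.0.0.3 area 0
 network 10.0.1.0 0.0.0.3 area 0
```

The only lines that differ between the two interfaces are `tunnel mode` and the ESP mode in the transform set, which is where the GRE header and its extra per-packet overhead come from.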