VPN Interface basics question

1StopBloke
Level 1

Hello,

I'm new to the world of VPNs and Tunnel interfaces so please bear with me. I have a couple of questions:

1. So the tunnel source is the source ip address of the tunnel packet and the destination the destination, right? So what do you need an IP address on the interface for? Just for pinging?

2. Why specify a loopback as tunnel source? Shouldn't it be the egress interface that the packet goes out to the remote peer on?

3. So when to use the tunnel is all based on routes you put in right? (and the actual IPSEC packets if you use IPSEC are the tunnel source/dest which wrap around the packet you're sending) As in you say if you want to get to X subnet then you put in a static route with the gateway as the tunnel interface?

4. How do these bad boys send multicast over IPSEC? Does it wrap any packet with a unicast IP packet then put it in IPSEC? Or does it use GRE and not say that?


Marcin Latosiewicz
Cisco Employee

Have a look at some more literature. The IOS 15.2 configuration guide should be a good place to start, also CCIE/CCNP security materials.

1) You are creating a point to point (or multipoint) link. Is the IP address used in Frame Relay or GRE only used for pinging? ;-) Your source/destination assumptions are correct.

2) Loopbacks never go down. Another benefit of loopbacks is they are not using the egress interfaces' IP addressing, which sometimes can be used for redundancy (i.e. send packets through two different links).

3) I think you're correct, although the sentence is a bit odd.

4) As you mentioned, if the packets are directed through the interface, they will be encapsulated. IPsec with logical interfaces in that sense does not make much of a decision. It will encapsulate mcast/unicast as long as it's being pointed out that interface (at least in the case of VTI or GRE).
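
The four answers above in concrete form, as an added example that is not from the original thread, from Cisco, or from either poster: a site-to-site IPsec VTI between two IOS routers, sourced from loopbacks, with a static route and an EIGRP adjacency pointing traffic into the tunnel. Everything in it is constructed for illustration: the router names R1/R2, the interface names, the documentation-range addresses (192.0.2.x for the loopbacks, 198.51.100.x and 203.0.113.x for the underlay, 10.x for inside and tunnel addressing), the transform-set and profile names, and the placeholder pre-shared key.

```ios
! ===== R1 (constructed example; all names and addresses are assumptions) =====
!
! IKEv1 phase 1: how the peers authenticate each other and derive keys
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! The key is bound to the peer's tunnel source, i.e. R2's loopback (answer 2)
crypto isakmp key REPLACE-WITH-STRONG-PSK address 192.0.2.2
!
! IKEv1 phase 2: ESP in tunnel mode wraps whatever leaves Tunnel0 (answer 4)
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile VTI-PROFILE
 set transform-set TS-AES256
!
! Underlay: the physical egress toward the Internet
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.252
!
! Inside LAN
interface GigabitEthernet0/1
 ip address 10.1.0.1 255.255.0.0
!
! Loopback never goes down; it is the outer source address of every ESP packet,
! independent of which physical link the packet actually leaves on (answer 2)
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
! The tunnel's own address is the link address of the point-to-point link:
! routing protocols peer over it, exactly as they would over Frame Relay or GRE (answer 1)
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Loopback0
 tunnel destination 192.0.2.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
! Caveat for loopback sourcing: the peer's loopback must be reachable through
! the underlay, or IKE never starts. Here a host route does that.
ip route 192.0.2.2 255.255.255.255 198.51.100.2
!
! Whatever is routed into Tunnel0 gets encapsulated, unicast or multicast (answers 3 and 4):
! a static route for the remote LAN ...
ip route 10.2.0.0 255.255.0.0 Tunnel0
!
! ... or a routing protocol whose multicast hellos (224.0.0.10) are encapsulated
! the same way once the adjacency forms over the tunnel addresses
router eigrp 100
 network 10.255.0.0 0.0.0.3
 network 10.1.0.0 0.0.255.255
!
! ===== R2 (mirror image) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 192.0.2.1
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile VTI-PROFILE
 set transform-set TS-AES256
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.252
interface GigabitEthernet0/1
 ip address 10.2.0.1 255.255.0.0
interface Loopback0
 ip address 192.0.2.2 255.255.255.255
interface Tunnel0
 ip address 10.255.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Loopback0
 tunnel destination 192.0.2.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
ip route 192.0.2.1 255.255.255.255 203.0.113.2
ip route 10.1.0.0 255.255.0.0 Tunnel0
router eigrp 100
 network 10.255.0.0 0.0.0.3
 network 10.2.0.0 0.0.255.255
```

Two things to check after applying it: `show crypto ipsec sa` should show encaps/decaps counters climbing for the Tunnel0 SA while a ping from 10.1.0.1 to 10.2.0.1 runs, and `show ip eigrp neighbors` should list the peer's tunnel address (10.255.0.2 from R1), which is the adjacency the last reply in this thread refers to. Because the outer packets always carry 192.0.2.1 and 192.0.2.2 rather than the G0/0 addresses, a second underlay link on either router only needs a route to the far loopback for the tunnel to keep working.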

Thanks!

On the first subject I'm pretty new to networking so I have no idea what the IP address of a frame relay or GRE tunnel is used for either.

Other than that you've answered everything!

To start with routing (mcast, unicast) ... protocol adjacency establishment ... etc etc.

Like any other IP address it serves a purpose.