IPSEC tunnels for LAN-to-LAN interop issue
Hi,

An interop question for the folks out there that support LAN-to-LAN VPNs
with routing.

Network:

Head-end-------VPN tunnel 1------- remote site 1
        |
        -------VPN tunnel 2------- remote site 2
 
Assume these two VPN tunnels are carried (from the head-end) over the same
T1 connection to the Internet.
 
If I want to run RIP to both sites, these tunnels need to be treated as
genuine IP interfaces by the head-end device.
 
There are three models that can be used here (using the example of an
IP-in-IP tunnel):
 
1) IP tunnel device tunnels packets, IPSEC then applies transport-mode
protection to the IP-in-IP packets as they leave.
 
2) IPSEC tunnel is modeled as an interface, and just negotiates tunnel mode
and exposes the resulting tunnel as an interface. This is akin to marrying
an SDP policy with an Interface.
 
3) IP tunnel device tunnels packets, IPSEC then applies tunnel mode
protection.
 
 
Option 3) seems wasteful since in most cases two identical headers have been
added.
Option 1) is in the mould of L2TP tunnel protection and is a generalised way
to protect pre-tunneled data.
Option 2) is mean and lean.
 
 
What I want to know is what folk are doing - so I can interop.  At the
moment, we are opting for 1), could easily do 3) and would need to do a
little tinkering to get 2) going.
 
Cheers, Steve.
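As an added illustration (not part of Steve's post), the Python below lays out what each of the three models puts on the wire for a single LAN packet. It assumes IPv4 headers without options and ESP per RFC 4303 with a 16-byte IV and a 12-byte ICV; those sizes are my assumptions, not something the post specifies. It shows that models 1 and 2 produce the same byte layout (so they interoperate once IKE agrees on the encapsulation mode and selectors), while model 3 carries the duplicate outer header the post complains about.

```python
# Wire-format layout of one LAN packet under the three tunnelling models.
# Assumed sizes: IPv4 without options, ESP with AES-CBC IV (16) and a
# 96-bit ICV (12).  Change the constants for other algorithms.
IP_HDR = 20          # IPv4 header, no options
ESP_HDR = 8          # SPI + sequence number
ESP_IV = 16          # assumed cipher IV length
ESP_TRAILER = 2      # pad length + next header
ESP_ICV = 12         # assumed integrity check value length
ESP_BLOCK = 16       # encrypted part is padded to the cipher block size
PROTO_IPIP = 4       # next-header value for an encapsulated IPv4 packet


def esp_pad(protected_len):
    """Padding ESP adds so (data + trailer) is a block-size multiple."""
    return (-(protected_len + ESP_TRAILER)) % ESP_BLOCK


def esp_wrap(protected_len):
    """Bytes once ESP protects protected_len bytes (hdr, IV, data, pad, trailer, ICV)."""
    return (ESP_HDR + ESP_IV + protected_len + esp_pad(protected_len)
            + ESP_TRAILER + ESP_ICV)


def layout(model, payload_len):
    """Return (outermost-first header stack, total wire bytes)."""
    lan_pkt = IP_HDR + payload_len          # the packet as seen on the LAN
    trailer = "ESP trailer(next=%d)" % PROTO_IPIP
    if model == 1:
        # IP-in-IP device adds an outer header; transport-mode ESP then slots
        # in behind that header and protects the encapsulated LAN packet.
        stack = ["IP(tunnel ends)", "ESP", "IP(LAN)", "payload", trailer, "ICV"]
        return stack, IP_HDR + esp_wrap(lan_pkt)
    if model == 2:
        # Tunnel-mode ESP supplies the single outer header itself.
        stack = ["IP(tunnel ends)", "ESP", "IP(LAN)", "payload", trailer, "ICV"]
        return stack, IP_HDR + esp_wrap(lan_pkt)
    if model == 3:
        # IP-in-IP adds an outer header, then tunnel-mode ESP adds a second
        # one with the same endpoints: the redundancy noted in the post.
        stack = ["IP(tunnel ends)", "ESP", "IP(tunnel ends)", "IP(LAN)",
                 "payload", trailer, "ICV"]
        return stack, IP_HDR + esp_wrap(IP_HDR + lan_pkt)
    raise ValueError("unknown model %r" % model)


def overhead(model, payload_len):
    """Bytes added on the wire relative to the bare LAN packet."""
    return layout(model, payload_len)[1] - (IP_HDR + payload_len)


def same_on_wire(model_a, model_b, payload_len):
    """True when two models yield an identical header stack and size."""
    return layout(model_a, payload_len) == layout(model_b, payload_len)
```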