Topic: GETVPN transport mode
amit007
Specialist
posted May 03, 2011 05:59 AM
I saw somewhere in Yusuf Bhaiji's lab that the mode for the transform-set used for GETVPN is "mode transport".
It's always recommended to use tunnel mode for GETVPN. If we use the same transform-set in GETVPN and DMVPN, is there any problem?
Please suggest.
Thanks
Amit
Parvees
Specialist
posted May 03, 2011 07:28 AM
Even if you set the mode as transport for GETVPN, it will not work in transport mode. The IPsec proxy will still be shown as tunnel mode.
It is actually tunnel mode with address preservation. There is no concept of transport mode in GETVPN.
Moreover, transport mode is used when we have the same IP address in the inner and outer headers, normally in the case of a GRE tunnel with IPsec protection.
In GETVPN we don't have such scenarios.
With regards, Parvees M
amit007
Specialist
posted May 03, 2011 09:10 AM
I am actually running this scenario between three routers and it is working. Packets are encrypting and decrypting; everything is working with the GETVPN transform-set in transport mode.
Regards
Amit
Parvees
Specialist
posted May 03, 2011 09:17 AM
Amit,
It will work for sure, but if you look at show cry ipsec sa on the GMs, I am sure you will see it as "TUNNEL" mode, even if you configure it as transport mode on the KS.
with regards, Parvees
amit007
Specialist
posted May 03, 2011 09:18 AM
GM1........KS.............GM2
Traffic is encrypting between GM and GM, and it is showing as Transport.
Please advise whether it is wrong or right.
Parvees
Specialist
posted May 03, 2011 09:26 AM
Amit,
Can you paste the config and output?
My understanding on this is going to be wrong then.. it should never take it as transport mode :-)
It should be tunnel mode (actually the mode is tunnel with address preservation).
:-)
Please paste it.
with regards, Parvees
Parvees
Specialist
posted May 03, 2011 10:03 AM
Thanks Amit for raising this.
So what I understand is:
Transport mode should be used only for Group Encrypted Transport VPN GM to GM traffic and not for end-to-end host communication.
Now this part is clear, but why do we need this if no end-to-end communication is possible through GETVPN? The whole purpose of this VPN is going to be in vain then :-)
Am I right Amit?
With regards, Parvees
theevilmuffin
I need a life
posted May 04, 2011 07:37 AM
Hi Parvees / Amit
I quickly knocked up a GET network with the transform-set as transport, then used some sneaky tactics to check the contents of the encrypted packets. My findings are...
Transport mode removes the encrypted IP header in the ESP packet (just like transport mode does), so the packet is 20 bytes smaller than a tunnel-mode packet!
But... this is the crazy thing: I could still send traffic through a GM when running the crypto transform set as transport! This begs the question, why use tunnel mode with header preservation when we can use transport mode?
I'll do some more digging and get back to you.
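The point made in the two posts above (Parvees: GETVPN is tunnel mode with address preservation; theevilmuffin: transport mode drops the inner IP header and the packet comes out 20 bytes smaller) can be checked on a packet model. The Python below is an added example, not code from this thread or from Cisco. It builds the ESP packet a group member would emit in each mode, with the outer header copying the inner source and destination the way GETVPN header preservation does, and then reads the ESP next-header field to report which mode the SA is really in, the same distinction show crypto ipsec sa reports as TUNNEL or TRANSPORT. Assumptions, all mine: no encryption is performed (the ESP payload is left in the clear so the trailer can be inspected), padding is to 4-byte alignment as with AES-GCM (a CBC transform pads to 16 bytes, so the saving is 20 bytes rounded by padding), the ICV is 16 bytes, and the 10.1.1.10 to 10.2.2.20 TCP packet is constructed sample input.

```python
"""Model of a GETVPN ESP packet in tunnel mode (with header preservation)
versus transport mode.  Added example; encryption is NOT performed, the ESP
payload is left in the clear so the layout and trailer can be inspected."""
import struct

PROTO_ESP = 50
PROTO_IPIP = 4      # ESP next-header value meaning "an IPv4 packet follows"
PROTO_TCP = 6
IP_HDR_LEN = 20


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement checksum over a 20-byte IPv4 header (0 if valid)."""
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: bytes, dst: bytes, proto: int, total_len: int) -> bytes:
    """Minimal IPv4 header: no options, DF clear, TTL 64, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def esp_encapsulate(inner: bytes, spi: int, seq: int, mode: str,
                    align: int = 4, icv_len: int = 16) -> bytes:
    """Wrap an IPv4 packet in ESP the way a GETVPN group member would.

    mode="tunnel":    the whole inner packet is the ESP payload, next-header 4.
    mode="transport": the inner IP header is stripped; next-header is the
                      original transport protocol (the inner header is gone).
    In both cases the outer header copies the inner src/dst (GETVPN header
    preservation), which is why the core still routes on the original addresses.
    align=4 models a cipher that needs only 4-byte ESP alignment (AES-GCM);
    a CBC transform pads to 16, so the size difference between the modes is
    20 bytes rounded by padding.  The ICV is a zeroed placeholder (assumption).
    """
    src, dst = inner[12:16], inner[16:20]
    if mode == "tunnel":
        payload, next_hdr = inner, PROTO_IPIP
    elif mode == "transport":
        payload, next_hdr = inner[IP_HDR_LEN:], inner[9]
    else:
        raise ValueError(f"unknown mode {mode!r}")
    pad_len = (-(len(payload) + 2)) % align
    padding = bytes(range(1, pad_len + 1))            # RFC 4303 monotonic padding
    esp = (struct.pack("!II", spi, seq) + payload + padding
           + bytes([pad_len, next_hdr]) + bytes(icv_len))
    outer = ipv4_header(src, dst, PROTO_ESP, IP_HDR_LEN + len(esp))
    return outer + esp


def esp_mode(packet: bytes, icv_len: int = 16) -> str:
    """Read the (here unencrypted) ESP trailer and report the mode the SA is
    really using: next-header 4 means tunnel, anything else means transport.
    This is what the decrypting GM sees, regardless of what the KS was told."""
    if packet[9] != PROTO_ESP:
        raise ValueError("outer protocol is not ESP")
    next_hdr = packet[-icv_len - 1]
    return "tunnel" if next_hdr == PROTO_IPIP else "transport"


def inner_header_matches_outer(packet: bytes) -> bool:
    """True when an inner IPv4 header is present and its src/dst equal the
    outer header's (tunnel mode with header preservation).  In transport mode
    there is no inner header, so the bytes at that offset are payload."""
    inner = packet[IP_HDR_LEN + 8:]      # skip outer IP header and ESP SPI/seq
    return packet[12:20] == inner[12:20]


def build_sample() -> dict:
    """Constructed sample: 10.1.1.10 -> 10.2.2.20, TCP, 100 bytes of segment."""
    inner = ipv4_header(bytes([10, 1, 1, 10]), bytes([10, 2, 2, 20]), PROTO_TCP,
                        IP_HDR_LEN + 100) + bytes(100)
    tun = esp_encapsulate(inner, spi=0x1000, seq=1, mode="tunnel")
    trn = esp_encapsulate(inner, spi=0x1000, seq=1, mode="transport")
    return {"inner": inner, "tunnel": tun, "transport": trn,
            "saving": len(tun) - len(trn)}


if __name__ == "__main__":
    s = build_sample()
    for m in ("tunnel", "transport"):
        print(f"{m:9s} {len(s[m]):4d} bytes, trailer says {esp_mode(s[m])},"
              f" inner header preserved: {inner_header_matches_outer(s[m])}")
    print(f"transport mode saves {s['saving']} bytes on this packet")
```

On the constructed packet the tunnel-mode frame is 168 bytes and the transport-mode frame 148, the 20-byte difference theevilmuffin measured; in both cases the outer header still carries 10.1.1.10 and 10.2.2.20, but only in tunnel mode is that a copy of an inner header that survives decryption, which is what lets the KS's ACL match on LAN addresses behind the GMs.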
theevilmuffin
I need a life
posted May 04, 2011 07:47 AM
After doing some digging and speaking to Cisco:
IPsec also defines a transport mode for ESP that does not add a new IP header to the packet. Transport mode may be safely used in some IPsec applications, but fragmentation and reliability issues render it unsuitable for use with GET VPN.
Cisco have only endorsed tunnel mode. Transport mode (although possible) has not been endorsed for a couple of reasons:
1. Fragmentation issues with transport mode
2. Non-conformance to RFC guidelines
Parvees
Specialist
posted May 04, 2011 08:17 AM
GETVPN can work with transport mode, but it is restricted to GM to GM communication, not any LAN behind the GMs.
If you use the LAN behind the GM for the IPsec proxy (ACL in the KS), then it will only work in tunnel mode... Try giving the GM IPs and then create an IPsec transform set and set the mode as transport.
with regards, Parvees
theevilmuffin
I need a life
posted May 04, 2011 08:24 AM
quote: Originally posted by Parvees: GETVPN can work with transport mode, but it is restricted to GM to GM communication, not any LAN behind the GMs.
If you use the LAN behind the GM for the IPsec proxy (ACL in the KS), then it will only work in tunnel mode... Try giving the GM IPs and then create an IPsec transform set and set the mode as transport.
with regards, Parvees
Hi Parvees, I got it working for traffic going from behind one GM to behind another GM in transport mode. I'm running 15.1(2)T2 on 2900s.
I must admit, I didn't know that this was possible, but as I also said, Cisco have confirmed it is possible, but it's not supported.
Parvees
Specialist
posted May 04, 2011 08:26 AM
Maybe they introduced it in 15.
But when I tried in 12.4T it simply didn't work.
amit007
Specialist
posted May 04, 2011 08:32 AM
Hi,
It will work in 12.4(10).
Thanks
Amit
theevilmuffin
I need a life
posted May 04, 2011 08:33 AM
quote: Originally posted by Parvees: Maybe they introduced it in 15.
But when I tried in 12.4T it simply didn't work.
I've a vague memory of playing with it on 12.4.something, but it was a long time ago. I recall that when I called the IPsec profile in crypto gdoi, it cried about being in transport mode...
Parvees
Specialist
posted May 04, 2011 08:47 AM
Amit, do you mean to say the end-to-end tunnel in GETVPN, or GM to GM communication, works with transport mode?
amit007
Specialist
posted May 04, 2011 09:59 AM
GM to GM communication
Parvees
Specialist
posted May 04, 2011 10:40 AM
OK, that is possible.. even I agreed. But look at theevilmuffin's post: "Hi Parvees, I got it working for traffic going behind GM - behind GM in transport mode. I'm running 15.1(2)T2 on 2900s."
This is what I said won't work with 12.4T.... only GM to GM communication is available.
with regards, Parvees
theevilmuffin
I need a life
posted May 04, 2011 01:38 PM
quote: Originally posted by Parvees: This is what I said won't work with 12.4T.... only GM to GM communication is available.
with regards, Parvees
Parvees,
What version of 12.4T did you test? As I said, my contact in Cisco said it's possible, so it could be that some versions of 12.4T work and some don't...
cheers
Parvees
Specialist
posted May 04, 2011 07:17 PM
12.4(15)T