[vpn] RE: [FW-1] VPN with OSPF
Cardona, Alberto
alberto.cardona at cnacm.com
Thu Nov 1 13:59:27 EST 2001
Well here is some fun info I found on the internet discussing multicasts and
IKE
http://sunsite.dk/RFC/rfc/rfc2764.html (read section 3.1.4)
http://www.cc.gatech.edu/~judge/sec_mcast/ppframe.htm
http://www.tml.hut.fi/Opinnot/Tik-110.501/1995/multicast.html#intro
> -----Original Message-----
> From: Ekblad, Eric M
> Sent: Thursday, November 01, 2001 12:29 PM
> To: 'FW-1-MAILINGLIST at beethoven.us.checkpoint.com'
> Cc: Cardona, Alberto
> Subject: [FW-1] VPN with OSPF
>
> YES, YES.
>
> IPSec, by the IETF, will not carry multicasts and broadcasts.
>
> That is why routing protocols MUST be ENCAPSULATED in a GRE header BEFORE
> encapsulating again in ESP and encrypting. THE GRE header converts the
> multi/broad into a unicast. The overhead is not TOO bad (51-58 for ESP
> and 40? for the GRE header).
>
> The question is: can a Nokia appliance support GRE (virtual) interfaces?
> I do not know, myself. The Cisco handles this with an interface tunnel
> (this is a "virtual" interface inside of the same IPSec router).
>
> Cisco has this solution. It works. Disregard the IPX (IPX must also be
> GRE tunneled; IPSec = IP traffic ONLY!)
>
> http://www.cisco.com/warp/public/707/ipsec_gre.shtml
>
> DO NOT use 12.0 mid-range code. Also, TURN OFF route-caching (no ip
> route-cache). Many IOS defects are tied to this.
>
> Eric
>
>
> > Is anyone running site to site IPsec VPNs and using OSPF?
> > If so did you have to implement GRE?
> >
> >
> > Thanks
> >
> >
> AC
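
The encapsulation order described in the quoted reply, as an added example that is not part of the original thread: a constructed OSPF hello addressed to 224.0.0.5 is wrapped in a base RFC 2784 GRE header and a unicast outer IP header, and only the wrapped packet matches a host-to-host "GRE only" IPsec selector. The addresses, the hello field values and the selector_matches model are assumptions made for the illustration.

```python
import ipaddress
import struct

OSPF, GRE = 89, 47                               # IP protocol numbers
ALL_SPF_ROUTERS = "224.0.0.5"                    # OSPF hello destination (RFC 2328)
TUN_SRC, TUN_DST = "192.0.2.1", "198.51.100.1"   # constructed tunnel endpoints

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over an even-length header."""
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a 20-byte IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def ospf_hello(src: str) -> bytes:
    """Constructed OSPFv2 hello: 24-byte header + 20-byte body, OSPF checksum left 0."""
    rid = ipaddress.IPv4Address(src).packed
    header = struct.pack("!BBH4s4sHH8s", 2, 1, 44, rid, bytes(4), 0, 0, bytes(8))
    body = struct.pack("!4sHBBI4s4s", bytes([255, 255, 255, 0]), 10, 2, 1, 40,
                       bytes(4), bytes(4))
    return ipv4(src, ALL_SPF_ROUTERS, OSPF, header + body, ttl=1)

def gre_encap(inner: bytes) -> bytes:
    """Prepend a base GRE header (no flags, type 0x0800) and a unicast outer IP header."""
    return ipv4(TUN_SRC, TUN_DST, GRE, struct.pack("!HH", 0, 0x0800) + inner)

def selector_matches(pkt: bytes) -> bool:
    """Model (assumption) of a host-to-host, GRE-only IPsec traffic selector."""
    return (pkt[9] == GRE
            and pkt[12:16] == ipaddress.IPv4Address(TUN_SRC).packed
            and pkt[16:20] == ipaddress.IPv4Address(TUN_DST).packed)

def dst_is_multicast(pkt: bytes) -> bool:
    return ipaddress.IPv4Address(pkt[16:20]).is_multicast

def demo() -> dict:
    hello = ospf_hello("10.0.0.1")
    tunneled = gre_encap(hello)
    return {"raw_multicast": dst_is_multicast(hello), "raw_selected": selector_matches(hello),
            "gre_multicast": dst_is_multicast(tunneled), "gre_selected": selector_matches(tunneled),
            "added_bytes": len(tunneled) - len(hello), "inner_intact": tunneled[24:] == hello}

if __name__ == "__main__":
    print(demo())
```

The inner hello, multicast destination and TTL of 1 included, travels unchanged inside the GRE payload; ESP then protects the outer unicast packet.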