See Below...
-----Original Message-----
From: Adam Quiggle [mailto:[EMAIL PROTECTED]]
Sent: Friday, November 24, 2000 4:20 PM
To: Liwanag, Manolito; [EMAIL PROTECTED]
Subject: RE: GRE VS. IPSEc
Manolito,
At 01:44 PM 11/23/00, you wrote:
>Thanks for the detailed reply. BTW my first name is Manolito. No big
>deal. Take a look at my comments below when you have a minute....
>
>-----Original Message-----
>From: Adam Quiggle [mailto:[EMAIL PROTECTED]]
>Sent: Thursday, November 23, 2000 1:13 PM
>To: Liwanag, Manolito; 'Cisco Group Study'
>Subject: Re: GRE VS. IPSEc
>
>
>1) Are there just two sites that need to be connected together?
> (i.e. are there plans for a large scale deployment?)
>
> >> Right now, yes. This remote branch that I want to connect to corporate
>is using ISDN to get to corporate and the Net. Recent expansion has raised
>the number of ee to 40 and the bandwidth is now super saturated. I was
>planning on getting an ADSL connection to replace the ISDN. Basically I
>want that remote branch to access the internet locally - not to go through
>our PIX at the corporate site - but other network traffic to go through an
>IPSec tunnel to corporate.
What do you mean you have the number of ee to 40? What is ee?
Answer: Employees
It is easy to encrypt traffic destined for the corporate site and
let the other "Internet" traffic go directly to it, not through
the corporate site. Just make sure the access list used in your
crypto map only identifies traffic to the corporate office as
traffic to be encrypted. If you are talking about PCs that need
this functionality it is a little bit more difficult. Your VPN
client would have to support "split mode". I believe the Cisco
3000 VPN router (formerly Altiga) can support this type of behavior,
although I don't have the details as to how it works.
>2) Do you need encryption?
> >> Yes
>
>3) Do you need authentication?
>
> >> I think yes as well
>4) Do you need to protect against a replay attack?
>
> >> Yes
>5) Who are you protecting your data from?
>
> >> everyone that is not an employee
With regard to protecting your data, will you be transmitting
trade secrets? What would be the potential of having someone
intercept your messages? Don't use a shotgun to kill a mosquito.
>How about using IPSec with GRE in it? Any suggestions are very helpful
>for me as I am new in this field. I have set up an IPsec tunnel to our
>other PIX in Australia and I figured that I could do the same for a 1605-R
>router to the corporate PIX.
There is nothing wrong with using IPSec to encrypt a GRE tunnel,
it is perfectly acceptable. The question is, do you want to spend
the time learning IPSec (this is a good thing) or do you just want
to get it done? Realize that the skills required to implement CET
are not quite 1/2 the skills/knowledge you need to implement IPSec
(in your particular instance). Also realize that you can get bogged
down in the details once you realize the features that can be deployed
with IPSec.
AQ
p.s. Sorry about the name. I did get it right this time. :-)
No worries Mate :D
Thank you very much for the feedback. I am using this small project to
learn a bit more about IPsec and GRE.
**************************************************
Adam Quiggle
Senior Network Engineer
MCI Worldcom/BP Amoco
[EMAIL PROTECTED]
**************************************************
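
The crypto map access-list advice in the reply above, as an added example that is not part of the original thread: a small Python model of how a crypto access list selects traffic, used to check that only corporate-bound flows are encrypted and Internet flows stay out of the tunnel. The addressing (branch 10.2.0.0/24, corporate 10.1.0.0/16), the ACL number and the sample Internet hosts are constructed, and the parser handles only `permit|deny ip` entries with `any`, `host` or address/wildcard pairs.

```python
import ipaddress

def _parse_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, care_mask)."""
    head = tokens.pop(0)
    if head == "any":
        return 0, 0
    if head == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0xFFFFFFFF
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    return int(ipaddress.IPv4Address(head)), ~wildcard & 0xFFFFFFFF

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into ordered rules."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        ok = len(tokens) >= 6 and tokens[0] == "access-list" and tokens[3] == "ip"
        if not ok or tokens[2] not in ("permit", "deny"):
            raise ValueError(f"unsupported ACL line: {line!r}")
        rest = tokens[4:]
        rules.append((tokens[2], _parse_addr(rest), _parse_addr(rest)))
    return rules

def _match(addr, spec):
    base, care = spec
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def is_encrypted(rules, src, dst):
    """First match wins: permit = protect with IPsec, deny or no match = not tunneled."""
    for action, s, d in rules:
        if _match(src, s) and _match(dst, d):
            return action == "permit"
    return False

def leaks_internet(rules, branch_host, internet_samples):
    """Internet destinations the ACL would wrongly pull into the tunnel."""
    return [d for d in internet_samples if is_encrypted(rules, branch_host, d)]

# Constructed sample data: a scoped crypto ACL and an over-broad one.
GOOD_ACL = "access-list 110 permit ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.255.255"
BROAD_ACL = "access-list 110 permit ip 10.2.0.0 0.0.0.255 any"
INTERNET = ["198.51.100.7", "203.0.113.80"]

if __name__ == "__main__":
    for name, acl in (("scoped", GOOD_ACL), ("broad", BROAD_ACL)):
        print(name, leaks_internet(parse_acl(acl), "10.2.0.15", INTERNET))
```
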