RE: IPSec and GRE

From: Chuck Church (cchurch@xxxxxxxxxxxx)
Date: Sat Jun 16 2001 - 13:02:49 GMT-3


   
But if you're going to a client rather than another router, GRE wouldn't
have been an option anyway. But since I've done a lot of VPNs, maybe I can
help:

1. Early 12.0 releases of IPSec were buggy when it came down to the IPSec
and ISAKMP negotiation. Try using a later 12.0 or even 12.1. Avoid the T
versions.

2. Make sure that you use the correct client. There was a cutoff at
12.0.5. Up to 12.0.5, use the 1.0a client, over that use 1.1. See
http://www.cisco.com/cgi-bin/tablebuild.pl/vpnclient-crypto for info.

3. VPNs are processor and memory intensive. If your lower end routers are
low on memory (sh mem, sh buf) or the CPU is pegged, you're going to have
problems with ISAKMP.

Hope this helps,
Chuck

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
jhuston
Sent: Friday, June 15, 2001 12:40 PM
To: ccielab@groupstudy.com
Subject: RE: IPSec and GRE

It makes more sense to do it your way, but I've never had much luck with
smaller routers and Cisco's VPN secure client.

> -----Original Message-----
> From: Chuck Church [mailto:cchurch@MAGNACOM.com]
> Sent: Friday, June 15, 2001 11:29 AM
> To: Andrew G. Mason; ccielab@groupstudy.com
> Subject: RE: IPSec and GRE
>
>
> Andrew,
>
> If it's only IP and no routing protocols, it makes no sense to tunnel
> it in GRE. It's more overhead, more complexity, and like you said, not
> compatible with PIXs (or probably any other vendor's VPN product). I've
> always done IPSec tunnel mode for our customers, using all combinations of
> PIX, router, and the VPN concs.
>
> Chuck
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> Andrew G. Mason
> Sent: Friday, June 15, 2001 3:15 AM
> To: Chuck Church; ccielab@groupstudy.com
> Subject: RE: IPSec and GRE
>
>
> Hi Chuck,
>
> I was just thinking of true IPSec for IP and not considering routing or any
> other services.
>
> I work for a rather large ISP in the UK and I implement IPSec daily. It just
> seems that every third-party we want to set up a VPN with goes for a GRE
> tunnel. I think this is out of a failure to understand how IPSec works
> rather than for the benefits of the GRE tunnel. We provide the VPNs for
> back end access to hosted solutions, using static routes so I still cannot
> see the benefit of GRE in this situation.
>
> Also, it gets fun when third-parties try to configure a GRE tunnel to one of
> our PIXs :-)
>
>
> Andrew..
>
> -----Original Message-----
> From: Chuck Church [mailto:cchurch@MAGNACOM.com]
> Sent: 15 June 2001 00:25
> To: Andrew G. Mason; ccielab@groupstudy.com
> Subject: RE: IPSec and GRE
>
>
> If you want to tunnel a non-IP protocol, you need GRE. I think routing
> protocols need the simulated point-to-point functionality of a tunnel as
> well.
>
> Chuck
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> Andrew G. Mason
> Sent: Thursday, June 14, 2001 6:40 PM
> To: ccielab@groupstudy.com
> Subject: IPSec and GRE
>
>
> Hi,
>
> I see quite a few posts and recommendations to use GRE tunnels with IPSec.
> This confuses me because IPSec performs tunnelling in its default
> configuration anyway so I cannot see any reason for tunnelling through a
> tunnel?
>
> Can anybody give a good reason to use a GRE tunnel instead of the default
> IPSec tunnel mode configuration?
>
> Cheers
>
>
> Andrew G. Mason
> CCIE #7144
> **Please read:http://www.groupstudy.com/list/posting.html



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:31:24 GMT-3