Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FW-1] VPN with OSPF

To: [email protected]
Subject: [FW-1] VPN with OSPF
From: "Ekblad, Eric M" <[email protected]>
Date: Thu, 1 Nov 2001 11:28:40 -0600
Comments: cc: "Cardona, Alberto" <[email protected]>
Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
Sender: Mailing list for discussion of Firewall-1 <[email protected]>

YES, YES.

IPSec, by the IETF, will not carry multicasts and broadcasts.

That is why routing protocols MUST be ENCAPSULATED in a GRE header BEFORE
encapsulating again in ESP and encrypting.  THE GRE header converts the
multi/broad into a unicast.  The overhead is not TOO bad (51-58 for ESP and
40? for the GRE header).

The question is: can a Nokia appliance support GRE (virtual) interfaces?  I
do not know, myself.  The Cisco handles this with an interface tunnel (this
is a "virtual" interface inside of the same IPSec router).

Cisco has this solution.  It works.  Disregard the IPX (IPX must also be GRE
tunneled; IPSec = IP traffic ONLY!)

http://www.cisco.com/warp/public/707/ipsec_gre.shtml

DO NOT use 12.0 mid-range code.  Also, TURN OFF route-caching (no ip
route-cache).  Many IOS defects are tied to this.

Eric


> Is anyone running site to site IPsec VPNs and using OSPF?
> If so did you have to implement GRE?
>
>
> Thanks
>
>
AC

===============================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
===============================================

Prev by Date: Re: [FW-1] comparison between Pix and FW-1
Next by Date: Re: [FW-1] Automatic Saving of Log Files
Previous by thread: [FW-1] No answer from firewall
Next by thread: Re: [FW-1] VPN with OSPF
Index(es):
- Date
- Thread