IPSec GRE Tunnels VS Traditional Site to Site VPN's

13 years 1 month ago #36581 by JamieP
Hi guys,

I'm really interested to see what everyone's opinion on this is.

My company currently uses what I would call traditional site to site VPNs using crypto maps. The main site has a pair of ASAs in HA and remote sites use ISRs like 1801s.

I've recently been playing in my lab with GRE tunnels using IPSec protection (note this is config from my labs, so IPs and keys are just randomly selected).

[code:1]
! IKE phase 1 policy: AES-256, pre-shared key, DH group 2
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp key oaWDS0HSJS0 address 18.4.27.2
!
crypto ipsec transform-set esp-aes256-sha esp-aes 256 esp-sha-hmac
!
! IPsec profile applied to the tunnel interface instead of a crypto map
crypto ipsec profile IPSEC_TUNNEL
 set transform-set esp-aes256-sha
!
interface Tunnel13
 ip address 10.0.0.1 255.255.255.252
 tunnel source fa0/0
 tunnel destination 18.4.27.2
 ! Encrypt the GRE traffic between tunnel source and destination
 tunnel protection ipsec profile IPSEC_TUNNEL
[/code:1]

I've never really seen them in use before, but it seems pretty good to me, because you can put a routing protocol over it without any special modifications, plus you don't have the headache of "interesting traffic" ACLs.

The only drawback for me is that ASAs don't support GRE tunnels, but I am looking at redesigning our enterprise edge, so I'm now thinking would it be worth replacing the ASAs with some high spec routers to handle VPN traffic.

What's anyone's opinion on this?

Jamie Parks
Network Engineer, UK
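
The contrast described in the post above, written out side by side as an added example (not part of the original post): the same peer configured first with a crypto map and an "interesting traffic" ACL, then with the protected GRE tunnel carrying OSPF. The LAN prefixes, the ACL and crypto map names, the OSPF process and the MTU/MSS values are assumptions made for illustration; the peer address, transform set and profile names are reused from the post.

```cisco
! Options A and B are alternatives, not meant to be applied together.
! The "crypto isakmp" policy/key and the transform set from the post
! are common to both.
!
! --- Option A: traditional crypto map ---
! Every local/remote prefix pair must be listed as interesting
! traffic, and the ACL has to be mirrored on the peer.
ip access-list extended VPN_INTERESTING
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
crypto map SITE_VPN 10 ipsec-isakmp
 set peer 18.4.27.2
 set transform-set esp-aes256-sha
 match address VPN_INTERESTING
!
interface FastEthernet0/0
 crypto map SITE_VPN
!
! --- Option B: GRE tunnel with IPsec protection ---
! No crypto ACL: whatever is routed into Tunnel13 is GRE-encapsulated
! and then encrypted by the profile.
interface Tunnel13
 ip address 10.0.0.1 255.255.255.252
 ! Leave room for the GRE and ESP headers (assumed, commonly used values)
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel destination 18.4.27.2
 tunnel protection ipsec profile IPSEC_TUNNEL
!
! The tunnel is an ordinary routed interface, so OSPF forms an
! adjacency across it and advertises the LAN with no extra crypto config.
router ospf 1
 network 10.0.0.0 0.0.0.3 area 0
 network 192.168.1.0 0.0.0.255 area 0
```

With option B the routing table, not an ACL, decides what is encrypted, so the route to each remote prefix and the packet counters in `show crypto ipsec sa` are the things to verify after a change.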
11 years 11 months ago #37992 by Chris