On Mon, Sep 21, 2009 at 7:23 PM, Kingsley Charles < [email protected]> wrote:
> Hi Tyson
>
> I have just put my understanding. Am I missing something?
>
> With regards
> Kings
>
> On Mon, Sep 21, 2009 at 6:07 PM, Tyson Scott <[email protected]> wrote:
>
>> Kingsley,
>>
>> Is this a question or statement? Not sure.
>>
>> Dnyaneshwar,
>>
>> As VTI is a re-design of legacy VPN all the security features of the older
>> methodology are there but you just have new advantages. If you are familiar
>> with the two, to be honest there is no reason not to use the newer
>> methodology over the legacy in a production environment due to the
>> simplicity of VTIs.
>>
>> Regards,
>>
>> Tyson Scott - CCIE #13513 R&S and Security
>> Technical Instructor - IPexpert, Inc.
>>
>> Telephone: +1.810.326.1444
>> Cell: +1.248.504.7309
>> Fax: +1.810.454.0130
>> Mailto: [email protected]
>>
>> Join our free online support and peer group communities:
>> http://www.IPexpert.com/communities
>>
>> IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On
>> Demand and Audio Certification Training Tools for the Cisco CCIE R&S Lab,
>> CCIE Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and CCIE
>> Storage Lab Certifications.
>>
>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Kingsley Charles
>> *Sent:* Monday, September 21, 2009 2:46 AM
>> *To:* Dnyaneshwar Gore
>> *Cc:* [email protected]
>> *Subject:* Re: [OSL | CCIE_Security] IPSec Virtual Tunnel Interface queries
>>
>> Hi D.M.Gore
>>
>> It's like comparing Apples and Oranges. Both of them have their own
>> advantages and disadvantages. I do like to change the subject here - VTI vs
>> Physical Interface Based IPSec.
>>
>> Earlier, we just define a crypto map with interesting traffic, transform
>> set and the peer. This is a static IPSec.
>>
>> With VTI, there are two types - Static VTIs (SVTI) and Dynamic VTIs (DVTI).
>>
>> SVTI - You use Tunnel interface in "IPSec mode". All you have to do is
>> associate an IPSec profile. Any traffic routed through this interface is
>> encrypted. This is static and point to point. The tunnel interface is
>> sourced to a physical interface.
>>
>> SVTI is like site to site VPN, where the peers should be configured on
>> both sides.
>>
>> DVTI - You use virtual-template. This is dynamic. Virtual-access is
>> created when any traffic is routed through the interface. Usually,
>> virtual-template is to the features. For VTI based EzVPN, the VTI is
>> associated to the ISAKMP profile.
>>
>> DVTI is like dynamic crypto maps. One line is configured with peer
>> configuration. Each dynamic peer connecting to the server will have a
>> virtual-access created.
>>
>> Based on the requirement, we need to decide which to take.
>>
>> With regards
>> Kings
>>
>> On Mon, Sep 21, 2009 at 9:23 AM, Dnyaneshwar Gore <[email protected]> wrote:
>>
>> Hi,
>>
>> I could find the following advantages of IPsec VTI over native IPSec VPN:
>>
>> - VPN session is applied on the Tunnel interface and not on the physical
>> interface. This allows an "always-on" VPN tunnel through multiple physical
>> interfaces (multiple paths).
>> - IPSec VTI encrypts packets based on routing whereas native IPSec
>> VPN does it based on complex access-lists.
>> - IPSec VTI supports unicast and multicast traffic such as OSPF or RIP
>> packets. Hence dynamic routing adjacencies can be achieved using IPSec VTI.
>> This is not possible with Native IPSec VPN.
>> - Interface features like QoS, NAT, Netflow and other security related
>> features can be applied to the Virtual Tunnel interface.
>>
>> My queries are:
>>
>> - Are there any limitations of IPsec VTI compared to native IPSec VPN?
>> (One I could find is that traffic filtering cannot be done as encryption is
>> done on a routing basis..... is this correct?)
>> - Is IPSec VTI safe and strong enough, equal to native IPSec VPN?
>> (As per my understanding it is, as VTI uses transform sets and IKE proposals
>> the same as in native IPSec VPN)
>> - Will IPSec VTI work if an intermediate device is doing NAT?
>> - What ports are used for establishing IPsec VTI between two peers? (I
>> guess the same as native IPSec VPN)
>>
>> Can we say IPsec VTI is better than native IPSec VPN and we can use it
>> instead of native IPSec VPN?
>>
>> Regards,
>> D.M.Gore
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
