Thanks boss! U r the man 'tyson'

Regards,

Kamran Shakil
ITA NDC Operations Engineer
MidEast Data Systems LLC
Oman
Cell: + 968 95804126
Office: + 968 24576640
http://www.mynameise.com/kamranshakil77

-----Original Message-----
From: Tyson Scott [mailto:[email protected]]
Sent: Tue 12/14/2010 8:57 PM
To: 'Vybhav Ramachandran'; Kamran Shakil; 'OSL Security'
Subject: RE: [OSL | CCIE_Security] want confirmation plz.....dmvpn and getvpn...

DMVPN transport mode is advised to remove the creation of an extra IP header that just adds to the header with no benefit.

Are you sure about GetVPN and transport mode? My understanding is regardless of what you configure it will run tunnel mode. Here is a note from the GetVPN technote:

GET VPN uses ESP in tunnel mode <http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps7180/white_paper_c11-471053.html#wp9000029>, which protects the entire data packet, as well as the IP header received by the VPN gateway. Tunnel mode processing adds a new IP header to the packet after ESP encapsulation. GET VPN uses a method of tunnel mode called "tunnel mode with address preservation" that copies the original source and destination from the inner IP header to the outer IP header (as shown in Figure 5).

Note: IPsec also defines a transport mode for ESP that does not add a new IP header to the packet.
Transport mode may be safely used in some IPsec applications, but fragmentation and reliability issues render it unsuitable for use with GET VPN.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

From: [email protected] [mailto:[email protected]] On Behalf Of Vybhav Ramachandran
Sent: Tuesday, December 14, 2010 11:47 AM
To: Kamran Shakil; OSL Security
Subject: Re: [OSL | CCIE_Security] want confirmation plz.....dmvpn and getvpn...

Hello Kamran,

DMVPN can be configured using both Tunnel mode and Transport mode. However, using transport is advised because it supports NAT traversal.

GETVPN also supports both transport and tunnel modes. However, in Tunnel mode, GETVPN has a special feature called "IP header preservation" which basically copies the inner IP header to the outer IP header.

Cheers,
TacACK
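Added example, not part of the original thread: a byte-level sketch of the three ESP encapsulations named in the quoted technote (transport mode, tunnel mode, tunnel mode with address preservation), showing which addresses end up in the outer IP header and what the extra header costs. The function names, addresses, SPI and the cleartext ESP body are assumptions made for illustration; no encryption, IV or ICV is modelled.

```python
import ipaddress
import struct

ESP, UDP, IPIP = 50, 17, 4  # IP protocol numbers

def checksum(hdr):
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def ipv4(src, dst, proto, payload):
    """20-byte IPv4 header (no options) followed by payload."""
    def hdr(csum):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto,
                           csum, ipaddress.IPv4Address(src).packed,
                           ipaddress.IPv4Address(dst).packed)
    return hdr(checksum(hdr(0))) + payload

def esp(protected, next_hdr, spi=0x1000, seq=1):
    """ESP framing only (SPI, sequence, body, padding, pad length, next header).
    Assumption for readability: body left in clear, no IV or ICV."""
    pad = -(len(protected) + 2) % 4
    return (struct.pack("!II", spi, seq) + protected
            + bytes(range(1, pad + 1)) + bytes([pad, next_hdr]))

def addrs(pkt):
    """(source, destination) of the outermost IPv4 header."""
    return tuple(str(ipaddress.IPv4Address(pkt[i:i + 4])) for i in (12, 16))

def transport(pkt):
    """Transport mode: ESP goes after the original IP header, no new header."""
    src, dst = addrs(pkt)
    return ipv4(src, dst, ESP, esp(pkt[20:], pkt[9]))

def tunnel(pkt, gw_src, gw_dst):
    """Tunnel mode: whole packet protected, new outer header with gateway addresses."""
    return ipv4(gw_src, gw_dst, ESP, esp(pkt, IPIP))

def tunnel_preserved(pkt):
    """Tunnel mode with address preservation: outer src/dst copied from inner header."""
    return tunnel(pkt, *addrs(pkt))

# Constructed sample: host-to-host UDP packet and two documentation-range gateways.
INNER = ipv4("10.1.1.10", "10.2.2.20", UDP, bytes(12))
GW = ("192.0.2.1", "198.51.100.1")

if __name__ == "__main__":
    for name, out in (("transport", transport(INNER)), ("tunnel", tunnel(INNER, *GW)),
                      ("tunnel+preservation", tunnel_preserved(INNER))):
        print(f"{name:20} outer={addrs(out)} bytes={len(out)}")
```

Both tunnel variants come out exactly one 20-byte IPv4 header larger than transport mode; they differ only in whether the outer addresses are the gateways' or a copy of the inner packet's.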
