Hi Piotr, I am pulling out an old topic.
When we use IPsec profiles with tunnel mode, the outer IP header and GRE's IP header will always be the same. So both tunnel mode and transport mode for DMVPN should always be NAT-T aware. Please let me know your thoughts.

Snippet of your statement from this mail thread:

Starting from 12.4(6)T building spoke-to-spoke dynamic tunnels is supported to/from NAT translated spokes. Hub reports spoke's outside NAT IP address back to spoke in NHRP Registration Reply message. It simply compares Main Part (M) "src NBMA" field in the NHRP Registration Request with GRE Source IP address from the GRE IP header. Note that the GRE IP header is ONLY available to NHRP if we are doing IPsec in transport mode (in tunnel mode the GRE IP header is encapsulated in ESP and a new IPsec IP header is created). That's why transport mode is preferred. After that, spokes use remote spoke's outside NAT IP address to build spoke-to-spoke tunnel.

With regards,
Kinhs

---------- Forwarded message ----------
From: Piotr Matusiak <[email protected]>
Date: Tue, Jun 1, 2010 at 2:49 PM
Subject: Re: [OSL | CCIE_Security] DMVPN Transport mode doubt
To: Vybhav Ramachandran <[email protected]>
Cc: Kingsley Charles <[email protected]>, OSL Security <[email protected]>

Gents,

See it this way: Spoke wants to Register to the Hub. Spoke has no idea if there is a NAT in between. So, NHRP Registration Request is going to the Hub (after IPsec tunnel set up) and the Hub sees the NAT when receiving the packet. It must compare spoke's NBMA IP address with GRE IP Header and if they differ, it knows there is a NAT in between. Hence, Hub sends back to spoke NHRP Registration Reply with post-NAT IP address. Remember that NHRP works after IPsec tunnel set up so that it must be able to see GRE IP Header to understand what's the pre-NAT IP address of the spoke.
What about PAT - the simple answer for that is: NHRP does not understand ports, so two spokes behind the same NAT/PAT device cannot be translated to the same IP address.

Regards,
Piotr

2010/6/1 Vybhav Ramachandran <[email protected]>
> Hello Kings,
>
> Yes, I agree that the source and destination IPs of encrypted packets,
> irrespective of tunnel/transport mode, will be the same.
>
> With tunnel mode, the packet will look like
>
> IP header of ESP + ESP + IP header of GRE + GRE + IP header of Payload + Payload
>
> With transport mode, the packet will look like
>
> IP header of GRE + ESP + GRE + IP header of Payload + Payload
>
> I'm sorry if I'm not making much sense, I'm a little confused. I think I'll
> understand if I get the packet formats correct :)
>
> Cheers,
> TacACK
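The reasoning in this thread (a NAT device only rewrites the outermost IP header, so NHRP on the hub can only spot the translation when the GRE IP header is that outer header, i.e. transport mode) can be checked with a small model. The script below is an added illustration written for this page, not code from the thread or from any Cisco implementation; the addresses (10.0.0.x for pre-NAT spokes, 198.51.100.7 for the NAT's public side, 203.0.113.1 for the hub) are constructed, and the layer and function names are this model's own. It builds the two packet layouts quoted by Vybhav, applies a source NAT to the outer header only, and runs the hub-side comparison Piotr describes. A second helper registers two spokes behind the same NAT to show why the hub cannot tell them apart once ports are involved.

```python
"""Toy model of DMVPN NAT detection by NHRP (added illustration, not thread code).

Layouts modelled, as quoted in the thread:
  tunnel mode:    IP(esp) | ESP | IP(gre) | GRE | NHRP
  transport mode: IP(gre) | ESP | GRE | NHRP

The hub compares the NHRP Registration Request's "src NBMA" field with the
source address of the GRE IP header it sees after ESP decryption.
All addresses below are constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SPOKE_PRIVATE = "10.0.0.5"      # spoke's real (pre-NAT) address, what it puts in src NBMA
SPOKE_PUBLIC = "198.51.100.7"   # address the NAT device translates it to
HUB = "203.0.113.1"


@dataclass
class Layer:
    name: str
    src: Optional[str] = None
    dst: Optional[str] = None


@dataclass
class NhrpRegistration:
    src_nbma: str                # spoke's own view of its NBMA address (pre-NAT)
    name: str = "NHRP"


def build_packet(mode: str, spoke_ip: str, hub_ip: str, nhrp: NhrpRegistration) -> List:
    """Return the layer stack for an NHRP Registration Request in the given IPsec mode."""
    gre_ip = Layer("IP(gre)", spoke_ip, hub_ip)
    gre = Layer("GRE")
    if mode == "tunnel":
        # Tunnel mode: ESP adds a new outer IP header; the GRE IP header is encrypted inside.
        return [Layer("IP(esp)", spoke_ip, hub_ip), Layer("ESP"), gre_ip, gre, nhrp]
    if mode == "transport":
        # Transport mode: the GRE IP header stays outermost; ESP protects GRE and its payload.
        return [gre_ip, Layer("ESP"), gre, nhrp]
    raise ValueError(f"unknown mode {mode!r}")


def apply_nat(packet: List, private_ip: str, public_ip: str) -> List:
    """Source NAT rewrites only the outermost IP header; encrypted inner layers are untouched."""
    outer = packet[0]
    if outer.src == private_ip:
        outer.src = public_ip
    return packet


def hub_nhrp_check(packet: List) -> Tuple[bool, str]:
    """Hub side, after ESP decryption: compare src NBMA with the GRE IP header source.
    Returns (nat_detected, address the hub would report in the Registration Reply)."""
    gre_ip = next(layer for layer in packet if layer.name == "IP(gre)")
    nhrp = packet[-1]
    return gre_ip.src != nhrp.src_nbma, gre_ip.src


def simulate(mode: str, private_ip: str = SPOKE_PRIVATE, public_ip: str = SPOKE_PUBLIC) -> Tuple[bool, str]:
    """One spoke behind a NAT registers with the hub in the given mode."""
    pkt = build_packet(mode, private_ip, HUB, NhrpRegistration(private_ip))
    apply_nat(pkt, private_ip, public_ip)
    return hub_nhrp_check(pkt)


def register_spokes(mode: str, spokes: List[str], nat_public: str) -> dict:
    """Several spokes behind the same NAT/PAT device register; return the NBMA address
    the hub would hand out for each one (NHRP carries no port, only an address)."""
    reported = {}
    for private_ip in spokes:
        pkt = build_packet(mode, private_ip, HUB, NhrpRegistration(private_ip))
        apply_nat(pkt, private_ip, nat_public)
        _, nbma = hub_nhrp_check(pkt)
        reported[private_ip] = nbma
    return reported


if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        detected, nbma = simulate(mode)
        print(f"{mode:9s}: NAT detected={detected}, hub reports NBMA {nbma}")
    # Two spokes behind one PAT device collapse to a single NBMA address at the hub.
    print(register_spokes("transport", ["10.0.0.5", "10.0.0.6"], SPOKE_PUBLIC))
```

Running it shows transport mode reporting the post-NAT address 198.51.100.7 while tunnel mode reports 10.0.0.5 with no NAT detected, because the only header the NAT rewrote was the ESP outer header that NHRP never looks at. The last line prints both spokes mapped to 198.51.100.7, which is the PAT limitation Piotr mentions: without ports in NHRP, the hub has one address for two different spokes.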
