I agree except on terminology. As Piotr mentioned, the term VTI means you
are running tunnel mode ipv4 ipsec. The minute you stop doing that,
technically you no longer have a VTI.

Simply changing the mode to tunnel mode gre ip makes it technically GRE
over IPSEC and not a VTI. Changing it to tunnel mode ipip also means it is
no longer a VTI, even though it may look like one. An ipip tunnel with
ipsec protection in transport mode essentially looks the same as a VTI
(tunnel mode ipsec ipv4), which is always only in tunnel mode.

On 2/18/12, Kingsley Charles <kingsley.char...@gmail.com> wrote:
> VTI with IPSec mode itself already puts the data in IP and thus it
> supports multicast traffic.
>
> VTI with GRE uses GRE to encapsulate the data.
>
> Now, VTI with mode IPIP should do something very similar to VTI with
> IPSec mode.
>
> Use AH and Wireshark to see how the actual payload is framed. Using
> ESP will encrypt the packet.
>
>
> With regards
> Kings
>
> On Sat, Feb 18, 2012 at 11:52 AM, Joe Astorino
> <joeastorino1...@gmail.com> wrote:
>> I think I have an understanding of this now. Please correct me if I am
>> wrong.
>>
>> - VTI must be implemented using IPSEC tunnel mode per the
>> documentation. Therefore, if you are implementing VTI your header
>> stack looks like this:
>>
>>   [IP_OUTSIDE][IPSEC][IP_INSIDE][L4 Header][DATA]
>>
>> - IPIP can be implemented with IPSEC in either transport or tunnel
>> mode. In transport mode we have the following, which is seemingly
>> identical to VTI. The only difference is that the VTI technically is
>> using tunnel mode:
>>
>>   [IP_OUTSIDE][IPSEC][IP_INSIDE][L4 Header][DATA]
>>
>> - IPIP with IPSEC tunnel mode would look like this -- notice the
>> additional IP header:
>>
>>   [IP_OUTSIDE][IPSEC][IP_OUTSIDE][IP_INSIDE][L4 Header][DATA]
>>
>> On Sat, Feb 18, 2012 at 12:42 AM, Joe Astorino
>> <joeastorino1...@gmail.com> wrote:
>>> I love when I come up with answers to my own questions... best way to
>>> learn! So I did learn tonight that VTI must be implemented using
>>> IPSEC tunnel mode... so with that in mind it would be impossible to
>>> have a VTI using transport mode like I had stated before in my
>>> question.
>>>
>>> Still, I am curious about IPIP with IPSEC vs VTI if anybody has some
>>> input!
>>>
>>> On Sat, Feb 18, 2012 at 12:32 AM, Joe Astorino
>>> <joeastorino1...@gmail.com> wrote:
>>>> After realizing earlier today that I needed some refreshing on
>>>> various IPSEC tunneling terms, I came up with this interesting
>>>> question I was hoping to get an answer for. I guess it is really 2
>>>> questions:
>>>>
>>>> 1) Can we use ipip tunnels (tunnel mode ipip) with IPSEC? Is it just
>>>> a matter of setting the mode to ipip and then setting tunnel
>>>> protection? Basically, this would be the same as configuring GRE
>>>> over IPSEC on a tunnel interface except with IPIP instead of gre ip
>>>> on the tunnel. I suppose you would save 4 bytes of overhead.
>>>>
>>>> 2) What would be the difference, if any, between IPIP over IPSEC
>>>> transport mode and a VTI? The way I am looking at it, the stack
>>>> looks the same:
>>>>
>>>>   [L2 header][Outside IP header][ESP/AH][Inside IP header][transport
>>>>   layer headers][data]
>>>>
>>>> In other words, is there any difference between the two
>>>> configurations? Assume the phase 1 and phase 2 stuff is already
>>>> configured and that we have specified IPSEC transport mode as
>>>> opposed to tunnel mode.
>>>>
>>>> Configuration 1, IPIP over IPSEC
>>>> ------------------------------------------------
>>>>
>>>> interface Tunnel0
>>>>  ip address 10.1.1.1 255.255.255.252
>>>>  tunnel source Serial0
>>>>  tunnel destination 192.168.2.1
>>>>  tunnel mode ipip
>>>>  tunnel protection ipsec profile IPIP
>>>>
>>>> Configuration 2, VTI
>>>> ------------------------------------------------
>>>>
>>>> interface Tunnel0
>>>>  ip address 10.1.1.1 255.255.255.252
>>>>  tunnel source Serial0
>>>>  tunnel destination 192.168.2.1
>>>>  tunnel mode ipv4 ipsec
>>>>  tunnel protection ipsec profile VTI
>>>>
>>>>
>>>> --
>>>> Regards,
>>>>
>>>> Joe Astorino
>>>> CCIE #24347
>>>> http://astorinonetworks.com
>>>>
>>>> "He not busy being born is busy dying" - Dylan
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training,
>> please visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out
>> www.PlatinumPlacement.com
>

--
Sent from my mobile device

Regards,
Joe Astorino
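As an added example (not code from the thread, from Cisco, or from any of the posters): a small Python dissector that walks the header chain of AH-protected packets, so the VTI, GRE-over-IPSEC and IPIP-over-IPSEC stacks discussed above can be compared byte for byte rather than by reading documentation. It follows Kingsley's suggestion of using AH instead of ESP: with ESP the walk stops at the ESP header because the inner headers are encrypted. The sample packets are constructed inline and are not captures: the outer and inner addresses are taken from the configs in the thread, the AH SPI/sequence/ICV and the IP checksums are placeholder zeros or constants, and the payload is a bare TCP SYN.

```python
"""
Walk an IPv4 packet's encapsulation chain and name each header.

Added example: a minimal dissector for checking how VTI (tunnel mode
ipsec ipv4), GRE over IPsec and IPIP over IPsec actually frame the
packet when AH is used. All packets below are constructed, not captured.
"""
import struct

IPPROTO_IPIP = 4      # IPv4 in IPv4; also "an IPv4 header follows"
IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_GRE = 47
IPPROTO_ESP = 50
IPPROTO_AH = 51
ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {IPPROTO_TCP: "TCP", IPPROTO_UDP: "UDP"}


def build_ipv4(proto, payload, src, dst):
    """Minimal 20-byte IPv4 header (no options, checksum left zero) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, src, dst)
    return hdr + payload


def build_ah(next_proto, spi=0x1000, seq=1, icv=b"\x00" * 12):
    """AH (RFC 4302): next header, payload len in 32-bit words minus 2,
    reserved, SPI, sequence, ICV. SPI/seq/ICV are placeholders here."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_proto, payload_len, 0, spi, seq) + icv


def build_gre(proto=ETHERTYPE_IPV4, key=None):
    """GRE (RFC 2784, with the RFC 2890 key field when requested)."""
    flags = 0x2000 if key is not None else 0  # K bit
    hdr = struct.pack("!HH", flags, proto)
    if key is not None:
        hdr += struct.pack("!I", key)
    return hdr


def dissect(pkt):
    """Return header names from the outer IPv4 header inward,
    e.g. ['IP', 'AH', 'IP', 'TCP']. ESP ends the walk: without the SA
    key nothing past the ESP header is readable."""
    layers = []
    off = 0
    proto = IPPROTO_IPIP  # the buffer starts with an IPv4 header
    while off < len(pkt):
        if proto == IPPROTO_IPIP:
            if pkt[off] >> 4 != 4:
                raise ValueError(f"not an IPv4 header at offset {off}")
            ihl = (pkt[off] & 0x0F) * 4
            proto = pkt[off + 9]
            layers.append("IP")
            off += ihl
        elif proto == IPPROTO_AH:
            layers.append("AH")
            ah_len = (pkt[off + 1] + 2) * 4
            proto = pkt[off]
            off += ah_len
        elif proto == IPPROTO_ESP:
            layers.extend(["ESP", "<encrypted>"])
            break
        elif proto == IPPROTO_GRE:
            flags, ethertype = struct.unpack("!HH", pkt[off:off + 4])
            hdr_len = 4
            for bit in (0x8000, 0x2000, 0x1000):  # C, K, S bits: 4 bytes each
                if flags & bit:
                    hdr_len += 4
            layers.append("GRE")
            off += hdr_len
            if ethertype != ETHERTYPE_IPV4:
                layers.append(f"ethertype 0x{ethertype:04x}")
                break
            proto = IPPROTO_IPIP
        else:
            layers.append(PROTO_NAMES.get(proto, f"proto {proto}"))
            break
    return layers


def classify(pkt):
    """Map a header stack to the tunnel arrangement it corresponds to."""
    stack = dissect(pkt)
    if stack[:2] != ["IP", "AH"]:
        return "not AH-protected (inner headers not visible)", stack
    inner = stack[2:]
    if inner[:2] == ["IP", "IP"]:
        return "IPIP over IPsec, tunnel mode", stack
    if inner[:2] == ["IP", "GRE"]:
        return "GRE over IPsec, tunnel mode", stack
    if inner[:1] == ["GRE"]:
        return "GRE over IPsec, transport mode", stack
    if inner[:1] == ["IP"]:
        return "VTI or IPIP over IPsec transport mode (same stack on the wire)", stack
    return "unknown", stack


# Constructed sample traffic: addresses borrowed from the thread's configs.
OUT_SRC, OUT_DST = bytes([192, 168, 1, 1]), bytes([192, 168, 2, 1])
IN_SRC, IN_DST = bytes([10, 1, 1, 1]), bytes([10, 1, 1, 2])
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x02, 8192, 0, 0)
INNER = build_ipv4(IPPROTO_TCP, TCP_SYN, IN_SRC, IN_DST)

SAMPLES = {
    "vti": build_ipv4(IPPROTO_AH, build_ah(IPPROTO_IPIP) + INNER, OUT_SRC, OUT_DST),
    "ipip_transport": build_ipv4(IPPROTO_AH, build_ah(IPPROTO_IPIP) + INNER, OUT_SRC, OUT_DST),
    "gre_transport": build_ipv4(IPPROTO_AH, build_ah(IPPROTO_GRE) + build_gre() + INNER, OUT_SRC, OUT_DST),
    "ipip_tunnel": build_ipv4(IPPROTO_AH, build_ah(IPPROTO_IPIP)
                              + build_ipv4(IPPROTO_IPIP, INNER, OUT_SRC, OUT_DST), OUT_SRC, OUT_DST),
    "gre_tunnel": build_ipv4(IPPROTO_AH, build_ah(IPPROTO_IPIP)
                             + build_ipv4(IPPROTO_GRE, build_gre() + INNER, OUT_SRC, OUT_DST), OUT_SRC, OUT_DST),
    "esp": build_ipv4(IPPROTO_ESP, struct.pack("!II", 0x2000, 1) + b"\xaa" * 40, OUT_SRC, OUT_DST),
}


def encap_overhead(pkt):
    """Bytes added in front of the inner IP packet by tunnel plus IPsec headers."""
    return len(pkt) - len(INNER)


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        label, stack = classify(pkt)
        print(f"{name:15} {'/'.join(stack):28} +{encap_overhead(pkt):3d} bytes  {label}")
```

Running it shows the point the thread converges on: the `vti` and `ipip_transport` samples are byte-identical, the GRE variant costs exactly 4 bytes more than IPIP, and IPIP with tunnel-mode IPsec carries a second outer IP header (20 bytes more). The `esp` sample demonstrates why AH is the better choice for this kind of inspection: the dissector, like Wireshark without the keys, cannot see past the ESP header.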