Hello Joe,

Back on the SNRS version, yes, there is a new IP header inserted on the packet, but it is exactly the same as the first one. So it would be like this:

[Original IP_Header] [ESP Header] [Original IP_Header] [Payload]

Based on the documents that I have, it was done this way in order to mitigate routing overlay and to preserve QoS and Multicast capabilities.

Check the following doc:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6525/ps9370/ps7180/GETVPN_DIG_version_1_0_External.pdf

And look for: 1.2.2 Tunnel Header Preservation

Mike

> Date: Sun, 18 Mar 2012 18:01:25 -0400
> From: [email protected]
> To: [email protected]
> Subject: [OSL | CCIE_Security] GET VPN IPSEC Mode
>
> So, I'm a bit confused -- Just started reading about GET VPN and in
> Yusuf's book "Network Security Technologies & Solutions" there is a
> diagram that shows an IP packet after GET VPN encapsulation and it is
> basically IPSEC transport mode as follows
>
> [IP Header] [ESP] [DATA]
>
> Then today I am reading the 12.4T configuration guide for GETVPN and
> it contradicts this saying that it is actually TUNNEL mode but the
> outer and inner IP headers are identical. See
> http://www.cisco.com/en/US/i/100001-200000/170001-180000/170001-171000/170836.jpg
> So they are saying it looks like this
>
> [IP Header2] [ESP] [IP Header 1] [ DATA] where both IP headers are
> identical copies. Which is it? It seems from further research that
> the DOC CD is correct, but I want to make sure. Further, if that IS
> the case why in the world would they use a second IP header that is
> identical in tunnel mode instead of just using IPSEC transport mode as
> described in the book?
>
> Thanks everybody!
>
> --
> Regards,
>
> Joe Astorino
> CCIE #24347
> http://astorinonetworks.com
>
> "He not busy being born is busy dying" - Dylan
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
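The three packet layouts compared in this thread, as an added example (not code from the thread or from Cisco documentation). It builds transport mode, conventional tunnel mode and tunnel mode with header preservation side by side, so the outer-header fields can be compared: the preserved outer header carries the inner source, destination and ToS, while its protocol and length fields describe the ESP packet. Assumptions: all addresses are constructed samples, and `esp()` is a layout placeholder with no encryption, padding or ICV.

```python
import ipaddress
import struct

ESP, UDP = 50, 17          # IP protocol numbers
FMT = "!BBHHHBBH4s4s"      # 20-byte IPv4 header without options

def checksum(hdr: bytes) -> int:
    """RFC 1071 ones'-complement sum over the header."""
    s = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def ipv4(src, dst, proto, payload_len, tos=0, ttl=64):
    def pack(csum):
        return struct.pack(FMT, 0x45, tos, 20 + payload_len, 0, 0, ttl, proto, csum,
                           ipaddress.IPv4Address(src).packed,
                           ipaddress.IPv4Address(dst).packed)
    return pack(checksum(pack(0)))

def fields(pkt: bytes) -> dict:
    _, tos, length, _, _, _, proto, _, src, dst = struct.unpack(FMT, pkt[:20])
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "tos": tos, "proto": proto, "len": length}

def esp(body: bytes, spi=0x1000, seq=1) -> bytes:
    # Stand-in for ESP: SPI + sequence number + opaque body (assumed SPI value).
    return struct.pack("!II", spi, seq) + body

def transport(pkt):
    # [IP Header] [ESP] [DATA]: the original header is reused, only the data is wrapped.
    f = fields(pkt)
    return ipv4(f["src"], f["dst"], ESP, len(pkt) - 20 + 8, f["tos"]) + esp(pkt[20:])

def tunnel(pkt, gw_src, gw_dst):
    # Conventional tunnel mode: outer addresses are the two gateways.
    return ipv4(gw_src, gw_dst, ESP, len(pkt) + 8, fields(pkt)["tos"]) + esp(pkt)

def tunnel_preserved(pkt):
    # Header preservation: outer addresses are copied from the inner header.
    f = fields(pkt)
    return ipv4(f["src"], f["dst"], ESP, len(pkt) + 8, f["tos"]) + esp(pkt)

# Constructed sample: 10.1.1.10 -> 10.2.2.20, DSCP EF (ToS 0xB8), 12 payload bytes.
ORIG = ipv4("10.1.1.10", "10.2.2.20", UDP, 12, tos=0xB8) + bytes(12)

if __name__ == "__main__":
    for name, p in [("original", ORIG), ("transport", transport(ORIG)),
                    ("tunnel", tunnel(ORIG, "192.0.2.1", "198.51.100.1")),
                    ("preserved", tunnel_preserved(ORIG))]:
        print(f"{name:10} {fields(p)}")
```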
