ROUTE Notes – Branch Office Routing

Corrigeme, por favor.

Study Notes

  • What do IPSec tunnels give you when a branch office is on a broadband connection?

Privacy through encryption
Authentication of the remote peer through ISAKMP
Delivery of private data over the public Internet

  • What do you need to configure to get your branch router talking to the Internet?

ISP connection configuration such as PPPoE or PPPoA
DHCP server configuration for internal users
Firewall services like inspection and filtering

  • What kind of routes would you normally see on a small branch router with a single IPSec tunnel home?

You would usually just see a default route to the ISP; IPSec will intercept interesting traffic and take care of sending the packets home without having routes for home networks configured.

  • What’s a really easy way to get routes to fail from a WAN link to a GRE tunnel when the WAN link dies?

Floating static routes

  • What do GRE tunnels allow you to do that native IPSec tunnels don’t?

Run a routing protocol

  • Your DSL provider has given you a VPI/VCI of 1/50 to use on your branch router’s ATM 0/0 interface.  Show me the full configuration to get basic web surfing working (ignore DNS and DHCP).

interface ATM0/0
no ip address
pvc 1/50
encapsulation aal5mus ppp dialer
dialer pool-member 1
interface Dialer9
encapsulation ppp
ip address negotiated
dialer pool 1
ppp authentication chap callin
ppp chap password MYPASSWORD
ip nat outside
interface E0/0
ip add
ip nat inside
ip route Dialer9

  • For what would you use an ACL when configuring IPSec tunnels?

You define interesting traffic with ACLs.

  • What are the two basic configuration items in a crypto map for an IPSec tunnel?

Matching ACL
IPSec peer IP

Aaron Conaway

I shake my head around sometimes and see what falls out. That's what lands on these pages. If you have any questions, the best way to contact me is through Twitter at @aconaway.

More Posts

Follow Me:

2 comments for “ROUTE Notes – Branch Office Routing

  1. July 5, 2010 at 11:38 am

    #1: ISAKMP gives you authentication of remote peer, not of data. AH provides data authentication.

    #2: default route to the ISP and IPSec tunnel? #Fail … unless your definition of “IPSec tunnel” includes crypto maps.

    #3: you can run a routing protocol across an IPSec tunnel – just use VTI (read the IP Corner articles on IPSec, they offer a good generic coverage).

  2. July 5, 2010 at 3:06 pm

    Thanks as always, Ivan. Corrections made. My thought on the default route included configuring an old-school VPN tunnel with crypto maps configured on the outside interface; that means one default route to the ISP should do the trick. Believe it or not, though, the book actually mentions VTIs, but it’s only in passing as an alternative way to pass routing updates over the tunnel (along with DMVPN and GET VPN).

Leave a Reply

Your email address will not be published. Required fields are marked *