ROUTE Notes – Branch Office Routing
Correct me, please.
- What do IPSec tunnels give you when a branch office is on a broadband connection?
Privacy through encryption
Authentication of the remote peer through ISAKMP
Delivery of private data over the public Internet
- What do you need to configure to get your branch router talking to the Internet?
ISP connection configuration such as PPPoE or PPPoA
DHCP server configuration for internal users
Firewall services like inspection and filtering
- What kind of routes would you normally see on a small branch router with a single IPSec tunnel home?
You would usually just see a default route to the ISP; IPSec will intercept interesting traffic and take care of sending the packets home without having routes for home networks configured.
- What’s a really easy way to get routes to fail over from a WAN link to a GRE tunnel when the WAN link dies?
Floating static routes
- What do GRE tunnels allow you to do that native IPSec tunnels don’t?
Run a routing protocol
- Your DSL provider has given you a VPI/VCI of 1/50 to use on your branch router’s ATM 0/0 interface. Show me the full configuration to get basic web surfing working (ignore DNS and DHCP).
interface ATM0/0
 no ip address
 pvc 1/50
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface Dialer9
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 ppp authentication chap callin
 ppp chap password MYPASSWORD
 ip nat outside
!
! LAN interface name assumed
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 Dialer9
ip nat inside source list 1 interface Dialer9 overload
access-list 1 permit 192.168.1.0 0.0.0.255
- For what would you use an ACL when configuring IPSec tunnels?
You define interesting traffic with ACLs.
- What are the two basic configuration items in a crypto map for an IPSec tunnel?
IPSec peer IP
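As an added example (not part of the original notes), here is a legacy crypto-map configuration that ties the points above together: ISAKMP authenticates the remote peer, the ACL defines interesting traffic, the crypto map on Dialer9 intercepts it, and the branch still needs only its default route. The peer address 203.0.113.1, the HQ network 10.0.0.0/24 and the pre-shared key are placeholders, and the NAT rule replaces a plain overload statement so that tunnel traffic is exempted from translation, which is the caveat that most often breaks a branch tunnel.

```cisco
! Assumed: IOS 15.x, pre-shared-key site-to-site tunnel over the Dialer9 WAN
! interface; 203.0.113.1 (peer), 10.0.0.0/24 (HQ) and the key are placeholders.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Phase 1: ISAKMP authenticates the peer (not the data) with this key
crypto isakmp key PLACEHOLDER_PSK address 203.0.113.1
!
! Phase 2: ESP gives the privacy and per-packet integrity of the data
crypto ipsec transform-set BRANCH-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! "Interesting traffic": only these flows are intercepted and encrypted
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
!
! The two basic items: the peer and the match ACL (plus the transform set)
crypto map BRANCH-MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set BRANCH-TS
 match address VPN-TRAFFIC
!
interface Dialer9
 crypto map BRANCH-MAP
!
! Outbound NAT runs before encryption, so tunnel traffic must be exempted:
! otherwise the source is translated to the public address and the packet
! never matches VPN-TRAFFIC, so it leaves in clear text via the ISP
ip access-list extended NAT-TRAFFIC
 deny   ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list NAT-TRAFFIC interface Dialer9 overload
!
! No route to 10.0.0.0/24 is needed; the default route carries it to the
! WAN interface, where the crypto map takes over
ip route 0.0.0.0 0.0.0.0 Dialer9
```

Verify with show crypto isakmp sa and show crypto ipsec sa after sending traffic from the LAN to the HQ network; an SA that never forms usually means the NAT exemption is missing or the ACLs on the two peers are not mirror images.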
#1: ISAKMP gives you authentication of remote peer, not of data. AH provides data authentication.
#2: default route to the ISP and IPSec tunnel? #Fail … unless your definition of “IPSec tunnel” includes crypto maps.
#3: you can run a routing protocol across an IPSec tunnel – just use VTI (read the IP Corner articles on IPSec, they offer a good generic coverage).
Thanks as always, Ivan. Corrections made. My thought on the default route included configuring an old-school VPN tunnel with crypto maps configured on the outside interface; that means one default route to the ISP should do the trick. Believe it or not, though, the book actually mentions VTIs, but it’s only in passing as an alternative way to pass routing updates over the tunnel (along with DMVPN and GET VPN).