Advanced VPN Site-to-Site Connections - A Quick Overview in Pictures of Various Implementations from Different Vendors: GRE/IPsec, IPIP/IPsec, L2TP/IPsec, Cisco's SVTI and DMVPN

Let's analyze some data and see how it travels along the wire.

Assume that we have the scenario from Figure1. Two routers, one subnet behind each router, the routers are directly connected(192.168.50.0/24).

Actually if you wonder, the two routers are Cisco routers and not Vyatta VC4 machines. The reason behind this was to be able to take a look at Cisco's IPsec Static Virtual Tunnel Interfaces (SVTIs) and DMVPN.

Taking all the Wireshark captures using the same equipment will keep things contiguous. The only exception was the L2TP/IPsec site-to-site connection where I've used two ISA 2006 Firewalls.

Figure1: Scenario

In order to generate some traffic, I've used the ping command. So a host behind R1 (located on the 192.168.30.0/24 subnet) wants to reach a host behind R0 (located on the 192.168.10.0/24 subnet) and vice-versa. R0's external IP address is 192.168.50.1 and R1's external IP address is 192.168.50.2. As usually, we will capture traffic with our favourite protocol analyzer, Wireshark.

Read more...

Comments are closed