routing protocols, e.g. OSPF or EIGRP. When the center router fails, a backup router can take over for the center router and manage the routing between branches.
There may be a fundamental problem between IPSec tunnels and dynamic routing protocols: a dynamic routing protocol relies on multicast or broadcast packets to announce routing reachability, while an IPSec tunnel cannot encrypt multicast or broadcast packets. The way to solve this problem is to combine a Generic Routing Encapsulation (GRE) tunnel with IPSec encryption.
Generic Routing Encapsulation (GRE) is defined by the IETF in RFC 2784. It is a protocol for encapsulating an arbitrary network layer protocol inside another arbitrary network layer protocol. In general, the payload is encapsulated in a GRE packet, and the GRE packet is then encapsulated in another protocol for forwarding.
A GRE tunnel can carry multicast or broadcast packets to the far end of the tunnel, while the GRE tunnel's own data packets are unicast. Therefore, the data packets of a GRE tunnel can be encrypted by IPSec, i.e. GRE over IPSec. In this arrangement, GRE is used to establish the tunnel and IPSec provides the encryption for the VPN network. When establishing a GRE tunnel, each end of the tunnel must know the IP address of the other end, and that address must be routable on the Internet. This means that the center router and all branch routers must have static public IP addresses.
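As an added illustration (not part of the original text), the following Python builds a constructed OSPF Hello-style packet addressed to the multicast group 224.0.0.5, wraps it in a GRE packet with a unicast outer IPv4 header between assumed tunnel endpoints (198.51.100.1 and 203.0.113.7), and shows that a crypto ACL written for those unicast endpoints selects only the GRE-encapsulated packet, which is why GRE over IPSec is needed to encrypt routing traffic:

```python
import ipaddress
import struct

GRE_PROTO, OSPF_PROTO, ETHERTYPE_IPV4 = 47, 89, 0x0800
ALL_SPF_ROUTERS = "224.0.0.5"                              # OSPF Hello multicast group
HUB_PUBLIC, BRANCH_PUBLIC = "198.51.100.1", "203.0.113.7"  # constructed tunnel endpoints
HUB_TUNNEL_IP = "10.0.0.1"                                 # constructed hub tunnel-interface address

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left as 0 for illustration)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def parse_ipv4(packet):
    """Return (src, dst, proto, payload) for a packet with a 20-byte IPv4 header."""
    return (str(ipaddress.IPv4Address(packet[12:16])),
            str(ipaddress.IPv4Address(packet[16:20])), packet[9], packet[20:])

def gre_encapsulate(inner, tunnel_src, tunnel_dst):
    """RFC 2784 GRE: 4-byte header (flags/version 0, protocol type 0x0800) plus a unicast outer IPv4 header."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4) + inner
    return ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre)) + gre

def gre_decapsulate(packet):
    """Strip the outer IPv4 and GRE headers and return the original inner packet."""
    _, _, proto, payload = parse_ipv4(packet)
    if proto != GRE_PROTO or struct.unpack("!HH", payload[:4]) != (0, ETHERTYPE_IPV4):
        raise ValueError("not a basic GRE-in-IPv4 packet")
    return payload[4:]

def crypto_acl_selects(packet, acl):
    """Mimic an IPSec crypto ACL made of 'permit <proto> host <src> host <dst>' entries."""
    src, dst, proto, _ = parse_ipv4(packet)
    return any(entry == (proto, src, dst) for entry in acl)

def demo():
    # Constructed OSPF Hello-style packet: from the hub's tunnel address to 224.0.0.5.
    hello = ipv4_header(HUB_TUNNEL_IP, ALL_SPF_ROUTERS, OSPF_PROTO, 0)
    # The hub's crypto ACL only knows the unicast endpoints: 'permit gre host hub host branch'.
    acl = [(GRE_PROTO, HUB_PUBLIC, BRANCH_PUBLIC)]
    raw_selected = crypto_acl_selects(hello, acl)      # multicast destination: never selected
    tunneled = gre_encapsulate(hello, HUB_PUBLIC, BRANCH_PUBLIC)
    gre_selected = crypto_acl_selects(tunneled, acl)   # unicast GRE outer header: selected, so encrypted
    return raw_selected, gre_selected, gre_decapsulate(tunneled) == hello

if __name__ == "__main__":
    print(demo())   # (False, True, True)
```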
For smaller branch sites, the cost of applying to the ISP for a static IP address is very high. For both ADSL and direct cable access, the ISP usually uses DHCP to provide a dynamic IP address in order to conserve address resources.
Running dynamic routing protocols over an IPSec VPN requires the support of GRE tunnels; to build GRE tunnels, every node needs a static public address, while it is very difficult for all nodes to apply for a static IP address.
All of the above limitations can be summarized as the following four points:
1. IPSec uses an access control list (ACL) to decide which traffic is to be encrypted. Therefore, each additional network connection requires updating the ACL configuration on the center and branch routers. If the routers are managed by a service provider, users must ask the service provider to update the IPSec ACL configuration so that the new communication can be encrypted.
2. In a large hub-and-spoke network, the IPSec ACL configuration of the center router becomes very large and complex, and may even become unmanageable. For example, in order to manage 300 branch routers, 3,900 lines of configuration may be required on the center router, which is too large to troubleshoot. Such a configuration may not fit entirely into the router's memory and has to be placed in flash memory.
3. GRE + IPSec needs to know explicitly the IP addresses of both ends of the tunnel, while the IP address of a branch router's external interface is usually assigned dynamically by the local ISP and changes each time it is reassigned.
4. If direct communication between branches is required through the IPSec VPN, the hub-and-spoke network must be changed into a full-mesh structure. Since it is impossible to determine which branches need to communicate directly through the IPSec VPN, it is required