Generic Routing Encapsulation Inside IPSec

2-7
Cisco IOS VPN Configuration Guide
OL-8336-01
Chapter 2 Network Design Considerations
Network Traffic Considerations
Cisco recommends using GRE tunnels with IPSec in tunnel mode to improve the flow of network traffic. 
IPSec in tunnel mode can be used as a tunneling protocol itself for unicast traffic, but not for multicast 
traffic. Multicast IPSec traffic requires a GRE tunnel, and that IPSec be used in either transport or tunnel 
mode. Cisco recommends using IPSec in tunnel mode for the best network traffic performance.
Changing these values increases the level of security; at the same time, however, it increases the 
processor overhead. The default behavior for SA rekeying is to base the new key in part on the old key 
to save processing resources. Perfect forward secrecy (PFS) generates a new key based on new seed 
material by carrying out a Diffie-Hellman (DH) exponentiation every time a new quick-mode (QM) SA 
needs new key generation. Again, this option increases the level of security but at the same time 
increases processor overhead. Cisco does not recommend changing the SA lifetimes or enabling PFS 
unless the sensitivity of the data mandates it. If you choose to change these values, make sure you include 
this variable when determining the network design. The strength of the Diffie-Hellman exponentiation 
is configurable; Groups 1 (768 bits), 2 (1024 bits), and 5 (1536 bits) are supported. Group 2 is 
recommended. 

Download 2,05 Mb.

Do'stlaringiz bilan baham: