Friday, August 27, 2021

IPsec over VTI vs standard S2S VPN question

My company has several site-to-site VPNs with different vendors. Every time we add a new tunnel, we have to exchange parameters for phase 1 and phase 2 in order to make sure they match on this side. One of the options is Main mode vs Aggressive mode.

This got me to thinking about our branch offices that have 2901 routers and use IPsec over VTI to connect back to another router at HQ. From my understanding, there is no Main or Aggressive mode with IPsec over VTI, but I don't have a solid understanding as to why IPsec over VTI doesn't use them, but standard Site-to-Site VPNs do.

Can someone explain to me why the typical Site-to-Site VPN, say between two businesses, uses either Main or Aggressive mode, and IPsec over VTI doesn't?

I feel like an idiot not knowing this because I've been doing Network Admin work for several years, and have a good amount of experience working with various types of VPNs. My thought is the site-to-site tunnels have to negotiate the parameters because the peers are each managed independently, and IPsec over VTI doesn't because they're statically configured on both peers and typically managed by the same party.

Am I on the right track here, or way off? Any insight would be greatly appreciated.
