ipsec over ipsec

So it turns out that you can’t pass one IPsec VPN through another IPsec VPN. Why? Well, I’ve spent some time trying to figure this out over the last few days and have discovered that they are taking each other’s packets apart.

VPNs that use IPsec for a site-to-site connection encapsulate packets into UDP packets. These UDP packets are sent across the network to the other side, where the receiving device unpacks the UDP packet and then decrypts it. Typically the carrier medium connecting your two VPN devices is the internet. But if the medium connecting your two devices is itself a network that uses a VPN, you run into a major problem: the carrier network starts unpacking the packets that were meant for the other side and throws ICMP type 3 (Host Unreachable) errors back at your VPN device.

Now if you are using Cisco routers for the carrier network fiber, you can tell them that traffic from your VPN devices should be excluded from the carrier’s VPN tunnel and instead be sent in the clear. That way those packets reach the other side of the VPN without ever being double-encrypted, fragmented, or suffering any other badness. A great article explaining crypto ACLs for Cisco routers is http://www.thebryantadvantage.com/CCNPCertificationBCRANExamVPNCryptoAccessLists.htm
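As an added example (not from the original post or the linked article), here is what that exclusion looks like as a Cisco IOS crypto ACL on the carrier router at site A. All names and addresses are assumed placeholders: the inner VPN devices are 10.1.0.10 (site A) and 10.2.0.10 (site B), the carrier sites’ LANs are 10.1.0.0/16 and 10.2.0.0/16, and 203.0.113.2 is the carrier peer.

```cisco
! Carrier router at site A (example config, addresses and names assumed).
! In a Cisco crypto ACL "deny" means "do not protect": matching traffic is
! forwarded in the clear rather than dropped. Putting the inner VPN devices'
! IKE and ESP traffic in deny entries BEFORE the broad permit is what keeps
! it out of the carrier tunnel, so it is never encrypted a second time.
ip access-list extended CARRIER-CRYPTO-ACL
 remark Inner VPN devices: 10.1.0.10 at site A, 10.2.0.10 at site B (assumed)
 remark IKE (UDP 500), NAT-T (UDP 4500) and ESP between them bypass the tunnel
 deny   udp host 10.1.0.10 host 10.2.0.10 eq 500
 deny   udp host 10.1.0.10 host 10.2.0.10 eq 4500
 deny   esp host 10.1.0.10 host 10.2.0.10
 remark Everything else between the two carrier sites is still encrypted
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto ipsec transform-set CARRIER-TS esp-aes 256 esp-sha256-hmac
!
crypto map CARRIER-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set CARRIER-TS
 match address CARRIER-CRYPTO-ACL
!
interface GigabitEthernet0/0
 crypto map CARRIER-MAP
```

The carrier router at site B needs the mirror image of this ACL with the source and destination addresses swapped, or the two sides will disagree about which traffic is protected. After the change, `show crypto ipsec sa` on the carrier router should show the LAN-to-LAN counters increasing while the inner devices’ IKE and ESP packets no longer pass through the carrier SA.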
