SRX Services Gateway

Group VPN

06-09-2017 11:16 AM

I studied Group VPN and I have made a revision, but I don't get the idea of IP preservation.

 

How is it supposed to be an advantage? I think it is the opposite.

Making every host in my LAN have its own public IP is a waste of IP addresses.

Would someone please explain to me the advantage of IP preservation? Can I overcome it by using NAT?


Re: Group VPN

06-10-2017 12:03 AM

Hello,

 

IP header preservation mitigates overlay routing. Because the IP header does not change, no additional routing needs to be taken into consideration.

 

Moreover, end-to-end QoS capabilities and multicast can be preserved.

 

When there is no private network (like MPLS), IP preservation is definitely not a good idea.

 

Regards,

 

Rushi


Re: Group VPN

06-10-2017 10:47 AM

I have been working at an SP for a couple of months and I found that most companies and banks try hard not to advertise their local LAN IP addresses, by the use of L2 VPN for example, and I think all companies use NAT and will not assign public IP addresses to the local hosts, right? And I don't really see the advantage of making each host in my LAN have a public IP; that is a waste of IP addresses.

 

But what is wrong with overlay routing?

And why is Group VPN not good when dealing with a non-MPLS network?


Re: Group VPN

06-11-2017 09:37 AM

Hello,

 

No IP address changes. No extra (NATed) IPs to be routed. So the existing routing is sufficient.

You can use Group VPN even in a non-MPLS network.

 

Regards,

 

Rushi


Re: Group VPN

06-11-2017 06:41 PM

I think it is the concept of the word "preserve" that is problematic. The word does not indicate saving IP addresses, but maintaining or keeping the same original IP address, hence the word preserve. And as indicated by the others who have responded, this is an explanation from the Juniper docs:

"The group members use the Encapsulating Security Payload (ESP) protocol in tunnel mode to secure the traffic. However, in Group VPN the tunnel mode is modified. Because there is no direct association between the group members, it is not necessary to use special IP addresses in the outer IP header (that is, IP addresses of IPsec gateways). Every group member can decrypt the traffic of every other group member. Thus, the inner IP-Header is copied to the outer IP-Header, and the underlying routing infrastructure and QoS infrastructure can be used. This feature is called Header Preservation."

The other thing is to look at this feature as one of many features that offer flexibility in different environments. So just because this feature is available does not mean it should be considered for use, with a way then found to use it. In an environment where the devices are using public addresses and they wish to deploy VPNs in a mesh, this is suitable. In environments using NAT, IPsec VPN is suitable, and so forth. When evaluating features, look at the environment first and what you need, then search for the feature to meet that goal. It would be a stress on the brain to look at a feature first and then try to formulate a plan to use it, or speculate "how can I use this in my environment", and, if it can't be used, then, as some have done, question the usefulness of such a feature and why it can't be modified for use in my environment. I am not saying this is the case, but just expanding on the logical follow-up discussion.

[KUDOS PLEASE! If you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]
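The following is an added example, not code or configuration from the thread, from Juniper or from the Junos Group VPN implementation. It models the header-preservation passage quoted from the docs above, and Rushi's point that no extra addresses need routing, by building the outer IPv4 header both ways (ordinary point-to-point tunnel mode with gateway addresses versus Group VPN with the inner header copied) and then doing what a transit router does: a longest-prefix lookup on the outer destination only. The ESP header, trailer, ICV and encryption are deliberately left out, the cleartext inner packet stands in for the ESP payload, and every address, prefix and next-hop name (10.1.1.10, 10.2.2.20, 203.0.113.x, "pe1", "pe2", "isp-peer") is constructed for the example.

```python
# Added example (not from the thread, Juniper or Junos): ESP tunnel-mode
# encapsulation with and without header preservation, and what a transit
# router can route on afterwards. ESP header/trailer/ICV and encryption are
# omitted; the inner packet stands in for the ESP payload. All addresses,
# prefixes and next-hop names are constructed for illustration.
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, Optional

ESP_PROTO = 50                # IP protocol number of ESP (RFC 4303)
UDP_PROTO = 17
IPV4_FMT = "!BBHHHBBH4s4s"    # 20-byte IPv4 header without options


def _checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; yields 0 over a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass(frozen=True)
class IPv4Header:
    src: str
    dst: str
    proto: int
    dscp: int = 0
    ttl: int = 64

    def pack(self, payload_len: int) -> bytes:
        """Serialise to wire format with a correct header checksum."""
        tos = (self.dscp & 0x3F) << 2          # DSCP is the top 6 bits of TOS
        hdr = struct.pack(IPV4_FMT, 0x45, tos, 20 + payload_len, 0, 0,
                          self.ttl, self.proto, 0,
                          ipaddress.IPv4Address(self.src).packed,
                          ipaddress.IPv4Address(self.dst).packed)
        return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt: bytes) -> IPv4Header:
    ver_ihl, tos, _, _, _, ttl, proto, _, src, dst = struct.unpack(IPV4_FMT, pkt[:20])
    if ver_ihl != 0x45 or _checksum(pkt[:20]) != 0:
        raise ValueError("not a plain IPv4 header or bad checksum")
    return IPv4Header(str(ipaddress.IPv4Address(src)),
                      str(ipaddress.IPv4Address(dst)), proto, tos >> 2, ttl)


def esp_tunnel_encap(inner: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Ordinary point-to-point tunnel mode: the outer header carries the two
    gateways' addresses, so transit routers must have a route to gw_dst."""
    outer = IPv4Header(gw_src, gw_dst, ESP_PROTO, dscp=parse_ipv4(inner).dscp)
    return outer.pack(len(inner)) + inner


def group_vpn_encap(inner: bytes) -> bytes:
    """Group VPN header preservation: the outer header is a copy of the inner
    header (addresses, DSCP, TTL); only the protocol field becomes ESP."""
    ih = parse_ipv4(inner)
    outer = IPv4Header(ih.src, ih.dst, ESP_PROTO, dscp=ih.dscp, ttl=ih.ttl)
    return outer.pack(len(inner)) + inner


def transit_route_lookup(pkt: bytes, rib: Dict[str, str]) -> Optional[str]:
    """Longest-prefix match on the OUTER destination, which is all a transit
    router (or its QoS policy) can see once the payload is encrypted."""
    dst = ipaddress.IPv4Address(parse_ipv4(pkt).dst)
    best = None
    for prefix, nexthop in rib.items():
        net = ipaddress.IPv4Network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None


def outer_dst_is_rfc1918(pkt: bytes) -> bool:
    """RFC 1918 space is not carried across the public Internet, so a
    header-preserved packet between private hosts is only deliverable on a
    private WAN (MPLS L3VPN, leased lines) that already routes those prefixes."""
    dst = ipaddress.IPv4Address(parse_ipv4(pkt).dst)
    return any(dst in ipaddress.IPv4Network(n)
               for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


def sample_inner_packet() -> bytes:
    """Constructed sample: a voice packet (DSCP 46, EF) between two private LANs."""
    payload = b"constructed-rtp-sample"
    return IPv4Header("10.1.1.10", "10.2.2.20", UDP_PROTO, dscp=46).pack(len(payload)) + payload


# Constructed RIBs: a private MPLS WAN that already carries the sites' prefixes,
# and an Internet transit router that carries only public space.
PRIVATE_WAN_RIB = {"10.1.0.0/16": "pe1", "10.2.0.0/16": "pe2", "203.0.113.0/24": "pe-edge"}
INTERNET_RIB = {"203.0.113.0/24": "isp-peer"}

if __name__ == "__main__":
    inner = sample_inner_packet()
    gvpn = group_vpn_encap(inner)
    p2p = esp_tunnel_encap(inner, "203.0.113.1", "203.0.113.2")
    for name, pkt in (("cleartext", inner), ("group vpn", gvpn), ("p2p tunnel", p2p)):
        o = parse_ipv4(pkt)
        print(f"{name:10} outer {o.src}->{o.dst} proto={o.proto} dscp={o.dscp} "
              f"mpls={transit_route_lookup(pkt, PRIVATE_WAN_RIB)} "
              f"internet={transit_route_lookup(pkt, INTERNET_RIB)}")
```

Running it shows the two sides of the thread at once: over the private WAN the Group VPN packet takes exactly the same next hop as the cleartext packet (no tunnel endpoints to route, DSCP still visible to QoS), whereas the point-to-point tunnel needs a route to the gateway address instead; on the Internet RIB the header-preserved packet has no route at all, because its outer destination is still the RFC 1918 host address.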