Re: [fw-wiz] Conundrum - IGMP and IPSec

Either one will do the multicast. You can build GRE tunnels, which in
a source to receiver (i.e. star topology 4 hosts = 4 tunnels and the
1 source has 4 tunnels). You can do the same in a full mesh, but you
will have to build a tunnel for each receiver to each receiver (4
hosts = 32 tunnels). This is the old way. You will have to tunnel
the IGMP I believe over the VPN as it will not handle IGMP traffic. I
may be wrong on that.

Try these also:


On Jan 29, 2007, at 4:25 PM, Kurt Buff wrote:

Situation in the case is that we're implementing equipment that uses
multicast to talk between multiple instances of themselves - I'm not
clear yet whether there'll be a designated talker with multiple
listeners, or whether there'll be multiple talkers and multiple

I'm reading the doco now - thanks for the tip. This should provide me
with a running start.

I'll be interested in finding out whether I can use a layer3 switch at
each end to do this, or if I need edge routers to set this up.


On 1/28/07, Chris Myers <clmmacunix@xxxxxxxxxxx> wrote:
Hi Kurt,

I am not sure what you are exactly needing to use the IGMP
for, but
most firewall and vpn solutions can do what you want to do. It's a
matter of creating the right tunnels or forwarding the right ports
and protocols. Cisco is a solution, but Juniper can do it just as
well. It really depends on the implementation you are needing IGMP
for. IGMP is associated with multicast formats, so here is a Cisco
doc that should get you started.

Thank You,

On Jan 26, 2007, at 1:55 PM, Kurt Buff wrote:

Honorable Ones,

I've been handed the task of getting IGMP traffic between remote
offices, over an IPSec tunnel.

I have run into the apparently well-known issue of their not playing
nicely together, and was wondering if I could get recommendations on
making such a thing happen.

We're looking at upgrading/replacing our current hardware soon
so recommendations as to brands that would help support this
would be
useful, as would workarounds that don't require replacement of
hardware, as I believe that would broaden the choices I have when
I do

I'm stumped, not least because my network-fu is not up to the
standards of many on this list, and would really appreciate some
pointers in the right direction.

firewall-wizards mailing list

firewall-wizards mailing list