[c-nsp] IOS/ASA VPN interop question

Gert Doering gert at greenie.muc.de
Wed Oct 27 15:20:08 EDT 2010


Hi,

On Wed, Oct 27, 2010 at 11:40:33AM -0400, Tom Devries wrote:
> Reason I ask is in J series SRX "route-based" vpn the proxy IDs for
> local/remote/service will be zeroed by default, and also when there are
> multiple networks behind the SRX that need encryption.

The traditional IOS "crypto map" approach is that you get proxy IDs = Ph2 SAs
for every line in the match access list.  So "0.0.0.0/0" is only achievable
with the trick mentioned (deny the rest, then permit 0.0.0.0 - which is
indeed a nice trick, never thought of that myself :) ).

On more recent IOS devices, you can use a crypto tunnel interface:

interface tunnel 10
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile FOO

and from what I can read between the lines in the documentation, it
will then negotiate a 0.0.0.0 proxy ID:

http://www.cisco.com/en/US/technologies/tk583/tk372/technologies_white_paper0900aecd8029d629_ps6635_Products_White_Paper.html

(and then use the tunnel interface as a JunOS firewall would do)

Disclaimer: I have never actually used VTI tunnels.

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
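The two IOS approaches Gert describes, written out as an added configuration example (this is not from the original post and not Cisco's documentation). All addresses, names (TS-AES, CRYPTO-ALL, CM-PEER, FOO, Tunnel10) and the pre-shared key are placeholders; alternative A and alternative B are mutually exclusive for a given peer, so configure one or the other, not both.

```cisco
! Added example, not from the original post. Placeholder addresses/names throughout.
!
! Shared Phase 1 / Phase 2 parameters (used by either alternative)
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key REPLACE_WITH_REAL_PSK address 203.0.113.2
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Alternative A: classic crypto map.
! Every permit line in the match ACL becomes its own Phase 2 SA / proxy ID pair.
! To end up with a single 0.0.0.0/0 <-> 0.0.0.0/0 proxy ID, first deny the
! traffic that must stay in the clear, then permit everything else.
ip access-list extended CRYPTO-ALL
 remark traffic between local subnets must never enter the tunnel
 deny   ip 192.0.2.0 0.0.0.255 192.0.2.0 0.0.0.255
 remark single catch-all entry -> one proxy ID of 0.0.0.0/0
 permit ip any any
crypto map CM-PEER 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES
 match address CRYPTO-ALL
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map CM-PEER
!
! Alternative B: virtual tunnel interface (VTI).
! No crypto ACL at all: IOS negotiates 0.0.0.0/0 <-> 0.0.0.0/0 for the tunnel,
! and the routing table decides what is encrypted, the same model as a
! route-based st0 interface on JunOS/SRX.
crypto ipsec profile FOO
 set transform-set TS-AES
interface Tunnel10
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FOO
! Only prefixes routed into Tunnel10 are encrypted; everything else stays clear.
ip route 10.20.0.0 255.255.0.0 Tunnel10
```

Either way, `show crypto ipsec sa` should then list a single SA whose local and remote ident are `0.0.0.0/0.0.0.0`, which is what the SRX side with zeroed proxy IDs expects. The operational difference is where the "what gets encrypted" decision lives: with alternative A it is the ACL, and anything not explicitly denied that is routed out the crypto-mapped interface ends up in the tunnel; with alternative B it is the routing table, so a missing or wrong route silently sends traffic in the clear rather than through the VPN, which is worth checking after any routing change.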