[c-nsp] IOS/ASA VPN interop question

Wed Oct 27 16:49:28 EDT 2010

Good stuff Gert, I wasn't aware the VTI would use a null proxy id.  I
will have to give it a try.  Thanks!

-----Original Message-----
From: Gert Doering [mailto:gert at greenie.muc.de] 
Sent: October-27-10 3:20 PM
To: Tom Devries
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] IOS/ASA VPN interop question

Hi,

On Wed, Oct 27, 2010 at 11:40:33AM -0400, Tom Devries wrote:
> Reason I ask is in J series SRX "route-based" vpn the proxy ID's for
> local/remote/service will be zero'd by default, and also when there
are
> multiple networks behind the SRX that need encryption.

Traditional IOS "crypto map" approach is that you get proxy IDs = Ph2
SAs
for every line in the match access list.  So "0.0.0.0/0" is only
achievable
with the trick mentioned (deny the rest, then permit 0.0.0.0 - which is
indeed a nice trick, never thought of that myself :) ).

On more recent IOS devices, you can use a crypto tunnel interface:

interface tunnel 10
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile FOO

and from what I can read between the lines in the documentation, it
will then negotiate a 0.0.0.0 proxy ID:

http://www.cisco.com/en/US/technologies/tk583/tk372/technologies_white_p
aper0900aecd8029d629_ps6635_Products_White_Paper.html

(and then use the tunnel interface as a JunOS firewall would do)

Disclaimer: I have never actually used VTI tunnels.

gert

-- 
USENET is *not* the non-clickable part of WWW!

//www.muc.de/~gert/
Gert Doering - Munich, Germany
gert at greenie.muc.de
fax: +49-89-35655025
gert at net.informatik.tu-muenchen.de
-------------- next part --------------

This e-mail (and attachment(s)) is confidential, proprietary, may be subject to copyright and legal privilege and no related rights are waived. If you are not the intended recipient or its agent, any review, dissemination, distribution or copying of this e-mail or any of its content is strictly prohibited and may be unlawful. All messages may be monitored as permitted by applicable law and regulations and our policies to protect our business. E-mails are not secure and you are deemed to have accepted any risk if you communicate with us by e-mail. If received in error, please notify us immediately and delete the e-mail (and any attachments) from any computer or any storage medium without printing a copy.

Ce courriel (ainsi que ses pi?ces jointes) est confidentiel, exclusif, et peut faire l?objet de droit d?auteur et de privil?ge juridique; aucun droit connexe n?est exclu. Si vous n??tes pas le destinataire vis? ou son repr?sentant, toute ?tude, diffusion, transmission ou copie de ce courriel en tout ou en partie, est strictement interdite et peut ?tre ill?gale. Tous les messages peuvent ?tre surveill?s, selon les lois et r?glements applicables et les politiques de protection de notre entreprise. Les courriels ne sont pas s?curis?s et vous ?tes r?put?s avoir accept? tous les risques qui y sont li?s si vous choisissez de communiquer avec nous par ce moyen. Si vous avez re?u ce message par erreur, veuillez nous en aviser imm?diatement et supprimer ce courriel (ainsi que toutes ses pi?ces jointes) de tout ordinateur ou support de donn?es sans en imprimer une copie. 