[c-nsp] VTI VRF-Aware IPSEC Proxy IDs

Andrei Sabau andrei.sabau at itps.ro
Tue Jun 11 08:48:53 EDT 2019


Hello all.

It has occurred to me while working with a couple of ISRs that the Cisco implementation of the proxy IDs is made superficially, as in the router usually does not care at all about the proxy IDs. Except probably in policy-mode, but I’ve noticed it being disregarded in route-mode.

The Quick Mode selectors are usually sent with the WAN IPs or the 0.0.0.0/0 depending on various configuration snippets. I’m not sure of the relevancy if VRF-Aware IPSec is used, but my assumption is that the invisible ACL “any any” is used, as per documentation.

However, it’s best to know that other vendors will not accept this behavior (such as PAN/Juniper) and it’s best to be aware and not waste 4 hours of time like me 😊

Cheers,

