Hi,

On Wed, Oct 27, 2010 at 11:40:33AM -0400, Tom Devries wrote:
> Reason I ask is in J series SRX "route-based" vpn the proxy IDs for
> local/remote/service will be zeroed by default, and also when there are
> multiple networks behind the SRX that need encryption.

Traditional IOS "crypto map" approach is that you get proxy IDs = Ph2 SAs for every line in the match access list. So "0.0.0.0/0" is only achievable with the trick mentioned (deny the rest, then permit 0.0.0.0 - which is indeed a nice trick, never thought of that myself :) ).

On more recent IOS devices, you can use a crypto tunnel interface:

  interface tunnel 10
   tunnel mode ipsec ipv4
   tunnel protection ipsec profile FOO

and from what I can read between the lines in the documentation, it will then negotiate a 0.0.0.0 proxy ID:

http://www.cisco.com/en/US/technologies/tk583/tk372/technologies_white_paper0900aecd8029d629_ps6635_Products_White_Paper.html

(and then use the tunnel interface as a JunOS firewall would do)

Disclaimer: I have never actually used VTI tunnels.

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             [email protected]
fax: +49-89-35655025                        [email protected]
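Added example, not part of Gert's or Tom's messages: IOS configuration fragments showing both approaches discussed above side by side. The crypto map variant relies on the "deny what must stay clear, then permit ip any any" ordering so that the single permit line yields one 0.0.0.0/0 proxy ID; the VTI variant gets 0.0.0.0/0 from the tunnel mode itself and selects traffic by routing. Only the profile name FOO and the tunnel number come from the message; addresses, ACL and map names, transform set, key and policy numbers are constructed placeholders.

```cisco
! Added example (not from the thread). Addresses are RFC 5737 documentation
! ranges and all names except profile FOO are constructed.
!
! --- 1. Classic crypto map: IOS negotiates one proxy ID (Phase 2 SA) per
!        permit line. Deny lines first, then a single permit ip any any, so
!        the only proxy ID offered is 0.0.0.0/0 <-> 0.0.0.0/0.
ip access-list extended VPN-TRAFFIC
 remark local-to-local traffic stays cleartext (constructed range)
 deny   ip 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255
 remark everything else leaving this interface goes into the tunnel
 permit ip any any
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-PSK address 198.51.100.1
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map VPN-MAP
!
! --- 2. Route-based VTI: no crypto ACL at all. The proxy ID is 0.0.0.0/0
!        by design and the routing table decides what is encrypted, which is
!        what makes it line up with a route-based SRX peer.
crypto ipsec profile FOO
 set transform-set TS
!
interface Tunnel10
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FOO
!
! Remote network behind the peer (constructed): route it into the tunnel.
ip route 10.2.0.0 255.255.0.0 Tunnel10
```

With the crypto map form, anything egressing the interface that is not matched by a deny line is sent into the tunnel, so the deny entries have to enumerate every flow that must stay in cleartext; with the VTI form that decision moves entirely to the routing table, which is easier to audit and is the reason both ends negotiate a 0.0.0.0/0 proxy ID cleanly.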
