Good stuff Gert, I wasn't aware the VTI would use a null proxy ID. I will have to give it a try. Thanks!


-----Original Message-----
From: Gert Doering [mailto:[email protected]] 
Sent: October-27-10 3:20 PM
To: Tom Devries
Cc: [email protected]
Subject: Re: [c-nsp] IOS/ASA VPN interop question

Hi,

On Wed, Oct 27, 2010 at 11:40:33AM -0400, Tom Devries wrote:
> Reason I ask is in J series SRX "route-based" VPN the proxy IDs for
> local/remote/service will be zeroed by default, and also when there are
> multiple networks behind the SRX that need encryption.

Traditional IOS "crypto map" approach is that you get proxy IDs = Ph2 SAs
for every line in the match access list. So "0.0.0.0/0" is only achievable
with the trick mentioned (deny the rest, then permit 0.0.0.0 - which is
indeed a nice trick, never thought of that myself :) ).

On more recent IOS devices, you can use a crypto tunnel interface:

interface tunnel 10
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile FOO

and from what I can read between the lines in the documentation, it
will then negotiate a 0.0.0.0 proxy ID:

http://www.cisco.com/en/US/technologies/tk583/tk372/technologies_white_paper0900aecd8029d629_ps6635_Products_White_Paper.html

(and then use the tunnel interface as a JunOS firewall would do)

Disclaimer: I have never actually used VTI tunnels.

gert

-- 
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany
[email protected]
fax: +49-89-35655025
_______________________________________________
cisco-nsp mailing list  [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
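For readers who want to try the two approaches Gert contrasts, here is an added configuration example (it is not from the thread, nor copied from the Cisco white paper above). It shows the IOS VTI that negotiates an any/any proxy ID, the `show` check that confirms it, and the older crypto-map "deny the rest, then permit any" trick. All addresses, names (profile FOO, the ACL and crypto-map names), the pre-shared key and the Phase 1/2 parameters are assumptions for illustration only.

```cisco
! Added example, not from the thread or Cisco documentation.
! Addresses, names and the PSK are placeholders (RFC 5737 ranges).
!
! ---- Phase 1 (IKEv1) shared by both variants ----
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-PSK address 203.0.113.2
!
! ---- Phase 2 transform set (tunnel mode, as a VTI requires) ----
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha-hmac
 mode tunnel
!
! ================= Variant A: route-based VTI =================
! The IPsec profile is what "tunnel protection" references (FOO in the thread).
crypto ipsec profile FOO
 set transform-set TS-AES256
!
! No crypto ACL on a VTI: IOS proposes 0.0.0.0/0 <-> 0.0.0.0/0 as the proxy ID,
! matching an SRX route-based VPN whose proxy IDs are zeroed. What gets
! encrypted is decided purely by routing into the tunnel interface.
interface Tunnel10
 ip address 10.255.255.1 255.255.255.252
 tunnel source 198.51.100.1
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FOO
!
! One static route per network behind the SRX (or run a routing protocol
! over the VTI); no extra Phase 2 SA is needed per prefix.
ip route 192.168.10.0 255.255.255.0 Tunnel10
ip route 192.168.20.0 255.255.255.0 Tunnel10
!
! Treat the tunnel like a JunOS zone: an ACL on the VTI filters decrypted
! traffic, which a crypto ACL cannot do.
ip access-list extended FROM-SRX
 permit tcp 192.168.10.0 0.0.0.255 host 10.1.1.10 eq 443
 deny   ip any any log
interface Tunnel10
 ip access-group FROM-SRX in
!
! Verify the negotiated proxy ID once the SA is up:
!   show crypto ipsec sa | include ident
! A VTI SA shows both identities as (0.0.0.0/0.0.0.0/0/0).
!
! ================= Variant B: crypto map with the any/any trick =================
! (Configure A or B, not both.) Each permit line in the match ACL becomes its
! own Phase 2 SA / proxy-ID pair, so to end up with a single 0.0.0.0/0 pair you
! deny whatever must leave in the clear and then permit everything else.
! Anything not matched by a deny is encrypted to the peer, so the deny list
! must cover all non-VPN traffic that exits this interface.
ip access-list extended CRYPTO-TO-SRX
 remark local-to-local stays in the clear
 deny   ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 remark Internet-bound traffic from the LAN stays in the clear
 deny   ip 10.1.0.0 0.0.255.255 any
 permit ip any any
!
crypto map CM-SRX 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES256
 match address CRYPTO-TO-SRX
!
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map CM-SRX
```

With variant B the proxy ID offered is also any/any, but every prefix that must stay unencrypted has to be enumerated in the deny list, and the crypto map still cannot filter traffic after decryption; the VTI avoids both problems, which is why the thread points to it for interop with a route-based SRX configuration.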
