Official blog of WebEKM EKM; the site is coming online soon.


ASA and Static VTI – better late than never

Cisco has recently made a small step to improve the ASA and has implemented logical tunnels, which means we got route-based VPN! Really? Did we? Not so fast. Yes, we got route-based VPN, but we still have to add routes manually.

If only I had known that routing protocols are not supported through the tunnel, I wouldn’t have labbed this “feature” out. What for? It makes no sense: logical tunnels without routing protocols? I always thought this was the first reason that engineers implement them …

Anyway, the difference in configuration is that with VTI we have to create an IPsec policy and attach it to the Tunnel interface. Unlike IOS on a router, when we configure “tunnel mode” on the ASA we may only choose “ipsec ipv4”; on the router we may also choose “gre” (one of the most desirable features on the ASA, in conjunction with DMVPN and NHRP … pie in the sky).

I have to admit, I shyly tried to type “interface virtual-template” in the hope that we might implement Dynamic VTI, which would be nice progress … unnecessarily 🙂

 

ASAv1 configuration:

crypto ikev1 policy 10
hash sha
authentication pre-share
group 5
lifetime 86400
encryption aes

tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key itbundle

crypto ipsec ikev1 transform-set TSET esp-3des esp-sha-hmac

crypto ipsec profile IPSEC-PROFILE
set ikev1 transform-set TSET

interface Tunnel0
nameif TUNNEL
ip address 10.0.0.1 255.255.255.0
tunnel source interface outside
tunnel destination 2.2.2.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC-PROFILE

route TUNNEL 192.168.2.0 255.255.255.0 10.0.0.2

 

ASAv2 configuration:

crypto ikev1 policy 10
hash sha
authentication pre-share
group 5
lifetime 86400
encryption aes

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key itbundle

crypto ipsec ikev1 transform-set TSET esp-3des esp-sha-hmac

crypto ipsec profile IPSEC-PROFILE
set ikev1 transform-set TSET

interface Tunnel0
nameif TUNNEL
ip address 10.0.0.2 255.255.255.0
tunnel source interface outside
tunnel destination 1.1.1.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC-PROFILE

route TUNNEL 192.168.1.0 255.255.255.0 10.0.0.1
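Because the routes are added by hand, the two peers can easily drift out of sync. The following check is an added example, not part of the original post: it parses the VTI-relevant lines of both configurations above and reports anything that does not mirror correctly. The function names `parse` and `check_pair` are hypothetical, and the inputs are trimmed copies of the configurations on this page.

```python
import ipaddress
import re
# Constructed input: VTI-relevant lines trimmed from the two configurations above.
ASAV1 = """tunnel-group 2.2.2.2 type ipsec-l2l
crypto ipsec ikev1 transform-set TSET esp-3des esp-sha-hmac
interface Tunnel0
 nameif TUNNEL
 ip address 10.0.0.1 255.255.255.0
 tunnel destination 2.2.2.2
route TUNNEL 192.168.2.0 255.255.255.0 10.0.0.2
"""
ASAV2 = """tunnel-group 1.1.1.1 type ipsec-l2l
crypto ipsec ikev1 transform-set TSET esp-3des esp-sha-hmac
interface Tunnel0
 nameif TUNNEL
 ip address 10.0.0.2 255.255.255.0
 tunnel destination 1.1.1.1
route TUNNEL 192.168.1.0 255.255.255.0 10.0.0.1
"""

def parse(cfg):
    """Extract the facts that must mirror each other on the two peers."""
    def find(pat):
        return re.findall(pat, cfg, re.M)
    ip, mask = find(r"^\s*ip address (\S+) (\S+)")[0]
    nameif = find(r"^\s*nameif (\S+)")[0]
    return {
        "vti": ipaddress.ip_interface(f"{ip}/{mask}"),
        "dest": find(r"^\s*tunnel destination (\S+)")[0],
        "groups": set(find(r"^tunnel-group (\S+) type ipsec-l2l")),
        "tset": set(find(r"^crypto ipsec ikev1 transform-set \S+ (.+)$")),
        "hops": find(rf"^route {re.escape(nameif)} \S+ \S+ (\S+)"),  # routes via the VTI
    }

def check_pair(cfg_a, cfg_b):
    """Return a list of mismatches between two static-VTI peers (empty = consistent)."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems = []
    if a["tset"] != b["tset"]:
        problems.append("transform sets differ")
    for name, me, peer in (("A", a, b), ("B", b, a)):
        if me["dest"] not in me["groups"]:
            problems.append(f"{name}: no tunnel-group for destination {me['dest']}")
        if not me["hops"]:
            problems.append(f"{name}: no static route through the VTI")
        for hop in me["hops"]:
            if ipaddress.ip_address(hop) != peer["vti"].ip:
                problems.append(f"{name}: route next hop {hop} is not the peer VTI address")
    return problems
```

`check_pair(ASAV1, ASAV2)` returns an empty list for the configurations as posted; a mistyped next hop or a transform set changed on one side only shows up as an entry in the returned list.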
