https://community.cisco.com/t5/network-access-control/sxp-over-s2s-vpn/m-p/3459513#M491779 <HTML><HEAD></HEAD><BODY><P>Hi Mark,</P><P></P><P>I dont think of any caveats except the fact that SGT cannot be propagated if the ASA is running NAT. Other than that you should be good.</P><P></P><P>Thanks</P><P>Karthik</P></BODY></HTML> Tue, 06 Jun 2017 17:13:03 GMT kthumula 2017-06-06T17:13:03Z https://community.cisco.com/t5/network-access-control/sxp-over-s2s-vpn/m-p/3459512#M491773 <HTML><HEAD></HEAD><BODY><P>Hi All,</P><P></P><P>Working on a trustsec design for a customer who's currently running site to site VPN between ASA 5500s. Do we have any validated design that i can use? any caveats? limitations?</P><P></P><P>Thanks,</P><P></P><P>Mark</P></BODY></HTML> Mon, 11 Mar 2019 07:46:07 GMT https://community.cisco.com/t5/network-access-control/sxp-over-s2s-vpn/m-p/3459512#M491773 macayubi 2019-03-11T07:46:07Z https://community.cisco.com/t5/network-access-control/sxp-over-s2s-vpn/m-p/3459513#M491779 <HTML><HEAD></HEAD><BODY><P>Hi Mark,</P><P></P><P>I dont think of any caveats except the fact that SGT cannot be propagated if the ASA is running NAT. Other than that you should be good.</P><P></P><P>Thanks</P><P>Karthik</P></BODY></HTML> Tue, 06 Jun 2017 17:13:03 GMT https://community.cisco.com/t5/network-access-control/sxp-over-s2s-vpn/m-p/3459513#M491779 kthumula 2017-06-06T17:13:03Z https://community.cisco.com/t5/network-access-control/sxp-over-s2s-vpn/m-p/3459514#M491787 <HTML><HEAD></HEAD><BODY><P>Hi Mark,</P><P></P><P>The closest CVD we have is here <A href="http://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Apr2016/User-to-DC_Access_Control_Using_TrustSec_Deployment_April2016.pdf" title="http://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Apr2016/User-to-DC_Access_Control_Using_TrustSec_Deployment_April2016.pdf">http://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Apr2016/User-to-DC_Access_Control_Using_TrustSec_Deployment_April…</A> It does not however discuss straight IPsec. Actually configuration of same is very simple through the single command [crypto ikev2 cts sgt] and is documented here&nbsp; <A href="http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cts/configuration/15-mt/sec-usr-cts-15-mt-book/sec-cts-ips-tag.html" title="http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cts/configuration/15-mt/sec-usr-cts-15-mt-book/sec-cts-ips-tag.html">http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cts/configuration/15-mt/sec-usr-cts-15-mt-book/sec-cts-ips-tag.html</A></P><P></P><P>The one point to note is that a Cisco Meta Data Header (CMD) which is 8B long and follows the IPsec ESP/AH header and does require IKEv2. The CMD is an additional 8B of overhead which should be compensated for if adjusting MSS and for IP MTU.</P></BODY></HTML> Wed, 07 Jun 2017 14:09:45 GMT https://community.cisco.com/t5/network-access-control/sxp-over-s2s-vpn/m-p/3459514#M491787 mjessup 2017-06-07T14:09:45Z