
SXP over S2S VPN

macayubi
Level 1

Hi All,

Working on a TrustSec design for a customer who's currently running site-to-site VPN between ASA 5500s. Do we have any validated design that I can use? Any caveats? Limitations?

Thanks,

Mark

Accepted Solution

mjessup
Cisco Employee

Hi Mark,

The closest CVD we have is here http://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Apr2016/User-to-DC_Access_Control_Using_TrustSec_Deployment_April… It does not, however, discuss straight IPsec. Actually, configuration of the same is very simple through the single command [crypto ikev2 cts sgt] and is documented here http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cts/configuration/15-mt/sec-usr-cts-15-mt-book/sec-cts-ips-tag.html

The one point to note is that the Cisco Meta Data Header (CMD), which is 8B long, follows the IPsec ESP/AH header and does require IKEv2. The CMD is an additional 8B of overhead which should be compensated for when adjusting MSS and IP MTU.

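As an added example (not part of the original post or of the linked Cisco documents), here is what the accepted answer's two points look like together in an IOS-XE router configuration: the global `crypto ikev2 cts sgt` command that enables inline SGT propagation over the IKEv2-negotiated IPsec tunnel, and an `ip mtu` / `ip tcp adjust-mss` budget on the tunnel interface that subtracts the extra 8 bytes for the CMD header. The hostnames, addresses, pre-shared keys, interface names and the specific MTU/MSS values are assumptions for illustration; the values start from the common 1400/1360 IPsec tunnel budget and take 8 more bytes off for the CMD.

```cisco
! Added example, not from the original thread. IOS-XE site-to-site IPsec (IKEv2)
! with inline SGT tagging. Addresses, keys, names and MTU values are assumed.

! Enable inline SGT (CMD header) on IKEv2/IPsec tunnels. Global command; IKEv2 only.
crypto ikev2 cts sgt

crypto ikev2 proposal S2S-PROP
 encryption aes-gcm-256
 prf sha384
 group 19

crypto ikev2 policy S2S-POLICY
 proposal S2S-PROP

crypto ikev2 keyring S2S-KEYS
 peer BRANCH
  address 203.0.113.2
  pre-shared-key local <local-psk>
  pre-shared-key remote <remote-psk>

crypto ikev2 profile S2S-PROFILE
 match identity remote address 203.0.113.2 255.255.255.255
 identity local address 198.51.100.2
 authentication local pre-share
 authentication remote pre-share
 keyring local S2S-KEYS

crypto ipsec transform-set S2S-TS esp-gcm 256
 mode tunnel

crypto ipsec profile S2S-IPSEC
 set transform-set S2S-TS
 set ikev2-profile S2S-PROFILE

interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 ! MTU budget (assumed): the usual 1400/1360 IPsec tunnel values minus 8 bytes
 ! for the CMD header that now follows the ESP header. MSS = MTU - 20 (IP) - 20 (TCP).
 ip mtu 1392
 ip tcp adjust-mss 1352
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile S2S-IPSEC
 ! Optional: enforce SGACLs on traffic arriving with a tag from the far side.
 cts role-based enforcement
```

The same configuration is needed on the peer with the addresses swapped. After the tunnel comes up, `show crypto ikev2 sa` confirms the SA was negotiated with IKEv2 (the inline tag is not carried over IKEv1), and a `ping` with the DF bit set at the chosen `ip mtu` size across the tunnel is the quickest check that the 8-byte CMD overhead has actually been accounted for rather than causing silent fragmentation.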

2 Replies

kthumula
Cisco Employee

Hi Mark,

I don't think of any caveats except the fact that SGT cannot be propagated if the ASA is running NAT. Other than that you should be good.

Thanks

Karthik
