06-05-2017 07:08 AM - edited 03-11-2019 12:46 AM
Hi All,
Working on a TrustSec design for a customer who's currently running site-to-site VPN between ASA 5500s. Do we have any validated design that I can use? Any caveats? Limitations?
Thanks,
Mark
06-07-2017 07:09 AM
Hi Mark,
The closest CVD we have is here http://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Apr2016/User-to-DC_Access_Control_Using_TrustSec_Deployment_April… It does not, however, discuss straight IPsec. The actual configuration of the same is very simple, through the single command [crypto ikev2 cts sgt], and is documented here http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cts/configuration/15-mt/sec-usr-cts-15-mt-book/sec-cts-ips-tag.html
The one point to note is that a Cisco Meta Data header (CMD), which is 8B long, follows the IPsec ESP/AH header, and this does require IKEv2. The CMD is an additional 8B of overhead, which should be compensated for when adjusting MSS and IP MTU.
06-06-2017 10:13 AM
Hi Mark,
I can't think of any caveats except the fact that SGTs cannot be propagated if the ASA is running NAT. Other than that you should be good.
Thanks
Karthik