SXP over S2S VPN

Hi All,

Working on a TrustSec design for a customer who's currently running site-to-site VPN between ASA 5500s. Do we have any validated design that I can use? Any caveats? Limitations?

Thanks,

Mark

Accepted Solution
Cisco Employee

Re: SXP over S2S VPN

Hi Mark,

The closest CVD we have is here http://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Apr2016/User-to-DC_Access_Control_Using_TrustSec_Deployment_April… It does not, however, discuss straight IPsec. Actually, configuration of the same is very simple through the single command [crypto ikev2 cts sgt] and is documented here http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cts/configuration/15-mt/sec-usr-cts-15-mt-book/sec-cts-ips-tag.html

The one point to note is that the Cisco Meta Data (CMD) header, which is 8B long, follows the IPsec ESP/AH header and does require IKEv2. The CMD is an additional 8B of overhead, which should be compensated for when adjusting MSS and the IP MTU.
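The MSS/MTU compensation mentioned in the accepted solution is easy to get wrong because ESP padding makes the tunnel overhead non-constant, so "subtract 8" is only right once the rest of the ESP budget is known. The script below is an added example (not code from the thread, Cisco, or the linked documents): it encapsulates an inner packet in ESP tunnel mode with the 8-byte CMD header, then searches for the largest inner IP MTU and the matching TCP MSS that still fit the outer MTU. ESP field sizes follow RFC 4303; the three cipher suites, the assumption that the CMD header sits inside the encrypted payload ahead of the inner packet, and the 1500-byte outer MTU are illustrative assumptions, not something the thread states.

```python
# Added example, not from the thread: size the inner MTU / TCP MSS for an
# IPsec ESP tunnel that carries the 8-byte Cisco Meta Data (CMD) SGT header.
from dataclasses import dataclass

CMD_HEADER_LEN = 8      # CMD header length stated in the thread
OUTER_IPV4_LEN = 20     # tunnel-mode outer IPv4 header, no options
ESP_HEADER_LEN = 8      # SPI (4) + sequence number (4), RFC 4303
ESP_TRAILER_LEN = 2     # pad length (1) + next header (1), RFC 4303
TCP_IP_HEADERS = 40     # inner IPv4 (20) + TCP (20); MSS excludes these


@dataclass(frozen=True)
class EspSuite:
    name: str
    iv_len: int      # explicit IV/nonce bytes carried in the ESP payload
    block_len: int   # alignment of payload+padding+trailer (cipher block, min 4)
    icv_len: int     # integrity check value length


# Assumed example suites (standard sizes, but the choice is illustrative).
AES_CBC_SHA1 = EspSuite("aes-cbc-256 / hmac-sha1-96", iv_len=16, block_len=16, icv_len=12)
AES_CBC_SHA256 = EspSuite("aes-cbc-256 / hmac-sha256-128", iv_len=16, block_len=16, icv_len=16)
AES_GCM = EspSuite("aes-gcm-256", iv_len=8, block_len=4, icv_len=16)


def esp_padding(payload_len: int, suite: EspSuite) -> int:
    """Padding so that payload + padding + 2-byte trailer is block aligned
    (RFC 4303 also requires 4-byte alignment of the trailer)."""
    unit = max(suite.block_len, 4)
    return (-(payload_len + ESP_TRAILER_LEN)) % unit


def encapsulated_len(inner_len: int, suite: EspSuite, with_cmd: bool = True) -> int:
    """Bytes on the wire for one inner IP packet after ESP tunnel-mode
    encapsulation. Assumption: the CMD header is part of the encrypted
    payload, placed ahead of the inner packet, so it is padded with it."""
    payload = inner_len + (CMD_HEADER_LEN if with_cmd else 0)
    return (OUTER_IPV4_LEN + ESP_HEADER_LEN + suite.iv_len
            + payload + esp_padding(payload, suite) + ESP_TRAILER_LEN
            + suite.icv_len)


def max_inner_mtu(outer_mtu: int, suite: EspSuite, with_cmd: bool = True) -> int:
    """Largest inner packet that fits outer_mtu without fragmentation.
    Found by descending search: padding makes the overhead step-wise,
    so a fixed subtraction is not exact for block ciphers."""
    for inner in range(outer_mtu, 0, -1):
        if encapsulated_len(inner, suite, with_cmd) <= outer_mtu:
            return inner
    return 0


def tcp_mss(inner_mtu: int) -> int:
    """TCP MSS to clamp on the tunnel interface for a given inner IP MTU."""
    return inner_mtu - TCP_IP_HEADERS


def cmd_cost(outer_mtu: int, suite: EspSuite) -> int:
    """How much inner MTU the CMD header actually costs for this suite."""
    return max_inner_mtu(outer_mtu, suite, False) - max_inner_mtu(outer_mtu, suite, True)


if __name__ == "__main__":
    outer = 1500  # assumed physical MTU of the path between the VPN peers
    for suite in (AES_CBC_SHA1, AES_CBC_SHA256, AES_GCM):
        mtu = max_inner_mtu(outer, suite)
        print(f"{suite.name:32s} ip mtu {mtu}  tcp adjust-mss {tcp_mss(mtu)}"
              f"  (CMD costs {cmd_cost(outer, suite)} bytes)")
```

For AES-CBC with HMAC-SHA1-96 over a 1500-byte path the result is an inner MTU of 1430 and an MSS of 1390 with the CMD header, versus 1438/1398 without it; the CMD costs exactly 8 bytes there only because 8 happens to be a multiple of the 16-byte padding step, which is why it is worth running the arithmetic for the suite actually negotiated rather than assuming a constant. Note that the linked CVD and the NAT caveat elsewhere in this thread are about SGT propagation, not MTU; NAT-T (an extra 8-byte UDP header) is not modelled here.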

2 Replies
Cisco Employee

Re: SXP over S2S VPN

Hi Mark,

I can't think of any caveats except the fact that SGT cannot be propagated if the ASA is running NAT. Other than that you should be good.

Thanks

Karthik
