Cisco IOS ZFW (Zone Based Firewall) and IPsec VTI

ROBERTO TACCON
Level 4

Hi to all,

With IPsec VTI, how can I configure the phase 2 proxy-ID?

"The best part of the whole thing is NO CRYPTO MAPS"

HOW is traffic associated with a remote site? Using "ip route" static routes rather than mirrored ACLs?

Do I need to configure the routing / the policy map?

The configuration follows (I need to configure a VPN between host 10.1.1.1 and host 192.168.1.35):

!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 hash sha
 group 2
 lifetime 3600
!
crypto isakmp key 0 cisco address 1.1.1.1 no-xauth
crypto isakmp keepalive 10
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set ACI esp-aes 256 esp-sha-hmac
!
crypto ipsec profile VTI
 description ** VPN IPSEC L2L to ACI **
 set transform-set ACI
 set pfs group2
 set security-association lifetime seconds 28800
!
interface Tunnel2
 description *** test VPN IPSEC with ACI
 ip address 192.168.10.2 255.255.255.0
 ip ospf mtu-ignore
 zone-member security untrust
 ip policy route-map ROUTING-POLICY-1.1.1.1
 tunnel source 2.2.2.2
 tunnel mode ipsec ipv4
 tunnel destination 1.1.1.1
 tunnel protection ipsec profile VTI
!
route-map ROUTING-POLICY-1.1.1.1 permit 10
 match ip address 147
!
access-list 147 remark *** ACL VPN 1.1.1.1
access-list 147 permit ip host 10.1.1.1 host 192.168.1.35
!
ip route 192.168.1.35 255.255.255.255 Tunnel2


Joe B Danford
Cisco Employee

Static VTIs, which is what you are using on this router, only support an "ip any any" proxy ID. You will not need to configure one here. Traffic is sent over the tunnel using routing protocols or static routes. The following route should be good enough:

ip route 192.168.1.35 255.255.255.255 Tunnel2

If you are having problems configuring the tunnel, then I would check the policy on the remote end. If they are not using an SVTI or an ip any any proxy ID, then this will not work.
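To make the answer concrete, here is the matching configuration for the remote end (1.1.1.1) as an added example; it is not from the original post or from Cisco, and the peer's tunnel address, the transform-set name and the crypto-map name are assumptions chosen to mirror the local side. The first part is the normal case (an SVTI on both ends, so both sides negotiate 0.0.0.0/0 to 0.0.0.0/0 identities and a static route selects the traffic); the second part shows the only crypto-map configuration that can interoperate with an SVTI, because the crypto ACL must be any/any to match those identities. A host-to-host crypto ACL on the remote end would cause the phase 2 proposal to be rejected.

```cisco
! --- Remote router 1.1.1.1, option A: mirror SVTI (added example, assumptions marked) ---
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 hash sha
 group 2
 lifetime 3600
!
crypto isakmp key 0 cisco address 2.2.2.2 no-xauth
crypto isakmp keepalive 10
!
crypto ipsec transform-set ACI esp-aes 256 esp-sha-hmac
!
crypto ipsec profile VTI
 set transform-set ACI
 set pfs group2
 set security-association lifetime seconds 28800
!
interface Tunnel2
 ! 192.168.10.1 is an assumed address on the same /24 as the local tunnel
 ip address 192.168.10.1 255.255.255.0
 tunnel source 1.1.1.1
 tunnel mode ipsec ipv4
 tunnel destination 2.2.2.2
 tunnel protection ipsec profile VTI
!
! No proxy-ID ACL anywhere: routing alone decides what enters the tunnel
ip route 10.1.1.1 255.255.255.255 Tunnel2
!
! --- Remote router 1.1.1.1, option B: crypto map that still works with an SVTI peer ---
! The crypto ACL must be any/any; "permit ip host 192.168.1.35 host 10.1.1.1"
! would not match the SVTI's 0.0.0.0/0 identities and phase 2 would fail.
access-list 100 permit ip any any
!
crypto map TO-SVTI 10 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set ACI
 set pfs group2
 match address 100
!
! With a crypto map the ACL is also the traffic selector, so an any/any ACL
! sends everything routed out the interface to the peer; keep the map on a
! dedicated interface or accept that routing, not the ACL, scopes the traffic.
```

On either end, `show crypto ipsec sa` confirms the negotiated identities: with an SVTI both the local ident and the remote ident read (0.0.0.0/0.0.0.0/0/0). Because the local Tunnel2 sits in zone untrust, decrypted packets from the peer enter the ZFW through that zone, so the zone-pair policy between untrust and the zone holding 10.1.1.1 must permit the flow; the VTI does not bypass inspection.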
