Where will there be a stable IPSec stack in Cisco IOS?
I'm very sorry to say that I have had very bad experience with Cisco IOS support of IPSec. I have a customer running more than 250 Cisco routers with IPSec tunnels, in some cases connected to each other. I have had something like a CAP case open for more than a year, and in that time we have solved more than 6 very bad issues with Cisco IPSec, and we have come to understand that there are no "situations that do not work", only one "situation that works"; everything else is full of bugs.
At my customer we still have only 6 IPSec tunnels running (the design was for more than 300 tunnels). I do not see any progress in IOS IPSec stability. I see that new IOS releases have new IPSec features, but anyway, I cannot get to them, because IKE negotiation is broken :)
The same goes for Easy VPN support in IOS. There are also stability problems in simple IPSec peer-to-peer tunnels (without using GRE): if you have more than 6 tunnels, it will be very funny for you to see what happens with IKE keepalives for the latest tunnels (the IPSec tunnels are established, but the IKE sessions are dropped). This is a very bad security issue, no matter that the IPSec tunnels work. If anybody doesn't think so, I can explain in detail what happens.
There are also IKE DoS problems in EVERY Cisco router running IPSec. We have a case to prove it.
I also have notes about the IPSec authentication implementation with certificates. It is very easy for anybody with physical access to the device to make a copy of the certificate and to authenticate with it from a different box. There are a few other security implementation issues, but I will not comment on them. I simply ask: where will some stable IPSec implementation be available?
Re: Where will there be a stable IPSec stack in Cisco IOS?
I am not positive about what version of IOS you are running, but there are new versions of IOS on Cisco's website whenever there are new features or problems that have been fixed. It would be best that you either get with TAC to see if there is a known issue, or get with your local sales representative to see if he has the answer you seek.