I have a setup with 2x ISR 2811s in the central site acting as static crypto map VPN peers and I have a single site with VPN Concentrator 3000.
The thing is that I cannot set up a backup peer on the VPN Concentrator unless I set it to originate-only.
Originate-only is fine, works for me, but answer-only is not available on 2811s for static crypto-map configurations. Cisco says this is irrelevant for static crypto-maps and applicable for the VTI only. So I ended up configuring the VPN Concentrator as originate-only with two peers, the tunnel is up now, but I am just curious if there could be any potential issue with rekeying or something else because ISR 2811s cannot maintain answer-only. Again, if the VPN Concentrator side is the initiator-only in terms of crypto-interesting traffic, this is OK for me.