I've inherited a Cisco Catalyst 6509 (Supervisor 720/MSFC3) running the Advanced IP Services feature set on IOS 12.2(33)SXJ6, a pair of IPSec SPAs and an FWSM running OS 4.1(5) and have been tasked with getting traditional policy-based IPSec VPNs up and running on it and (eventually) DMVPN.
Normally, this wouldn't be too much trouble, except that I'm running into what appear to be mutually exclusive required features. The ISP uses media converters between the Catalyst and their switches and so we're using BFD for BGP fall-over because we can't count on the interface going down if they lose a router. Because BFD isn't supported on SVIs, the uplinks to the ISP are routed ports and everything is working.
Unfortunately, the SPAs only seem to support crypto maps on SVI interfaces, so my usual approach of putting the crypto map on the last hops before the ISP routers isn't going to work. We do have an external VLAN that has public addressing and is advertised out via BGP, but moving the crypto map to this interface doesn't trigger ISAKMP. This is probably because the VLAN isn't the last hop out.
I'm thinking that I can do something with local PBR or something similar to force the ISAKMP/IPSec traffic to the outside VLAN, but I'm a little bit lost with the way the SPAs are involved.
I'm not necessarily looking for a solution, but some educated input on the problem would be very much appreciated so that I can figure out what my next steps should be.
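For readers following the question, here is an added IOS configuration sketch (not from the original post, and not verified on the 6500 IPSec SPA platform) of the three pieces the question touches: BFD-backed BGP fall-over on a routed uplink, a crypto map applied to an outside SVI, and local PBR that steers the router's own ISAKMP (UDP 500/4500) and ESP traffic toward that VLAN. All addresses, interface names, the peer, the next-hop on the outside VLAN and the pre-shared key are assumed placeholders; any SPA-specific engine binding the platform requires is deliberately not shown.

```cisco
! --- Added example; all addresses, names and the peer are assumed placeholders ---

! Routed uplink to the ISP: BFD timers live on the physical port, not an SVI
interface GigabitEthernet1/1
 description Uplink to ISP router (routed port, BFD capable)
 ip address 203.0.113.2 255.255.255.252
 bfd interval 300 min_rx 300 multiplier 3
!
! BGP drops the session as soon as BFD declares the neighbor down
router bgp 65001
 neighbor 203.0.113.1 remote-as 64496
 neighbor 203.0.113.1 fall-over bfd
 network 198.51.100.0 mask 255.255.255.0
!
! ISAKMP / IPsec policy for the remote peer (hypothetical peer 192.0.2.1)
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key PRESHARED-KEY-PLACEHOLDER address 192.0.2.1
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
!
! Interesting traffic that should be protected by the tunnel
ip access-list extended VPN-INTERESTING
 permit ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set TS-AES
 match address VPN-INTERESTING
!
! Outside VLAN with public addressing; the crypto map is applied here,
! since the SPA only accepts crypto maps on SVIs
interface Vlan100
 description Outside VLAN (public addressing)
 ip address 198.51.100.10 255.255.255.0
 crypto map VPN-MAP
!
! Locally generated VPN control/data traffic: ISAKMP (UDP 500),
! NAT-T (UDP 4500) and ESP sourced from the SVI address
ip access-list extended VPN-LOCAL-CONTROL
 permit udp host 198.51.100.10 any eq isakmp
 permit udp host 198.51.100.10 any eq non500-isakmp
 permit esp host 198.51.100.10 any
!
! Local PBR: push that traffic toward a next-hop on the outside VLAN
! (198.51.100.1 is an assumed device on Vlan100) instead of the routed uplinks
route-map VPN-VIA-OUTSIDE-VLAN permit 10
 match ip address VPN-LOCAL-CONTROL
 set ip next-hop 198.51.100.1
!
ip local policy route-map VPN-VIA-OUTSIDE-VLAN
```

Useful checks after applying something like this: `show bfd neighbors` and `show ip bgp summary` confirm the fall-over path is still intact on the routed ports, `show route-map VPN-VIA-OUTSIDE-VLAN` shows whether locally generated packets are actually matching the policy, and `show crypto isakmp sa` / `debug crypto isakmp` show whether the SVI-bound crypto map now initiates ISAKMP once the router's own traffic leaves through the VLAN.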