Re: Site-to-Site ipsec with xauth

From: Dave Serra <maybeedave_at_yahoo.com>
Date: Fri, 6 Sep 2013 16:06:11 -0700 (PDT)

Thanks Brian!

________________________________
From: Brian McGahan <bmcgahan_at_ine.com>
To: Dave Serra <maybeedave_at_yahoo.com>
Cc: "ccielab_at_groupstudy.com" <ccielab_at_groupstudy.com>
Sent: Friday, September 6, 2013 6:22 PM
Subject: Re: Site-to-Site ipsec with xauth

xauth is a hack that was put in to extend IKEv1 for ezvpn. LAN to LAN IKEv1
doesn't support xauth. You'd need to run the new IKEv2 (i.e. "FlexVPN") if you
want this support.

With IKEv1 either you have pre-shared keys or certificates for phase 1
authentication of LAN to LAN.

Brian McGahan, 4 x CCIE #8593 (R&S/SP/SC/DC), CCDE #2013::13
bmcgahan_at_INE.com
 
Internetwork Expert, Inc.
http://www.ine.com/

On Sep 6, 2013, at 4:47 PM, "Dave Serra" <maybeedave_at_yahoo.com> wrote:

>Hi Guys,
>
>We currently have an EZVPN setup with ASA 5505s at the remote site
>and 5540s at the head end. There is a requirement to convert this VPN to
>Site-to-Site as "Direct Authentication" now needs to be turned on at the
>client side. We still want to authenticate the remote ASAs using xauth but
>I'm being told that this is not supported by tac. It may be because I am
>using a dynamic-map rather than a pure site to site tunnel at the head end but
>I would like to know what you guys think. I don't understand why one version
>of IKE (for EZVPN) would support xauth and another version for site-to-site
>tunnels would not.
>
>
>Any input is greatly appreciated.

Received on Fri Sep 06 2013 - 16:06:11 ART

This archive was generated by hypermail 2.2.0 : Tue Oct 01 2013 - 06:36:35 ART