Hi Sadiq.
If it's just plain IPsec, I doubt that you can use asymmetric
transform sets.
Basically, in the Phase 2 negotiation, the first transform set is offered
(or both) to the peer. The peer lists its transform sets and selects
the first one that matches. Comparable with the ISAKMP Phase 1
policies.
However, if you would not use ISAKMP but manual keying, you might
have something. But if I remember correctly, with a VPN everything
must match at both sites: PFS, DH, access-list (with the exception of
one peer trying to connect to the other, which has a super-set ACL
configured).
How would that go with rekeying? And what if the ACL consists of more
than one entry? My guess, also for the hardware acceleration, is that
the crypto map only uses one transform set for both inbound and
outbound SPIs. If you do a debug crypto isakmp you can see that. The
only thing that is different between the two SAs is the key, and
where it is generated. DH makes sure that the dynamic symmetric key is
not sent over the wire.
Pieter-Jan
On 21 May 2009, at 15:42, Sadiq Yakasai wrote:
> Guys,
>
> So, I think I'm spending too much time in the books and theories, but I
> gather that it's possible to configure different transform sets for the Phase
> 2 SAs (inbound vs outbound) with respect to the tunnel endpoints.
>
> So is this really possible? First try didn't go successfully, but looking at it
> again, I have a few doubts that might need clearing up.
>
> So in total, on each peer, how many transform sets do I need (if this
> convolution is even possible to begin with)? 2 on each side (while swapping
> the ordering of how they are bound to the crypto map?), thereby making them
> asymmetric, sort of?
>
> Thanks in advance as usual,
> Sadiq
>
> --
> CCIE #19963
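To illustrate the Phase 2 selection rule described in the reply (initiator offers its transform sets in crypto-map order, responder walks its own list and takes the first match, and the result protects both directions of the SA pair), here is an added Python model; it is not code from the thread or from IOS, and the transform-set names, contents and SPIs are constructed for the example. It also shows the mirrored-ordering case Sadiq asked about: swapping the order on one side only changes which set wins, never gives the two SAs different transforms.

```python
# Simplified model of IKE Phase 2 transform-set selection as described in the
# reply above. This is an illustration of the stated rule, not IOS's exact
# proposal logic. All names, transforms and SPIs below are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class TransformSet:
    name: str        # local label only; never sent on the wire
    cipher: str      # e.g. esp-aes, esp-3des
    integrity: str   # e.g. esp-sha-hmac, esp-md5-hmac
    mode: str = "tunnel"

    def matches(self, other: "TransformSet") -> bool:
        # Only the transforms themselves are compared, not the labels.
        return (self.cipher, self.integrity, self.mode) == \
               (other.cipher, other.integrity, other.mode)


def negotiate(initiator_sets, responder_sets) -> Optional[TransformSet]:
    """Responder walks its own list in order; first set matching any offer wins."""
    for candidate in responder_sets:
        for offered in initiator_sets:
            if candidate.matches(offered):
                return candidate
    return None  # no common proposal: Phase 2 fails


def build_sa_pair(initiator_sets, responder_sets) -> Optional[dict]:
    """One negotiated set is applied to BOTH SAs; only SPI and key differ per direction."""
    chosen = negotiate(initiator_sets, responder_sets)
    if chosen is None:
        return None
    return {
        "inbound": {"spi": 0x1001, "transform": chosen},   # constructed SPI
        "outbound": {"spi": 0x2002, "transform": chosen},  # constructed SPI
    }


# Constructed peers: same two sets, bound to the crypto map in swapped order.
PEER_A_SETS = [TransformSet("TS-AES", "esp-aes", "esp-sha-hmac"),
               TransformSet("TS-3DES", "esp-3des", "esp-md5-hmac")]
PEER_B_SETS = [TransformSet("TS-3DES", "esp-3des", "esp-md5-hmac"),
               TransformSet("TS-AES", "esp-aes", "esp-sha-hmac")]
PEER_C_SETS = [TransformSet("TS-NULL", "esp-null", "esp-sha-hmac")]  # no overlap

if __name__ == "__main__":
    pair = build_sa_pair(PEER_A_SETS, PEER_B_SETS)
    print("A->B negotiated:", pair["inbound"]["transform"].cipher)
    print("B->A negotiated:", negotiate(PEER_B_SETS, PEER_A_SETS).cipher)
    print("A->C negotiated:", negotiate(PEER_A_SETS, PEER_C_SETS))
```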
Blogs and organic groups at http://www.ccie.net
Received on Thu May 21 2009 - 19:38:47 ART
This archive was generated by hypermail 2.2.0 : Mon Jun 01 2009 - 07:04:43 ART