WebTech

Get flash to fully experience Pearltrees

https://supportforums.cisco.com/thread/2174201#3747685

Hello Nicolas, Currently, VTI [ IPSEC mode] works only ipv4 over ipv4 / ipv6 over ipv6. Per RFC, in ikev2, we could have an overlay dual stack [ since we can have 2 TSi -TSr] but it's not yet implemented. A dual stack approach would consume more ressources than GRE [ which is available today].

ipsec vti ipv4 over ipv6 possible ?|2174201

VPN: Advantages of VTI configuration for IPSec tunnels.

History. Several years ago, while being new to security team in Brussels TAC, a case appeared in our queue that would change my view on IPSec VPN (and not only!). The problem description was quite clear - unable to go out through IPSec VPN to the internet when connected with Cisco VPN Client to a 1841 series router in full tunnel mode. Seems quite easy, right?

https://supportforums.cisco.com/community/netpro/security/vpn/blog/2010/12/08/advantages-of-vti-configuration-for-ipsec-tunnels

IPv6 Implementation Guide, Cisco IOS Release 15.2M&T - Implementing IPsec in IPv6 Security [Cisco IOS 15.2M&T

Because IKE negotiations must be protected, each IKE negotiation begins by agreement of both peers on a common (shared) IKE policy. This policy states which security parameters will be used to protect subsequent IKE negotiations and mandates how the peers are authenticated. After the two peers agree upon a policy, the security parameters of the policy are identified by an SA established at each peer, and these SAs apply to all subsequent IKE traffic during the negotiation. You can configure multiple, prioritized policies on each peer--each with a different combination of parameter values. However, at least one of these policies must contain exactly the same encryption, hash, authentication, and Diffie-Hellman parameter values as one of the policies on the remote peer.