Tunnel End-Point Discovery (TED) is a Cisco IOS Software feature that allows routers to automatically discover IP Security (IPsec) endpoints. Deploying IPsec with Internet Key Exchange (IKE) normally requires a crypto map entry for every peer, each identifying the endpoint to which a secure tunnel is to be established. This approach does not scale well when tunnels must be established to many peers. Dynamic crypto maps simplify such a scenario by determining the IPsec peer automatically, but they only work on the router that receives the IKE request (the responder). TED extends this so that routers which initiate IKE requests, as well as those which receive them, can dynamically discover the IPsec tunnel endpoint.
!--- Defines a dynamic crypto map to use for establishing IPsec SAs.
crypto dynamic-map ted-map 10
set transform-set ted-transforms
match address 101
!
!
!--- The 'discover' keyword used with the dynamic crypto map
!--- enables peer discovery.
crypto map tedtag 10 ipsec-isakmp dynamic ted-map discover
!
TED uses a discovery probe, a special IKE packet that the initiating router sends toward the destination network or host to which the original traffic was addressed, rather than toward a pre-configured peer. The IPsec router in the path toward that destination intercepts the probe and replies, which is how the initiator learns the peer address. Because the probe carries the addresses of the protected entities (the source and destination of the original traffic), those addresses must be routable end to end between the two protected networks. TED does not work if Network Address Translation (NAT) is involved, since the translated addresses no longer match the protected networks the peers are configured for.
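The fragments above show only the crypto map. The following is an added example, not part of the original post or of Cisco's documentation, of a complete TED configuration for one router. It assumes pre-shared-key authentication with a wildcard peer address (because the peer is not known in advance), constructed documentation addresses 192.0.2.0/24 (local protected network) and 198.51.100.0/24 (remote protected network), an outside interface named GigabitEthernet0/0, and ISAKMP policy and transform-set parameters chosen here rather than taken from the page. The remote router needs the mirror-image configuration with its access list reversed.

```cisco
!--- Added example configuration (not the page's own); addresses and
!--- interface names are constructed for illustration.
!
!--- IKE phase 1 policy. Parameters are assumptions for this example.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
!
!--- Because TED discovers the peer at run time, the pre-shared key is
!--- bound to a wildcard address. One shared key for all peers is a
!--- weak point; use certificates (RSA signatures) where possible.
crypto isakmp key ted-example-psk address 0.0.0.0 0.0.0.0
!
!--- IPsec (phase 2) transform set referenced by the dynamic map.
crypto ipsec transform-set ted-transforms esp-aes 256 esp-sha-hmac
!
!--- Dynamic crypto map: the peer is not set here, it is discovered.
crypto dynamic-map ted-map 10
 set transform-set ted-transforms
 match address 101
!
!--- The 'discover' keyword enables TED, so this router can initiate
!--- and not only respond.
crypto map tedtag 10 ipsec-isakmp dynamic ted-map discover
!
!--- Traffic to protect. The TED probe is addressed to a host in the
!--- destination network (198.51.100.0/24), so both networks must be
!--- reachable without NAT between the peers.
access-list 101 permit ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255
!
!--- Apply the crypto map on the interface facing the remote peer.
interface GigabitEthernet0/0
 crypto map tedtag
```

After the first packet from 192.0.2.0/24 to 198.51.100.0/24 arrives, the state can be checked with `show crypto isakmp sa` and `show crypto ipsec sa`; the peer address shown there is the one TED discovered, not one typed into the configuration.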
Downloads:
Configuring IPSec Tunnel End-Point Discovery (pdf)