Friday, January 01, 2010

EZVPN with certificates. part3

In my previous post I used certificate maps rather than "match identity group". Why?

I could have easily used "match identity group LAB", as you can see in the debugs from the previous post, but I prefer not to. Certificate maps are here to stay, and they offer much more flexibility than static matching.

Here's some background on why you might want to consider using cert maps in production.

As of IOS 12.4(20)T (that release and everything above), some connections, for example L2L tunnels, stopped sending the Unity VID. So what? So "match identity group" will not work in that case: the group match is only applied for EZVPN, where the Unity tag is set. Where is this documented? It's not, but feel free to check your debugs :)

A thought on virtual templates: if you're not using them, you should start moving your setup to them. Cisco will be making this THE EZVPN setup (for both client and server). It offers huge flexibility improvements and fixes some of the shortcomings of legacy configurations (NAT, firewall, access-lists), plus all other remote access methods (L2TP, PPTP and yes, recently even WebVPN) are using it already.
A virtual-template EZVPN setup is referred to as DVTI, while a tunnel interface with "tunnel mode ipsec ipv4" is called SVTI, just in case you have to work with Cisco TAC.
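To tie both points together, here is an added illustration (not the configuration from the previous post): a certificate map takes the place of "match identity group" and is bound to an ISAKMP profile that hands peers to a virtual template (DVTI). All names (LAB-MAP, LAB-CA, EZVPN-PROF, the OU/CN strings, the AAA list names, Loopback0) are assumed.

```cisco
! Certificate map: match on what the peer's certificate carries
! (issuer, subject fields) instead of on a group name that
! only arrives when the peer sends the Unity VID.
crypto pki certificate map LAB-MAP 10
 issuer-name co cn = lab-ca
 subject-name co ou = lab
!
! ISAKMP profile: "match certificate" replaces
! "match identity group LAB", so L2L peers that never send
! the Unity VID still land in this profile.
crypto isakmp profile EZVPN-PROF
 ca trust-point LAB-CA
 match certificate LAB-MAP
 client authentication list EZVPN-AUTHEN
 isakmp authorization list EZVPN-AUTHOR
 client configuration address respond
 virtual-template 1
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto ipsec profile EZVPN-IPSEC
 set transform-set TS
 set isakmp-profile EZVPN-PROF
!
! DVTI: one virtual-access interface is cloned per peer,
! so ACLs, NAT and firewall policy apply per tunnel.
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile EZVPN-IPSEC
```

"show crypto isakmp profile" lists the profile with its match criteria, and the same "debug crypto isakmp" output the previous post relied on shows which profile a connecting peer is placed in.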
