This item came to me this morning by way of a Vyatta user. It appears that Cisco will no longer support IPSec termination between the ASA and 3rd party devices. Yes, they'll still support IPSec. But not interoperability.
Cisco has long been the king of non-interoperable, proprietary protocols such as EIGRP, HSRP, Fast EtherChannel, etc. Typically, a standard, alternative protocol ends up being developed that solves similar problems and allows multi-vendor interoperability (OSPF, VRRP, 802.3ad, etc.). And the market typically forces Cisco to implement those standard protocols, though Cisco will always recommend installing the proprietary protocols when it comes to implementation time in order to lock in customers and force them to pay its prices.
This behavior takes the cake, however. Cisco is essentially saying, "Yea, the product implements a standard VPN protocol, but we won't actually guarantee that or work with you to resolve any problems if you try to use that protocol with a 3rd party product. We'll only support you if you're using that standard protocol between two proprietary Cisco devices." Simply. Staggering. Now you can have all the lock-in of a proprietary protocol when you use a standard protocol. Congratulations, Cisco users.
For fun, let's project a couple of years into the future when this policy takes wider hold at Cisco. These are statements you can expect to hear from the Networking Experts™:
- "Yes, we implement Ethernet, but we'll only support you when you use it between Cisco devices."
- "Yes, we implement BGP, but we'll only support you when you use it between Cisco devices."
- "Yes, we implement the forwarding of IP datagrams, but we'll only support you if those datagrams have not been previously forwarded by a 3rd party product by the time they reach our product."
- "Yes, we implement SIP for VoIP traffic, but we'll only support you if it originates from a Cisco phone."
At Vyatta, we take interoperability seriously. We're not so arrogant as to think your entire network will only consist of Vyatta products. We'll actually help our products work with others in your network. In short, we're here to serve you, the user. Try Vyatta and enjoy IPSec interoperability with a multitude of other vendors. We can't guarantee that we'll work with every other vendor, but we can guarantee that we'll try, and we can guarantee that we'll work with more than just ourselves.
Update: It looks like Cisco got a bunch of bad press over this and edited its documentation. As adimcev points out in the comments, it now says, "Note: The ASA supports LAN-to-LAN IPsec connections with Cisco peers, and with third-party peers that comply with all relevant standards." That's better. I guess a little public flogging does get results.
Amazingly, Jamey Heary over at Network World's Cisco Subnet Blog carries Cisco's PR water and claims that it's all just a misunderstanding. Jamey writes, "Many of us, myself included, always interpreted the original quote in the way it was intended. So we didn’t ever think twice about it." Really? So where Cisco said, "ASAs support IPsec LAN-to-LAN VPNs with other Cisco peers. Because we adhere to VPN industry standards, ASAs may work with other vendors' peers in LAN-to-LAN VPNs; however, we do not support them," you always interpreted that to mean that they did support them and you claim that's what Cisco always meant? Really? Wow. Evidently, Jamey had access to an advanced English grammar and mind-reading class in school that I didn't.