topic Re: FTD Route based VPN in Network Security

FTD Route based VPN

N3om — Fri, 10 May 2024 08:09:55 GMT

I have created the VTI Interface for this but when I run packet tracer input the VTI I nterface is not in the list of available interfaces to use in packet tracer.??

Any ideas anyone
Thanks

Re: FTD Route based VPN

MHM Cisco World — Fri, 10 May 2024 08:48:26 GMT

Wierd

Anyway you can use Inside interface in packet tracer fer and the route lookup must poiny to VTI

MHM

Re: FTD Route based VPN

N3om — Fri, 10 May 2024 08:52:15 GMT

Hi
when I run packet tracer from inside to the subnet at the peer side in the results its ok it says inside to vti, but when i run in other direction I only see outside and inside interface, so i cant do packet tracer from vti to inside.??

Thanks

Re: FTD Route based VPN

MHM Cisco World — Fri, 10 May 2024 08:57:58 GMT

Yes, when I test policy based VPN I do two direction

But since nameif of VTI is not appear in packet tracer you have only one direction test.

But as You mentioned when you use Inside the packet tracer is all UP and allow so the VTI is OK.

Or Do you have issue in VTI and you need to test other direction?

MHM

Re: FTD Route based VPN

N3om — Fri, 10 May 2024 10:32:29 GMT

Hello

The Customer are sending traffic but its not connecting and I dont see thier traffic in our connections gui. I wonder if there is a bug that causes Interface not to show in list ??

Thanks

Re: FTD Route based VPN

MHM Cisco World — Fri, 10 May 2024 10:37:59 GMT

Sorry the connection is drop or not showing in GUI?

MHM

Re: FTD Route based VPN

N3om — Fri, 10 May 2024 11:04:53 GMT

Not showing

Re: FTD Route based VPN

Rob Ingram — Fri, 10 May 2024 12:01:33 GMT

@N3om the documentation is poor and does not explictly state you can or cannot specify a VTI as the input interface, but it does state that some packet-tracer functionality is not supported with route based VPN.

"It is possible to inject a decrypted packet in a VPN tunnel, which is generic and applicable for both IPSec and TLS. It is also possible to simulate a packet that comes across a VPN tunnel. The simulated ‘decrypted’ packet would be matched against an existing VPN tunnel and the associated tunnel policies would be applied. However, this functionality is not applicable for a route-based VPN tunnel."

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/I-R/asa-command-ref-I-R/pa-pn-commands.html#wp1614728796

I double checked a VTI I have access to and I cannot specify it as the source interface in packet-tracer either, so I would say you cannot.