Solved: FTD/FMC VTI Tunnel

Sastic76 · ‎05-12-2022

Hi,

If we are using an FTD device and building out a IPSEC VTI tunnel to connect to a distant end which is using IPSEC GRE and then route BGP over that, will the FTD be able to establish connection? I know it won't natively do GRE but will the two sides be able to get through phase1/2 and build a tunnel that way?

MHM Cisco World · ‎05-12-2022

NO because there is GRE header add to packet and since both side not use same tunnel, then when other Peer receive this packet with GRE header it will drop it.

View solution in original post

balaji.bandi · ‎05-12-2022

I do not believe that supports :

check the Limitation :

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/216276-configure-route-based-site-to-site-vpn-t.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

MHM Cisco World · ‎05-12-2022

NO because there is GRE header add to packet and since both side not use same tunnel, then when other Peer receive this packet with GRE header it will drop it.

Sastic76 · ‎05-12-2022

So that would be the reason why we are seeing ERROR: Auth exchange failed is because its effectively getting malformed by the GRE header drop?

MHM Cisco World · ‎05-12-2022

Yes probably