RA VPN on a user-defined virtual router in FTD

Chess Norris
Level 4

Hello,

Does anyone know if it's possible to run RA VPN on a user-defined virtual router in FTD or if that's only supported in the global virtual router?

/Chess


6 Replies

@Chess Norris as of the latest FTD version 7.2, there is no information about supporting terminating a RAVPN on a user-defined virtual router, but you can now terminate a VTI on a user defined virtual router.

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/release-notes/threat-defense/720/threat-defense-release-notes-72/features.html


Thanks. Can you run RA VPN on a VTI or is that just for L2L tunnels? 

/Chess

@Chess Norris no you can't, that's for L2L VPN only.

Sorry, I just mentioned it for reference.

I can run the RA VPN on the global virtual router and the L2L VPN on a VTI so it shouldn't be any problem, but I have one more question about this. At the moment the L2L VPN is policy-based and I guess I need to migrate to route-based if I want to use a VTI? Can I do this migration without affecting the other side of the tunnel or do they need to make changes on their side as well?

Thanks

/Chess


@Chess Norris You could try to force a route-based VTI to communicate with a policy-based VPN, but you'd need to reconfigure the remote end to use 0.0.0.0/0.0.0.0 in the crypto ACL to define the interesting traffic. It's better and simpler to use a VTI on both ends.

Thanks for your help. Much appreciated.

/Chess
