IPsec tunnel with VTI

Mmiselo
Level 1

Good day,

Below are the configurations I have on a Cisco 2900 series router; the tunnel connects to the Microsoft Azure VM. The config we have was also generated from the VM side to match what they have on the tunnel.

The issue we are having is that the VTI tunnel interface keeps flapping. Is this an issue, or is there a reason why it's flapping? When we telnet through the tunnel all seems to be fine. Not sure if the flapping is an issue, as the client has been getting some errors.

Is there a way we can configure a tunnel without the VTI tunnel interface and still use IKEv2, keeping the same settings we have in the config below?

crypto ikev2 proposal azure-proposal1
 encryption 3des
 integrity sha1
 group 2
!
crypto ikev2 policy azure-policy1
 proposal azure-proposal1
!
crypto ikev2 keyring azure-keyring1
 peer CLIENT
  address 13.74.191.239
  pre-shared-key ****************
!
crypto ikev2 profile azure-profile1
 match address local interface GigabitEthernet0/0
 match identity remote address 13.74.191.239 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring azure-keyring1
!
crypto ipsec transform-set CLIENT1 esp-aes 256 esp-sha-hmac
!
crypto ipsec profile vti
 set transform-set CLIENT1
 set ikev2-profile azure-profile1
!
interface Tunnel120
 ip address 169.254.0.1 255.255.255.0
 ip tcp adjust-mss 1350
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 15.75.192.230
 tunnel protection ipsec profile vti
!
ip route 10.145.0.0 255.255.0.0 Tunnel120 name CLIENT-LAN-Range

Regards

Nelson
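A sanity check worth running on a config of this shape before chasing flapping: with a VTI, the `tunnel destination` is the IKEv2 peer, so it must agree with the keyring `address` and the profile's `match identity remote address`, and the IKEv2 proposal should not be using algorithms that current guidance (RFC 8247) marks as legacy. The script below is an added example, not code from the thread or from Cisco; the embedded config is constructed with documentation-range addresses to mirror the structure of the one posted, and the `parse_blocks`/`check_vti_config` functions and the LEGACY table are my own naming.

```python
"""Consistency and algorithm check for a Cisco IOS IKEv2 + VTI config.
Added example, not from the forum post. The sample config is constructed."""
import re
from collections import defaultdict

# Constructed sample config (documentation-range IPs, not the thread's).
# The tunnel destination deliberately differs from the keyring peer so the
# check has something to report.
SAMPLE_CONFIG = """\
crypto ikev2 proposal azure-proposal1
 encryption 3des
 integrity sha1
 group 2
!
crypto ikev2 keyring azure-keyring1
 peer CLIENT
  address 203.0.113.10
  pre-shared-key ****************
!
crypto ikev2 profile azure-profile1
 match identity remote address 203.0.113.10 255.255.255.255
 keyring azure-keyring1
!
crypto ipsec transform-set CLIENT1 esp-aes 256 esp-sha-hmac
!
crypto ipsec profile vti
 set transform-set CLIENT1
 set ikev2-profile azure-profile1
!
interface Tunnel120
 ip address 169.254.0.1 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 198.51.100.7
 tunnel protection ipsec profile vti
!
"""

# IKEv2 proposal settings RFC 8247 lists as SHOULD NOT / MUST- (legacy).
LEGACY = {
    "encryption": {"3des", "des"},
    "integrity": {"md5", "sha1"},
    "group": {"1", "2", "5"},
}


def parse_blocks(text):
    """Group IOS config lines into top-level blocks keyed by header line."""
    blocks = defaultdict(list)
    header = None
    for line in text.splitlines():
        if not line.strip() or line.strip() == "!":
            header = None
            continue
        if not line.startswith(" "):
            header = line.strip()
            blocks[header]  # create the key even for childless commands
        elif header is not None:
            blocks[header].append(line.strip())
    return blocks


def check_vti_config(text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    blocks = parse_blocks(text)
    keyring_peers, identity_peers = set(), set()
    for header, body in blocks.items():
        if header.startswith("crypto ikev2 keyring"):
            keyring_peers.update(
                m.group(1) for l in body if (m := re.match(r"address (\S+)", l)))
        elif header.startswith("crypto ikev2 profile"):
            identity_peers.update(
                m.group(1) for l in body
                if (m := re.match(r"match identity remote address (\S+)", l)))
    # 1. A VTI's destination is the IKE peer: it must be in the keyring and
    #    be accepted by the profile's identity match, or the SA cannot form.
    for header, body in blocks.items():
        if header.startswith("interface Tunnel") and "tunnel mode ipsec ipv4" in body:
            dest = next((l.split()[-1] for l in body
                         if l.startswith("tunnel destination")), None)
            if dest not in keyring_peers:
                findings.append(f"{header}: destination {dest} has no keyring peer")
            if dest not in identity_peers:
                findings.append(f"{header}: destination {dest} matches no ikev2 profile identity")
    # 2. Legacy algorithms in the IKEv2 proposal.
    for header, body in blocks.items():
        if header.startswith("crypto ikev2 proposal"):
            for l in body:
                parts = l.split()
                if parts and parts[0] in LEGACY and LEGACY[parts[0]] & set(parts[1:]):
                    findings.append(f"{header}: legacy {parts[0]} setting '{l}'")
    return findings


if __name__ == "__main__":
    for f in check_vti_config(SAMPLE_CONFIG):
        print(f)
```

Run it against a live config pasted into `SAMPLE_CONFIG`; a peer mismatch is a configuration error to fix first, while the legacy-algorithm findings are a hardening item to raise with whoever generated the Azure side of the config, since both ends must agree.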

3 Replies

Richard Burts
Hall of Fame

Nelson

If you want to change it and not use VTI you could probably rewrite it to use GRE with IPsec and use IKEv2. But I am not sure why you would do that. VTI is the newer approach to tunneling with IPsec and simplifies some of the things that you would need to do with GRE (such as configuring crypto maps).

We do not have enough information to know what is causing the flapping. But I very much doubt that changing from VTI to GRE would solve that problem.

HTH

Rick


Hi Rick,

Thanks for the response!

I agree that the VTI route makes everything easier and I would prefer to stick to the current setup. The only worry is the flapping of the VTI, and I almost thought it was normal behavior.

I just want to make sure it's not the flapping that is affecting traffic.

Regards

Nelson

Nelson

We do not have enough information to identify the cause of the flapping. It might be a crypto issue that causes the flapping. I have had experience where something was going on with ISAKMP and would cause the tunnel to flap. Or it might be something else. Perhaps a debug of ISAKMP might be a place to start your troubleshooting?

HTH

Rick

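Before turning on crypto debugs, the router's own syslog already tells you how the interface is flapping: the `%LINEPROTO-5-UPDOWN` messages give up and down times, and whether the tunnel stays up for a near-constant interval (which points at a timer such as an SA lifetime or DPD) or at random (which points at path or peer instability). The script below is an added example, not from the thread or from Cisco; the log lines are constructed in the IOS `service timestamps log datetime` format, and `parse_transitions`/`flap_summary` are my own names.

```python
"""Tunnel flap timing from Cisco IOS syslog. Added example, not from the
thread; the sample log lines are constructed."""
import re
from datetime import datetime

# Constructed sample: Tunnel120 bouncing roughly every ten minutes, plus an
# unrelated interface event that must be ignored.
SAMPLE_LOG = """\
Mar  3 10:00:05: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel120, changed state to up
Mar  3 10:10:12: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel120, changed state to down
Mar  3 10:10:41: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel120, changed state to up
Mar  3 10:15:00: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
Mar  3 10:20:44: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel120, changed state to down
Mar  3 10:21:09: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel120, changed state to up
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)(?:\.\d+)?: %LINEPROTO-5-UPDOWN: "
    r"Line protocol on Interface (?P<iface>\S+), changed state to (?P<state>up|down)$"
)


def parse_transitions(log_text, iface):
    """Return [(timestamp, 'up'|'down'), ...] for one interface, in log order.
    The IOS timestamp has no year; strptime defaults it, which is fine for
    differences within one log."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("iface") == iface:
            ts = datetime.strptime(re.sub(r"\s+", " ", m.group("ts")), "%b %d %H:%M:%S")
            events.append((ts, m.group("state")))
    return events


def flap_summary(log_text, iface, tolerance=0.10):
    """Count flaps and measure up/down durations; 'periodic' is True when the
    up durations agree to within `tolerance` of their mean."""
    events = parse_transitions(log_text, iface)
    up_secs, down_secs = [], []
    for (t0, s0), (t1, s1) in zip(events, events[1:]):
        if s0 == s1:
            continue  # repeated state (lost message); do not miscount it
        delta = (t1 - t0).total_seconds()
        (up_secs if s0 == "up" else down_secs).append(delta)
    periodic = False
    if len(up_secs) >= 2:
        mean = sum(up_secs) / len(up_secs)
        periodic = (max(up_secs) - min(up_secs)) <= tolerance * mean
    return {
        "flaps": sum(1 for _, s in events if s == "down"),
        "up_seconds": up_secs,
        "down_seconds": down_secs,
        "periodic": periodic,
    }


if __name__ == "__main__":
    print(flap_summary(SAMPLE_LOG, "Tunnel120"))
```

Feed it the output of `show logging` (with `service timestamps log datetime` enabled). A periodic result is the cue to compare the interval against the configured IKEv2 and IPsec SA lifetimes and DPD timers on both ends; a non-periodic one is the cue for the crypto debugs Rick mentions, since then the trigger is likely loss of the peer rather than a rekey.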