
VTI (IPSEC) on catalyst 9200

Aladdin0z
Level 1

Good day to all, 

In a small backbone network, we are using the C9200-24T-E. The switches will be used in L3 mode (command IP ROUTING enabled). So, to interconnect multiple branch sites through an ISP switched network, we plan to set up site-to-site IPsec tunnels between switches; in our context the sites are really small, which does not justify the cost of investing in backbone switches like the C9300.

In order to achieve this configuration we plan to use VTI IPsec; in my opinion it's straightforward in terms of configuration. But what I noticed while testing the configuration is the absence of the command Tunnel protection ipsec at the tunnel interface configuration level; all I can find is Tunnel protection psk.

Is this scenario possible? Is crypto-map my second option?

Looking forward to hearing your suggestions.

 

 

 

3 Replies

Tunnel protection ipsec profile is missing from Tunnel mode config (i.e. under tunnel)?

If Yes then you need to use crypto map (i.e. policy based VPN)

MHM

M02@rt37
VIP

Hello @Aladdin0z 

The CLI command tunnel protection being missing means the HSEC license is missing.

Also take care: the C9200 is "only" a switch; I think IPsec is fully supported starting with the C9300-x.

Check on the Cisco Feature Navigator the features associated with your platform for your version and licence:

https://cfnng.cisco.com/browse/switching/products

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Hi @Aladdin0z 

The tunnel protection ipsec command is not available and only tunnel protection psk is visible. This indicates you are not getting support for the full IPsec VTI feature on your C9200 platform. The Cisco C9200 series switches (E models) do not support IPsec VTI. These platforms are LAN access switches, and while they do support L3 routing/

Thanks!