
Disable Replay Protection on Viptela via CLI or vManage

jeffhcf
Level 1

Hello!

I am working with one of our administrators that controls the Cisco Viptela infrastructure. We are following a vendor's configuration recommendation and are seeing a discrepancy between what options we have in vManage (or even the CLI) and what the vendor has in their sample configuration.

The vendor's configuration recommends using a "SIG [Secure Internet Gateway] Template" on vManage:


Tunnel Type                                    IPsec
Interface Name (1..255)                        Global
Description                                    IP
Tunnel Source IP Address                       Device-Specific
IPv4 addresses                                 Device-Specific
Tunnel Route-via Interface                     Device-Specific
Tunnel Destination IP Address/FQDN(Ipsec)      Device-Specific
Preshared key                                  Device-Specific
IPsec Rekey Interval (under advanced options)  Default
IPsec Replay Window                            Default
IPSec Cipher Suite                             Global (AES 256 CBC SHA 256)
Perfect Forward Secrecy                        Global (Group-14 2048-bit modulus)


They also require that anti-replay protection be disabled and recommend using a "non-default feature template" to accomplish this:


crypto ipsec profile {{ipsec_profile_name}}
no set security-association replay window-size 512
set security-association replay disable

crypto ikev2 profile {{ikev2_profile_name}}
identity local key-id {{ipsec-key-id}}


The vendor says they tested with 20.6.2/17.6.2.

We do not seem to have an option to disable the anti-replay protection - only the option to modify the window-size in both vManage and the CLI.

I'm not sure which version of vManage we're running, but it's newer than 20.6.2 but I do know we're running 17.6.4.

Any thoughts on why it's not possible to configure this? Is it possible that it's a hidden command? I think we tried issuing the command from the CLI and it wasn't accepted.

Thanks in advance!
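Added example, not from this thread or from Cisco: a small Python audit that parses IOS-XE style "crypto ipsec profile" blocks (the syntax used in the vendor snippet above) and reports each profile's anti-replay state, so an administrator can see where "replay disable" actually took effect versus where only the window size was tuned or the default is still in place. The configuration text is constructed for the example.

```python
import re

# Constructed sample config (not taken from any real device). One profile
# mirrors the vendor's recommendation, one only tunes the window size, and
# one leaves anti-replay at its default.
SAMPLE_CONFIG = """\
crypto ipsec profile sig-profile
 no set security-association replay window-size 512
 set security-association replay disable
 set transform-set sig-ts
!
crypto ipsec profile branch-profile
 set security-association replay window-size 512
 set transform-set branch-ts
!
crypto ipsec profile lab-profile
 set transform-set lab-ts
!
"""

REPLAY_DISABLE = "set security-association replay disable"
REPLAY_WINDOW = re.compile(r"set security-association replay window-size (\d+)")
PROFILE_HEADER = re.compile(r"crypto ipsec profile (\S+)")


def audit_replay(config: str) -> dict:
    """Return {profile_name: state}, where state is 'disabled',
    'window-size N' or 'default'. Leading whitespace is ignored so the same
    text pasted into a CLI add-on template can be checked as well."""
    results, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        header = PROFILE_HEADER.match(line)
        if header:
            current = header.group(1)
            results[current] = "default"
            continue
        if line == "!":            # end of the profile block
            current = None
            continue
        if current is None:
            continue
        if line.startswith("no set security-association replay"):
            results[current] = "default"   # 'no' form resets to default
        elif line == REPLAY_DISABLE:
            results[current] = "disabled"
        elif (m := REPLAY_WINDOW.match(line)):
            results[current] = f"window-size {m.group(1)}"
    return results


def profiles_with_replay_disabled(config: str) -> list:
    """Names of profiles where anti-replay protection is fully off."""
    return sorted(n for n, s in audit_replay(config).items() if s == "disabled")
```

Running audit_replay(SAMPLE_CONFIG) shows sig-profile as disabled, branch-profile as window-size 512 and lab-profile as default, which is the distinction the poster is trying to verify in vManage.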

1 Reply

jeffhcf
Level 1

Just to add - I was able to find out a bit more information from the vendor. They said that both a SIG Template and a Non-Standard Template are required to achieve the configuration requirements and the option to disable replay protection was a hidden command that needed to be applied in the Non-Standard Template.

set security-association replay disable

Is there someone who can confirm this?
