We have a big project involving the deployment of hundreds of firewalls in different locations: HQ and shops. Each shop was connected to the regional HQ via VPN, either EasyVPN or static L2L (the latter when the shop has two Internet lines).
Currently, all locations use ASA devices, which are going to be migrated/replaced with FTDs, centrally managed by FMC.
The implementation has already started, but we found several limitations in the current implementation of the VPN, compared to what was possible with the ASA:
- on the HQ hub, concentrating the VPNs from the shops, it's not possible to impose an order among the crypto maps;
- it's not possible to configure a backup peer IP address in hub-and-spoke VPNs (unless you resort to contorted configurations);
- VTI tunnels, which would be absolutely welcome, are not supported: you can configure almost every aspect using FlexConfig, but not the "nameif" and "ip address" commands under the Tunnel interface;
- it's not possible to associate a filter ACL to a VPN.
We would like to know if these four issues are included in the roadmap for the next upgrade; in particular, the VTI VPN is of particular interest for us: we see that there are a couple of "enhancement request bugs" (CSCvf75938, CSCvj24040), acting as placeholders for the fact that VTI should be supported, but without any clue about when that will happen.
Thanks in advance.
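For readers comparing the two platforms, here is the ASA-side configuration the four points above refer to. This is an added reference, not part of the poster's message and not FMC/FTD or FlexConfig syntax; the interface names, ACL names, addresses (RFC 5737 ranges) and the ASA 9.7-or-later baseline are assumptions. It shows crypto map sequence numbers fixing evaluation order, `set peer` with two addresses giving a backup peer, `vpn-filter` in a group policy attaching a filter ACL to one tunnel, and a VTI as a routed Tunnel interface whose `nameif` and `ip address` lines are exactly the ones the post says FlexConfig cannot push.

```cisco
! Hub ASA (assumed 9.7+); all names and addresses are illustrative
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside

crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

! 1) Ordering: crypto map entries are evaluated by sequence number, so the
!    specific SHOP1 entry (10) is matched before the broader REGION entry (20).
! 2) Backup peer: the second address on "set peer" is tried when the first is down.
access-list SHOP1-VPN extended permit ip 10.1.0.0 255.255.0.0 10.101.0.0 255.255.255.0
access-list REGION-VPN extended permit ip 10.1.0.0 255.255.0.0 10.100.0.0 255.252.0.0
crypto map OUTSIDE_MAP 10 match address SHOP1-VPN
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10 203.0.113.11
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE_MAP 20 match address REGION-VPN
crypto map OUTSIDE_MAP 20 set peer 203.0.113.30
crypto map OUTSIDE_MAP 20 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE_MAP interface outside

! 3) Filter ACL: written with the remote (shop) network as source; the ASA
!    applies it to decrypted traffic of this tunnel via the group policy.
access-list SHOP1-FILTER extended permit tcp 10.101.0.0 255.255.255.0 host 10.1.10.5 eq 443
access-list SHOP1-FILTER extended deny ip any any
group-policy GP-SHOP1 internal
group-policy GP-SHOP1 attributes
 vpn-filter value SHOP1-FILTER
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy GP-SHOP1
tunnel-group 203.0.113.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <psk-shop1>
 ikev2 local-authentication pre-shared-key <psk-shop1>

! 4) VTI: a routed tunnel interface; "nameif" and "ip address" are the two
!    lines the post reports FlexConfig cannot push on FTD.
crypto ipsec profile VTI-PROFILE
 set ikev2 ipsec-proposal AES256-SHA256
interface Tunnel1
 nameif vti-shop2
 ip address 10.255.1.1 255.255.255.252
 tunnel source interface outside
 tunnel destination 203.0.113.20
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <psk-shop2>
 ikev2 local-authentication pre-shared-key <psk-shop2>
! With a VTI, reachability is plain routing (static here, or a dynamic protocol
! over the tunnel), not a crypto ACL.
route vti-shop2 10.102.0.0 255.255.255.0 10.255.1.2
```

The `<psk-...>` placeholders stand for the shared secrets and are not valid ASA syntax as written; substitute real values. The practical point of the VTI block is the last line: once the tunnel is an interface with an address, routes (including dynamic routing adjacencies) decide what goes into the tunnel, which is what a crypto map cannot offer.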
I also have no timeline. But I'm pretty sure that Cisco is very aware of the fact that many customers (including me) are eagerly waiting for these features (and many more) in FTD. I'm hoping to see some more in the next bigger releases.
I would suggest you make sure your Cisco account manager is aware of your need for these enhancements. It will carry more weight via that path than via your posting here.
Does anybody know if this VTI feature is coming to FTD anytime soon?
I also have a large deployment with VTI and dynamic routing, and the missing feature is holding back migration to higher-model firewalls.