
Using a static VTI on a SR520 to RV110w IPsec VPN

craigzuehlke
Level 1

I am trying to set up a static VTI IPsec VPN between a SR520 and a RV110w. This works fine between the 520 and an 861, but the RV110 complains about the "permit ip any any" default policy of the VTI. (The same thing happens with the 861 and RV110.) Does anyone know how to put a policy in place that would be used in negotiating the tunnel that the 110 would accept?

Attached the lines out of the 110's log and the VTI setup.

Thanks in advance!

5 Replies

Craig,

I have been checking around and I think the RV110w does not support VTI.

I would suggest using a crypto map on the SR520. In case you need to send multicast traffic across a VPN tunnel, you may consider replacing the RV110 with a more sophisticated device.

Thanks.

Portu.

Please rate any helpful posts

Thanks Portu. If it's that the 110 doesn't have VTIs, that's true. If it's that there's no way to get past the VTI's default policy, that's what I need to know.

Craig

Craig,

Thanks for your response.

Let me ask a couple of questions.

Why do you need a VTI tunnel (for multicast, maybe)?

Have you considered using a crypto map instead?

Thanks.

Portu.

Sorry to reply late. Yes, multicast is one thing needed. The crypto maps are the "regular" way of setting up VPNs, but the tunnels offer a native way of doing it. Just requires an open (but encrypted) tunnel, which the 110s don't support. By having a tunnel interface, you can more easily manage things like routing, security, QoS, etc., not to mention it's easy to shut down an interface. I didn't find that you can assign the maps to loopback interfaces, which gives some of the features, but still not native like a VTI. If you know how to apply a policy to a VTI, thanks much! Otherwise, I'll just use the maps applied to the WAN interface.

Thanx,

Craig

Hi Craig,

Thanks for your clarification.

Since the 110 does not support VTI then we will have to work with a "crypto map".

If you need VTI, then you may want to consider a more powerful device like an 800 Router series for instance.

Thanks.

Portu.

Please rate any helpful posts
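
The crypto map approach suggested in the replies, sketched as an added example that is not part of the original thread or any poster's actual configuration. The peer address, LAN subnets, object names, WAN interface name and crypto parameters are all constructed assumptions; the IKE and IPsec settings must match whatever is configured on the RV110W.

```ios
! Added example. All names, addresses, interfaces and crypto parameters
! below are constructed placeholders, not values from the thread.
!
! A static VTI (tunnel mode ipsec ipv4 + tunnel protection ipsec profile)
! always proposes "permit ip any any" (0.0.0.0/0 <-> 0.0.0.0/0) as its
! IPsec traffic selectors. A crypto map takes the selectors from an ACL,
! so the proposal names the specific LAN subnets on each side.
!
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 5
!
! Placeholder key; 203.0.113.2 stands in for the RV110W's WAN address.
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.2
!
crypto ipsec transform-set RV110-TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Traffic selectors: local LAN -> remote LAN. The remote end must be
! configured with the mirror image (its local = 192.168.20.0/24,
! its remote = 192.168.10.0/24) or phase 2 will not come up.
ip access-list extended VPN-TO-RV110
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
crypto map RV110-MAP 10 ipsec-isakmp
 description Site-to-site tunnel to RV110W
 set peer 203.0.113.2
 set transform-set RV110-TS
 match address VPN-TO-RV110
!
! WAN interface name is an assumption; apply the map to the interface
! that faces the peer.
interface FastEthernet4
 crypto map RV110-MAP
```

If the WAN interface also performs NAT overload, the LAN-to-LAN traffic matched above has to be excluded from NAT. The `local ident` and `remote ident` lines in `show crypto ipsec sa` show which selectors were actually negotiated.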