03-02-2017 04:17 AM
Does anyone know if it is possible to use one of the new VTI interfaces available in 9.7(1) to create an IPSEC VPN to another ASA running older code and only able to use crypto maps? Has anyone tried to do it and succeeded?
Mark
03-02-2017 08:18 AM
I've done some testing. When I create a VTI on one ASA and a crypto map on another ASA, phase 1 comes up but this error shows on the crypto map ASA:
3 Mar 02 2017 16:19:47 Group = X.X.X.X, IP = X.X.X.X, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
So it looks like the VTI is using 0.0.0.0/0 as the default proxy id and the crypto map ASA will be using the specific subnets. I can't see any commands on the VTI ASA that would allow me to specify the subnets as proxy ids so they would match on both ends. Any ideas, anyone?
Mark
03-03-2017 11:46 AM
Mark
I do not believe that it is possible to set up a site to site VPN where one side uses VTI and the other side uses crypto map. A major difference between the approaches is that the crypto map uses an access list to identify the subnets to be protected by encryption. But VTI assumes that anything going through the tunnel needs to be encrypted (effectively 0.0.0.0/0). So there is no command on the VTI ASA to specify the subnets as proxy id.
HTH
Rick
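The proxy ID mismatch discussed in this thread can be confirmed from the logs. The following is an added example, not code from any poster: it parses the rejection message quoted above and compares the proposed proxy IDs with the subnet pairs a crypto map ACL protects. The function names, the ACL pair and the second log line are constructed for illustration.

```python
import ipaddress
import re

# ASA rejection message as quoted in the thread; each proxy is addr/mask/protocol/port.
REJECT_RE = re.compile(
    r"Rejecting IPSec tunnel: no matching crypto map entry for "
    r"remote proxy (?P<remote>\S+) local proxy (?P<local>\S+) "
    r"on interface (?P<ifc>\S+)"
)

def parse_proxy(field):
    """Convert 'addr/mask/protocol/port' to an IPv4Network (protocol/port ignored here)."""
    addr, mask, _proto, _port = field.split("/")
    return ipaddress.ip_network(f"{addr}/{mask}")

def diagnose(line, crypto_acl):
    """crypto_acl: (local_cidr, remote_cidr) pairs protected by the crypto map (hypothetical).
    Returns None for unrelated lines, otherwise a dict describing the mismatch."""
    m = REJECT_RE.search(line)
    if m is None:
        return None
    local, remote = parse_proxy(m["local"]), parse_proxy(m["remote"])
    pairs = [(ipaddress.ip_network(l), ipaddress.ip_network(r)) for l, r in crypto_acl]
    if (local, remote) in pairs:
        cause = "selectors_in_acl"          # rejection has another reason
    elif local.prefixlen == 0 and remote.prefixlen == 0:
        cause = "peer_proposed_any_any"     # what the VTI side sent in the thread
    else:
        cause = "selectors_not_in_acl"
    return {"interface": m["ifc"], "local": str(local), "remote": str(remote), "cause": cause}

# First line is the message from the thread; the second is constructed.
SAMPLE_LOG = [
    "3 Mar 02 2017 16:19:47 Group = X.X.X.X, IP = X.X.X.X, Rejecting IPSec tunnel: "
    "no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 "
    "local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside",
    "3 Mar 02 2017 16:25:10 Group = X.X.X.X, IP = X.X.X.X, Rejecting IPSec tunnel: "
    "no matching crypto map entry for remote proxy 10.9.0.0/255.255.0.0/0/0 "
    "local proxy 10.1.0.0/255.255.255.0/0/0 on interface outside",
]
CRYPTO_ACL = [("10.1.0.0/24", "10.2.0.0/24")]  # constructed subnet pair

def run():
    return [diagnose(line, CRYPTO_ACL) for line in SAMPLE_LOG]

if __name__ == "__main__":
    for result in run():
        print(result)
```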