cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1210
Views
0
Helpful
2
Replies

ASA 9.7(1) VTI interface to ASA crypto map VPN

cyodesigns
Level 1
Level 1

Does any know if it possible to use one of the new VTI interfaces available in 9.7(1) to create a IPSEC VPN to another ASA running older code and only able to use crypto maps? Has anyone tried to do it and succeeded?

Mark

1 Accepted Solution

Accepted Solutions

Mark

I do not believe that it is possible to set up a site to site VPN where one side uses VTI and the other side uses crypto map. A major difference between the approaches is that the crypto map uses an access list to identify the subnets to be protected by encryption. But VTI assumes that anything going through the tunnel needs to be encrypted (effectively 0.0.0.0/0). So there is no command on the VTI ASA to specify the subnets as proxy id.

HTH

Rick

HTH

Rick

View solution in original post

2 Replies 2

cyodesigns
Level 1
Level 1

I've done some testing, when I create a VTI on one ASA and a crypto map on another ASA, phase 1 comes up but this error shows on the crypto map ASA:

3 Mar 02 2017 16:19:47 Group = X.X.X.X, IP = X.X.X.X, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside

So it looks like the VTI is using 0.0.0.0/0 as the default proxy id and the crypto map ASA will be using the specific subnets. I can't see any commands on the VTI ASA that would allow me to specify the subnets as proxy ids so they would match on both ends. any ideas anyone?

Mark

Mark

I do not believe that it is possible to set up a site to site VPN where one side uses VTI and the other side uses crypto map. A major difference between the approaches is that the crypto map uses an access list to identify the subnets to be protected by encryption. But VTI assumes that anything going through the tunnel needs to be encrypted (effectively 0.0.0.0/0). So there is no command on the VTI ASA to specify the subnets as proxy id.

HTH

Rick

HTH

Rick
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: