can i use a vti at one end and crypto map at the other?

Mike Schooley
Level 1

both GRE through IPsec, correct?

6 Replies

Alain Jourez
Cisco Employee

Hello Mike,

Just for clarity, let me redefine things a bit. VTI stands for virtual tunnel interface. This is a Tunnel with both "tunnel mode ipsec ipv4" _and_ "tunnel protection ipsec profile ".

Given this, it is incompatible with crypto maps so far, as a VTI will always negotiate "permit ip any any", which is incompatible with crypto maps on the other end, which require a more specific access-list for interesting traffic.

Now considering just tunnel protection, with the tunnel mode set to GRE (the default), there you can terminate the VPN on another box that is using crypto maps. Indeed, in this situation the IPsec negotiation will request a "permit gre host host ", which can be reflected in the access-list used by the crypto map.

I hope this answers your question.

Thanks

Alain

OK, so if I don't use the tunnel mode ipsec portion, it automatically creates an encryption domain of the tunnel endpoints? Also, if I do use tunnel mode ipsec, it is an IPsec tunnel without GRE, but it still supports multicast so I can run EIGRP, OSPF, etc. over it, correct?

Hi Mike,

When you add "tunnel protection ipsec profile", this will indeed create the entry in the security policy database to encrypt the tunnel itself. The generated crypto map will actually match either GRE between the endpoints (when in the default tunnel mode gre ip) or ip any any in the case of a pure VTI (tunnel mode ipsec ipv4).

And yes, in both cases you will be able to pass routing protocol over them.

HTH.

Alain
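A worked configuration for the GRE-mode case Alain describes, added here as an example and not taken from the thread: Router A uses a GRE tunnel with an IPsec profile (no "tunnel mode ipsec ipv4"), Router B uses a crypto map whose access-list mirrors the GRE host-to-host proxy ID. The addresses are constructed documentation addresses, the pre-shared key is a placeholder, and the policy parameters are assumed values that both sides must simply agree on.

```cisco
! Router A: GRE tunnel with tunnel protection (default tunnel mode gre ip)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER_PSK address 203.0.113.2
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
crypto ipsec profile GRE-PROF
 set transform-set TS
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source 203.0.113.1
 tunnel destination 203.0.113.2
 ! no "tunnel mode ipsec ipv4": GRE stays, so the proxy ID is gre host-to-host
 tunnel protection ipsec profile GRE-PROF
!
! Router B: crypto map whose ACL mirrors that GRE host-to-host proxy ID
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER_PSK address 203.0.113.1
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
ip access-list extended GRE-TO-A
 permit gre host 203.0.113.2 host 203.0.113.1
crypto map CM 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address GRE-TO-A
!
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.0
 crypto map CM
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.252
 tunnel source 203.0.113.2
 tunnel destination 203.0.113.1
!
! Check on either side: "show crypto ipsec sa" should show the proxy IDs as
! protocol 47 (GRE) between the two public addresses, for example
!   local  ident (addr/mask/prot/port): (203.0.113.1/255.255.255.255/47/0)
!   remote ident (addr/mask/prot/port): (203.0.113.2/255.255.255.255/47/0)
```

If Router A were switched to "tunnel mode ipsec ipv4", its proxy ID would become ip any any and the crypto map ACL on Router B could no longer match it, which is exactly the incompatibility described above.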

kviliussimas
Level 1

In general, a tunnel interface can be configured to work with a crypto map configuration on the other end of the tunnel. To do it, you need to manually configure the proxy ID on the VTI tunnel side so that it mirrors the proxy ID configured on the crypto map. For example, Juniper SSG devices have this feature. Unfortunately, on Cisco IOS there is no way to manually set the proxy ID and it always uses ip any any, so this configuration isn't possible between two Cisco IOS routers.

ggmeza1983
Level 1

Hi to all, I have a scenario where I'm running DMVPN with VTI. I need to connect to another site which uses MikroTik. As I read, MikroTik doesn't support VTI. So can I configure site-to-site between the Cisco router and the MikroTik with a crypto map on my side? I don't want to affect the DMVPN operation. Any suggestions?

@ggmeza1983 I'm pretty sure running a crypto map and a VTI on the same interface is not supported.

If you have further questions please create a new post rather than respond to an 11 year old post.