Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
820
Views
10
Helpful
2
Replies

Dynamic VTI. Can I use static routes over the tunnel?

kasper123
Level 4
Level 4

‎12-13-2021 05:51 AM

I'm testing dynamic VTI with a Hub and two Spokes.

I can get the tunnel established but I cannot ping the endpoints of the tunnel from the other side.

I see in the counters that the traffic leaves the spoke and reaches the hub but no response is sent back to the spoke.

Next thing I noticed is that if I setup a routing protocol (like EIGRP) on each of the hub and spoke than neighborsip gets established and I can ping addresses from the other side.

But is it possible to use static routing to point to networks on the other side? I tried to add a static route but on the hub I cannot specify a next hop for this traffic.

Or is this perhaps by design and running of a dynamic routing protocol is the only way to exchange traffic over dynamic VTI?

Labels:
2 Replies 2

Rob Ingram
VIP
VIP

‎12-13-2021 06:04 AM

@kasper123 use FlexVPN authorisation policy and the "route set interface" command to push the tunnel IP address as a static. You can also push down other static routes, refer to this link for more information. https://integratingit.wordpress.com/2018/06/07/flexvpn-ikev2-routing/

 

MHM Cisco World
VIP
VIP

‎12-13-2021 11:41 AM

follow

0 Helpful
Customers Also Viewed These Support Documents