Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
619
Views
0
Helpful
1
Replies

Local IPSec VTI compatability with remote Crypto IPSec

F1owtraders
Level 1
Level 1

‎04-12-2010 12:45 AM - edited ‎02-21-2020 04:35 PM

Hi,

I am currently trying to configure a local hub VPN router (Cisco 2821) with IPSec VTI's which in turn will connect to remote
partner offices. The remote sites have traditional VPN's configurations configured using standard crypto maps. Phase 1 IKE completes succesfully
but phase 2 terminates with the error:

"no crypto map for remote peer <remote peer IP>"

With a traditional VPN connection from the hub VPN router the IPSec tunnel comes up without a problem but as soon as we convert
to IPSec VTI's the IPSec tunnel can no longer be set up. Initial diagnostics seem to point to the fact that because the IPSec policy of the hub VPN router
VTI's no longer uses crypto ACL's that the remote peer no longer accepts the transform-proposal from the hub due to this.

Are VTI's compatible with traditional crypto VPN's and if so does anybody have any reference documentation on them. I have read much of the Cisco docs on VTI's etc but still do not have a clear idea on this compatability of these technologies.

Many thanks in advance

Quinton

Labels:
0 Helpful
1 Reply 1

andrew.prince
Level 10
Level 10

‎04-12-2010 12:56 AM

AFAIK - VTI are actually "Tunnels" and require tunnel source/destinations otherwise the tunnel is incomplete.

The whole VTI thinking is to effectvly create a GRE tunnel with IPSEC encryption across the WAN.

You need Tunnel interfaces @ BOTH ends for it to work, not just one end.

HTH>

Andrew.

0 Helpful
Customers Also Viewed These Support Documents