03-02-2023 10:31 PM
Hi,
There is an IKEv2 IPSec tunnel using VTI between a router and an ASA. All works well. Now, a device which creates IPSec to the same ASA (using a dynamic crypto map on the ASA) is connected to the LAN behind this router. The VTI IPSec works but the crypto map IPSec doesn't. In `show crypto ipsec sa peer <ip address>` I can see the following: for the VTI IPSec, `in use settings ={L2L, Tunnel, PFS Group 24, IKEv2, VTI, }`, and for the dynamic crypto map IPSec, `in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 24, IKEv2, VTI, }` (notice the VTI for both of them, which is not correct). When I shut down the VTI and clear the session, the crypto map IPSec starts to work because it doesn't use the VTI anymore: `in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 5, IKEv2, }`. Then I enable the VTI and it works as well. But this is only a temporary solution. Is there anything to fix this? I can't use the VTI tunnel for all traffic towards the ASA. Two tunnels are needed.
Thank you
03-03-2023 03:35 AM
You want two VTIs,
one for the edge router,
the other from the router behind the edge router,
and both VTIs toward the same ASA?
03-03-2023 03:45 AM
Hi, the device in the LAN doesn't support VTI, so a crypto map is the only way. So the edge router uses VTI and the router behind it has to use a crypto map. And I want them to work at the same time. (Both of them create a VPN to the same ASA.)
03-03-2023 03:48 AM
Understood, I will check for a solution and share it here.
03-06-2023 03:46 AM
I tried yesterday and failed, but I think I found the solution.
The trick is in the routing through the VTI and the traffic hitting the ACL of the IPSec.
03-06-2023 03:57 AM
Hi,
I am routing 10.42.0.0/16 via the VTI (on the ASA) and 10.0.0.0/8 on the router,
and the dynamic crypto map has these subnets:
10.0.0.0/8 (behind the ASA) <-> 10.32.1.1/32 (behind the router)
10.0.0.0/8 (behind the ASA) <-> 10.32.2.0/28 (behind the router)
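An added check (not from the thread or from Cisco) for the point made above: on the ASA, a prefix that is both routed into the VTI and protected by a dynamic crypto map selector is sent through the VTI and never hits the crypto map. The routes and selectors below are taken from the thread; the conflicting 10.32.0.0/16 route is a constructed counter-example to show what a hit looks like.

```python
from ipaddress import ip_network

# Prefixes the ASA routes into the VTI (from the thread).
ASA_VTI_ROUTES = [ip_network("10.42.0.0/16")]

# Dynamic crypto map selectors as (behind ASA, behind router) pairs (from the thread).
CRYPTO_MAP_SELECTORS = [
    (ip_network("10.0.0.0/8"), ip_network("10.32.1.1/32")),
    (ip_network("10.0.0.0/8"), ip_network("10.32.2.0/28")),
]


def vti_crypto_map_conflicts(vti_routes, selectors):
    """Return (remote_selector, vti_route) pairs where the ASA would route
    traffic for a crypto-map-protected remote subnet into the VTI instead.
    The overlap test is symmetric: a route inside a selector or a selector
    inside a route both mean that some of that traffic goes to the VTI."""
    conflicts = []
    for _local, remote in selectors:
        for route in vti_routes:
            if route.overlaps(remote):
                conflicts.append((str(remote), str(route)))
    return conflicts


def check_thread_config():
    """The configuration posted in the thread: no overlap, so the crypto map
    selectors are reachable without crossing the VTI."""
    return vti_crypto_map_conflicts(ASA_VTI_ROUTES, CRYPTO_MAP_SELECTORS)


def check_constructed_conflict():
    """Constructed case: a 10.32.0.0/16 route via the VTI would cover both
    remote selectors, so both would be reported."""
    bad_routes = ASA_VTI_ROUTES + [ip_network("10.32.0.0/16")]
    return vti_crypto_map_conflicts(bad_routes, CRYPTO_MAP_SELECTORS)


if __name__ == "__main__":
    print("thread config conflicts:", check_thread_config())
    print("constructed conflicts:", check_constructed_conflict())
```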