11-02-2023 05:54 AM
On an FTD, can I set up one VTI and use it on two tunnels? I will be running a dual hub-and-spoke configuration, and I am looking to use a /24 for the subnet and have the hubs borrow the IP from the loopback, which will be set up in the same subnet. If I need a second VTI, will it let me create it on the same subnet? I know that most systems have issues with overlapping subnets. Or should I just create a separate subnet for each hub with two VTIs?
Solved! Go to Solution.
11-02-2023 11:08 AM
@robinhall1 That should work using a dVTI on the hub FWs. On the spokes, run a separate VTI to each hub, with a unique subnet per hub. Establish a routing protocol adjacency, then either load balance over both hubs, use a routing protocol attribute to prefer one tunnel over the other, or use a backup VTI - https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/vpn-s2s.html#Cisco_Reference.dita_73dac582-5114-4643-9536-fc4e2de1f1c4
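The addressing rule in the answer above (one subnet per hub, each spoke carrying one VTI per hub, no two VTIs on the same device sharing a subnet) is easy to get wrong when the plan is spread across an FMC. The script below is an added example, not code from the thread or from Cisco: it models the two plans discussed (the /24-per-hub design from the answer, and the single shared /24 from the question) with constructed, hypothetical addresses, and flags the overlap that the shared /24 forces on each spoke. The device names, interface names and the Tunnel-to-hub mapping are assumptions made for the illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed addressing plan (hypothetical 10.255.x.x addresses, not from the thread).
# Each entry: (device, interface, address/prefix). On the hubs the dVTI borrows its
# address from a loopback; each spoke runs one sVTI per hub in that hub's subnet.
GOOD_PLAN = [
    ("hub1", "Loopback1", "10.255.1.1/24"),
    ("hub2", "Loopback1", "10.255.2.1/24"),
    ("spoke1", "Tunnel1", "10.255.1.11/24"),  # sVTI to hub1
    ("spoke1", "Tunnel2", "10.255.2.11/24"),  # sVTI to hub2
    ("spoke2", "Tunnel1", "10.255.1.12/24"),
    ("spoke2", "Tunnel2", "10.255.2.12/24"),
]

# The plan proposed in the question: one /24 shared by both hubs, which means each
# spoke ends up with two VTIs whose subnets overlap on the same device.
BAD_PLAN = [
    ("hub1", "Loopback1", "10.255.0.1/24"),
    ("hub2", "Loopback1", "10.255.0.2/24"),
    ("spoke1", "Tunnel1", "10.255.0.11/24"),
    ("spoke1", "Tunnel2", "10.255.0.12/24"),
]

# Assumed convention: Tunnel1 on every spoke terminates on hub1, Tunnel2 on hub2.
SPOKE_TO_HUB = {"Tunnel1": "hub1", "Tunnel2": "hub2"}


def find_overlaps(plan):
    """Return (device, ifaceA, ifaceB) for every pair of interfaces on the same
    device whose subnets overlap. This is the condition the question worries about."""
    by_dev = defaultdict(list)
    for dev, iface, addr in plan:
        by_dev[dev].append((iface, ipaddress.ip_interface(addr).network))
    problems = []
    for dev, ifaces in by_dev.items():
        for i in range(len(ifaces)):
            for j in range(i + 1, len(ifaces)):
                a_if, a_net = ifaces[i]
                b_if, b_net = ifaces[j]
                if a_net.overlaps(b_net):
                    problems.append((dev, a_if, b_if))
    return problems


def check_spoke_subnets(plan, spoke_to_hub):
    """Each spoke VTI must sit in the subnet of the loopback its hub borrows from,
    otherwise the routing adjacency over that tunnel will not form."""
    hub_nets = {
        dev: ipaddress.ip_interface(addr).network
        for dev, _iface, addr in plan
        if dev.startswith("hub")
    }
    mismatches = []
    for dev, iface, addr in plan:
        if dev.startswith("spoke"):
            hub = spoke_to_hub[iface]
            if ipaddress.ip_interface(addr).network != hub_nets[hub]:
                mismatches.append((dev, iface, hub))
    return mismatches


def duplicate_addresses(plan):
    """Return any address assigned to more than one interface across the whole plan."""
    seen = {}
    dups = []
    for dev, iface, addr in plan:
        ip = ipaddress.ip_interface(addr).ip
        if ip in seen:
            dups.append((str(ip), seen[ip], (dev, iface)))
        seen[ip] = (dev, iface)
    return dups


def validate(plan, spoke_to_hub=SPOKE_TO_HUB):
    """Run all three checks; an empty result means the plan follows the per-hub-subnet rule."""
    return {
        "overlapping_vtis": find_overlaps(plan),
        "spoke_not_in_hub_subnet": check_spoke_subnets(plan, spoke_to_hub),
        "duplicate_addresses": duplicate_addresses(plan),
    }


if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(name, validate(plan))
```

Running it reports no findings for the per-hub-subnet plan and an `overlapping_vtis` entry for `spoke1` in the shared-/24 plan, which is exactly the case that a second VTI in the same subnet would create; the check is worth running against the exported interface list before pushing the tunnels from the FMC.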
11-02-2023 06:01 AM
@robinhall1 What version are you running, 7.3? Only in 7.3 did Cisco introduce a loopback interface for VPNs. If you are using 7.3, then on the hub you could use a dVTI instead of an sVTI; then all tunnels will use the same dVTI tunnel, and you can use the loopback to borrow the IP address instead of wasting IP addresses.
11-02-2023 11:00 AM
I am running 7.3.1.1 on the two hubs, as those are 2110s. I am running 7.0.5 on all of the spokes, as those are 55xx series running FTD, and 7.0 is the last supported firmware for the 55xx series. I was going to use dVTI on the hubs. Since it is a dual-hub setup, I am not sure if I can use the same VTI on the spokes for each tunnel or if I need to have separate VTIs, and if separate, they will likely need different subnets, but I'm not sure if that is a requirement.