04-24-2023 12:22 PM
Hello,
I have a scenario that I'm not sure how unique of a requirement this may be compared to how others implement IPsec tunnels for route-based VPNs on the FTD managed by FMC. We have network environments at a branch office that requires separation of traffic to our data center and it was suggested that we use IPsec tunnels for each network environment across the WAN. The branch office will be using Catalyst 8500s where 2 VTIs will be used (one for each environment for traffic separation) and the far end will terminate the WAN circuit on an HA pair of FTD 2140s managed by FMC. Unfortunately, the FMC is throwing errors about using the same tunnel source & destination when attempting to deploy VTIs from 2 different route-based VPN topologies. I understand that the FMC is seeing this as a duplicate topology but I'm using a different VTI pointing to the same tunnel source and destination addresses. VTI tunnel 0 is up and I can ping across the tunnel to the associated tunnel interface but tunnel 2 is what is in question. My question is this: Is it possible to accomplish this because I'm not sure what needs to be done although the FMC provides a workaround (see screenshots below)?
04-24-2023 12:49 PM
@TerenceLockette actually in 7.3 you can configure loopback interfaces for VTI and configure as the tunnel source - https://secure.cisco.com/secure-firewall/v7.3/docs/loopback-interface
04-24-2023 12:28 PM
@TerenceLockette unfortunately in order to establish the second tunnel you need to distinguish between the 2 tunnels, either a different source or destination IP address.
04-24-2023 12:43 PM
Hey @Rob Ingram, thanks for the quick response. I was hoping this would be able to be accomplished but had a feeling this would be the response. So how do I go about using a different source IP address on the FMC? I thought I would be able to create a form of loopback, but it doesn't seem like that's an option, as I only have sub-interface, redundant, bridge group, and VTI. I could use the outside interface, I suppose, but I think our requirement is to send this across the private WAN. Do you see a scenario in which this is possible?
04-24-2023 01:02 PM
Ok cool. I'll work this up in a lab and test it out. Thanks again @Rob Ingram!
04-24-2023 01:24 PM
If I am right, the other side uses a loopback (LO) as the source of the VTI?
On the FTD side you can configure hub and spoke; the FTD doesn't care if both VTIs come from the same platform, it will assume they are different spokes.
04-24-2023 01:33 PM
This is for a route-based VPN, so when that option is selected, the options for point-to-point and hub-and-spoke are greyed out.
04-24-2023 01:54 PM
Yes, you are correct; the FPR does not support DVTI until now, only SVTI is supported.
So return to the first suggestion: use different loopbacks (LO) as the source of each VTI.
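To make the loopback-source suggestion from this thread concrete, here is an added illustration of the branch side (Catalyst 8500, IOS-XE) with two SVTIs to the same FTD HA pair, each built from its own loopback to its own FTD loopback so that the two IKEv2/IPsec sessions have distinct source/destination pairs. This is not configuration from the thread or from Cisco's documentation; all addresses are constructed from RFC 5737 ranges, the pre-shared keys are placeholders, and it assumes the WAN already routes the loopback /32s between the sites. It goes one step beyond the thread by putting each tunnel in its own VRF, which is one way to enforce the per-environment separation the original question asks about. The FTD side is configured in the FMC GUI (loopback interface per environment in 7.3+, selected as the VTI tunnel source in each route-based topology), so only the branch side is shown.

```cisco
! Added illustration, not from this thread. Constructed addresses; replace with your own.
! Assumption: 198.51.100.x (branch loopbacks) and 203.0.113.x (FTD loopbacks) are routed over the WAN.

! One VRF per network environment keeps the two environments apart inside the branch router
vrf definition ENV-A
 address-family ipv4
 exit-address-family
vrf definition ENV-B
 address-family ipv4
 exit-address-family

! Distinct tunnel sources: one loopback per tunnel
interface Loopback0
 description VTI source, environment A
 ip address 198.51.100.1 255.255.255.255
interface Loopback1
 description VTI source, environment B
 ip address 198.51.100.2 255.255.255.255

! IKEv2: one keyring peer per FTD loopback, one profile per environment
crypto ikev2 proposal PROP-AES256
 encryption aes-cbc-256
 integrity sha256
 group 19
crypto ikev2 policy POL-VTI
 proposal PROP-AES256
crypto ikev2 keyring KR-VTI
 peer FTD-ENV-A
  address 203.0.113.10
  pre-shared-key <PSK-ENV-A>
 peer FTD-ENV-B
  address 203.0.113.11
  pre-shared-key <PSK-ENV-B>
crypto ikev2 profile PROF-ENV-A
 match identity remote address 203.0.113.10 255.255.255.255
 identity local address 198.51.100.1
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-VTI
crypto ikev2 profile PROF-ENV-B
 match identity remote address 203.0.113.11 255.255.255.255
 identity local address 198.51.100.2
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-VTI

crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile IPSEC-ENV-A
 set transform-set TS-AES256
 set ikev2-profile PROF-ENV-A
crypto ipsec profile IPSEC-ENV-B
 set transform-set TS-AES256
 set ikev2-profile PROF-ENV-B

! Two SVTIs to the same FTD pair. Each has a unique (source, destination) address pair,
! which is what lets the FTD/FMC treat them as two separate VPN topologies.
interface Tunnel0
 description Environment A -> FTD loopback 203.0.113.10
 vrf forwarding ENV-A
 ip address 10.255.0.1 255.255.255.252
 tunnel source Loopback0
 tunnel mode ipsec ipv4
 tunnel destination 203.0.113.10
 tunnel protection ipsec profile IPSEC-ENV-A
interface Tunnel2
 description Environment B -> FTD loopback 203.0.113.11
 vrf forwarding ENV-B
 ip address 10.255.0.5 255.255.255.252
 tunnel source Loopback1
 tunnel mode ipsec ipv4
 tunnel destination 203.0.113.11
 tunnel protection ipsec profile IPSEC-ENV-B

! Per-environment routes into each VTI (static here; a routing protocol per VRF works as well)
ip route vrf ENV-A 10.10.0.0 255.255.0.0 Tunnel0
ip route vrf ENV-B 10.20.0.0 255.255.0.0 Tunnel2
```

After both tunnels come up, `show crypto ikev2 sa` on the branch router should list two SAs with different local/remote address pairs, and `show crypto ipsec sa` should show separate SPIs per tunnel. If both tunnels are pointed at the same FTD loopback, or both sourced from the same branch loopback, the source/destination pair is no longer unique and the FMC will raise the same duplicate-topology error the original post describes.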