Multiple VTIs using same tunnel source & destination on FMC

TerenceLockette (Level 1)

Hello,

I have a scenario that I'm not sure how unique of a requirement this may be compared to how others implement IPsec tunnels for route-based VPNs on the FTD managed by FMC. We have network environments at a branch office that require separation of traffic to our data center, and it was suggested that we use IPsec tunnels for each network environment across the WAN. The branch office will be using Catalyst 8500s where 2 VTIs will be used (one for each environment for traffic separation), and the far end will terminate the WAN circuit on an HA pair of FTD 2140s managed by FMC. Unfortunately, the FMC is throwing errors about using the same tunnel source & destination when attempting to deploy VTIs from 2 different route-based VPN topologies. I understand that the FMC is seeing this as a duplicate topology, but I'm using a different VTI pointing to the same tunnel source and destination addresses. VTI tunnel 0 is up and I can ping across the tunnel to the associated tunnel interface, but tunnel 2 is what is in question. My question is this: Is it possible to accomplish this? I'm not sure what needs to be done, although the FMC provides a workaround (see screenshots below).

[Screenshot: TerenceLockette_0-1682363820749.png]

[Screenshot: TerenceLockette_1-1682363983944.png]

[Screenshot: TerenceLockette_3-1682364054493.png]

Accepted Solution

@TerenceLockette actually in 7.3 you can configure loopback interfaces for VTI and configure as the tunnel source - https://secure.cisco.com/secure-firewall/v7.3/docs/loopback-interface

Replies

@TerenceLockette unfortunately in order to establish the second tunnel you need to distinguish between the 2 tunnels, either a different source or destination IP address.

Hey @Rob Ingram, thanks for a quick response. I was hoping this would be able to be accomplished but had a feeling this would be the response. So how do I go about using a different source IP address on the FMC? I thought I would be able to create a form of loopback, but it doesn't seem like that's an option, as I only have sub-interface, redundant, bridge group, and VTI. I could use the outside interface, I suppose, but I think our requirement is to send this across the private WAN. Do you see a scenario in which this is possible?


Ok cool. I'll work this up in a lab and test it out. Thanks again @Rob Ingram!

If I am right, the other side uses a LO as the source of the VTI?
On the FTD side you can configure hub and spoke; the FTD doesn't care if both VTIs are from the same platform, it will assume each is a different spoke.

This is for a route-based VPN, so when that option is selected, the options for point-to-point and hub-and-spoke are greyed out.

Yes, you are correct, the FPR does not support DVTI until now; only SVTI is supported.
So we return to the first suggestion: use a different LO as the source of the VTI.
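The constraint discussed in this thread (two VTIs to the same peer must differ in tunnel source or destination, and a loopback is the way to get a second source address) can be checked before a deployment is attempted. The following is an added example, not code from the thread, from Cisco, or from FMC/FTD: it parses IOS-style interface stanzas, resolves each tunnel's source interface to its IP address, and reports every (source, destination) pair used by more than one VTI. The interface names and addresses in the two sample configurations are constructed, hypothetical values from the documentation ranges; the second sample shows the same branch after one VTI has been re-sourced to a loopback.

```python
from collections import defaultdict

# Constructed sample: both VTIs sourced from the same WAN interface and pointed
# at the same peer, the layout FMC rejects as a duplicate topology.
COLLIDING_CONFIG = """
interface GigabitEthernet0/0/0
 ip address 192.0.2.10 255.255.255.0
interface Tunnel0
 ip address 10.254.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel destination 198.51.100.10
interface Tunnel2
 ip address 10.254.0.5 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel destination 198.51.100.10
"""

# Constructed sample after the loopback workaround: Tunnel2 now uses Loopback1
# as its source, so the two VTIs have distinct (source, destination) pairs.
FIXED_CONFIG = """
interface GigabitEthernet0/0/0
 ip address 192.0.2.10 255.255.255.0
interface Loopback1
 ip address 10.255.1.2 255.255.255.255
interface Tunnel0
 ip address 10.254.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel destination 198.51.100.10
interface Tunnel2
 ip address 10.254.0.5 255.255.255.252
 tunnel source Loopback1
 tunnel mode ipsec ipv4
 tunnel destination 198.51.100.10
"""


def parse_config(text):
    """Split IOS-style config into interface addresses and tunnel endpoints.

    Returns (addresses, tunnels): addresses maps interface name -> IP address,
    tunnels maps TunnelN name -> {"source": ..., "destination": ...}.
    """
    addresses = {}
    tunnels = {}
    current = None
    for raw in text.splitlines():
        parts = raw.strip().split()
        if parts[:1] == ["interface"] and len(parts) >= 2:
            current = parts[1]
            if current.lower().startswith("tunnel"):
                tunnels[current] = {}
            continue
        if current is None or len(parts) < 3:
            continue
        if parts[:2] == ["ip", "address"]:
            addresses[current] = parts[2]
        elif current in tunnels and parts[:2] == ["tunnel", "source"]:
            tunnels[current]["source"] = parts[2]
        elif current in tunnels and parts[:2] == ["tunnel", "destination"]:
            tunnels[current]["destination"] = parts[2]
    return addresses, tunnels


def find_endpoint_collisions(text):
    """Return {(source_ip, destination): [tunnel names]} for every endpoint
    pair shared by more than one VTI.

    A tunnel source given as an interface name is resolved to that interface's
    IP address, so two tunnels on different loopbacks that carry the same
    address are still reported. An empty result means every VTI is
    distinguishable by source or destination.
    """
    addresses, tunnels = parse_config(text)
    groups = defaultdict(list)
    for name, endpoints in tunnels.items():
        source = endpoints.get("source")
        source_ip = addresses.get(source, source)  # literal IPs pass through
        groups[(source_ip, endpoints.get("destination"))].append(name)
    return {pair: sorted(names) for pair, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    for label, config in (("colliding", COLLIDING_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, find_endpoint_collisions(config) or "no collisions")
```

Running the check on the first sample reports Tunnel0 and Tunnel2 sharing (192.0.2.10, 198.51.100.10); the second sample reports nothing, which is the state the FMC deployment needs on the FTD side once the 7.3 loopback source is in place.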