Site-to-Site VPN Question

manofsteel03
Level 1

When you set up a Site-to-Site VPN tunnel between an ASA and FTD, do both ends have to be set up using the same type of configuration, i.e. Policy-Based or Route-Based? Or can one end be configured as Policy-Based and the other end set up as Route-Based (VTI)?

Thx in advance for any help given.

2 Replies

Good question. I never tried to play with this in my lab; however, I think both should match the type, because part of the negotiation between the firewalls to establish the tunnel relates to the proxy domains, which are the subnets defined in the crypto ACLs.

@manofsteel03 I think this is possible (never tried it): you could set the Policy-Based crypto ACL to match 0.0.0.0/0. Though why? I don't think this would be a good design; use a Route-Based or Policy-Based VPN, not a mixture of both.

FYI, on IOS-XE routers (not ASA/FTD), there is a newish option of using Multi-SA VTI: https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/214728-configure-multi-sa-virtual-tunnel-interf.html
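Both replies turn on the same point: the proxy IDs (traffic selectors) each side proposes. The following added example, which is not from the thread and models only the generic IKEv2 traffic-selector narrowing of RFC 7296 section 2.9 rather than ASA/FTD-specific behaviour, shows why a VTI peer (any/any) and a crypto-ACL peer still agree on a narrowed selector, why two mismatched crypto ACLs fail, and what the 0.0.0.0/0 ACL suggested above produces. All subnets are constructed sample values.

```python
"""Simplified model of IKEv2 traffic-selector (proxy ID) negotiation.

Constructed example: a route-based (VTI) peer proposes any<->any, a
policy-based peer proposes one selector per crypto ACL entry. The responder
narrows to the intersection (RFC 7296 section 2.9); an empty intersection
means no Child SA (TS_UNACCEPTABLE). Cisco platform behaviour is not modelled.
"""
from ipaddress import IPv4Network, ip_network
from typing import List, Optional, Tuple

Selector = Tuple[IPv4Network, IPv4Network]  # (local/source, remote/destination)
ANY = ip_network("0.0.0.0/0")


def crypto_acl(entries: List[Tuple[str, str]]) -> List[Selector]:
    """Policy-based side: one selector per 'permit ip <src> <dst>' ACL line."""
    return [(ip_network(src), ip_network(dst)) for src, dst in entries]


def vti_selectors() -> List[Selector]:
    """Route-based side: a VTI proposes any<->any and leaves steering to routing."""
    return [(ANY, ANY)]


def intersect(a: IPv4Network, b: IPv4Network) -> Optional[IPv4Network]:
    """Intersection of two prefixes: the more specific one, or None if disjoint."""
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def negotiate(initiator: List[Selector], responder: List[Selector]) -> List[Tuple[str, str]]:
    """Return the narrowed (local, remote) selectors as seen by the initiator.

    The initiator's (src, dst) is matched against the responder's (dst, src):
    what is local on one side is remote on the other. Empty result means the
    responder would answer TS_UNACCEPTABLE and no IPsec SA is built.
    """
    agreed = []
    for i_src, i_dst in initiator:
        for r_src, r_dst in responder:
            src = intersect(i_src, r_dst)
            dst = intersect(i_dst, r_src)
            if src is not None and dst is not None:
                agreed.append((str(src), str(dst)))
    return agreed


if __name__ == "__main__":
    acl = crypto_acl([("10.2.0.0/16", "10.1.0.0/16")])  # policy-based peer's ACL
    print("VTI -> crypto ACL :", negotiate(vti_selectors(), acl))
    print("ACL -> wrong ACL  :", negotiate(crypto_acl([("10.1.0.0/16", "10.2.0.0/16")]),
                                           crypto_acl([("10.3.0.0/16", "10.1.0.0/16")])))
    print("VTI -> any/any ACL:", negotiate(vti_selectors(), crypto_acl([("0.0.0.0/0", "0.0.0.0/0")])))
```

The first case is narrowed to the ACL's subnets, so the tunnel comes up but the VTI side only carries that pair; the second case has no overlap and yields no SA, which is the mismatch the first reply worries about.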