Tunnel VTY on FTD

We have a big project involving the deployment of hundreds of firewalls in different locations: HQ and shops. Each shop was connected to the regional HQ via VPN, either EasyVPN or static L2L (the latter case when the shop has two Internet lines).

Currently, all locations use ASA devices, which are going to be migrated/replaced with FTDs, centrally managed by FMC.

The implementation already started but we found several limitations in the current implementation of the VPN, compared to what was possible with the ASA:

- on the HQ hub, concentrating the VPNs from the shops, it's not possible to impose an order among the crypto-maps;

- it's not possible to configure a backup peer IP address in hub&spoke VPNs (unless you resort to contorted configurations);

- VTI tunnels - which would be absolutely welcome - are not supported: you can configure almost every aspect using FlexConfig, but not the "nameif" and "ip address" commands under the Tunnel interface;

- it's not possible to associate a filter ACL to a VPN.


We would like to know if these four issues are included in the roadmap for the next upgrade; in particular, the VTI VPN is of particular interest to us: we see that there are a couple of "enhancement request bugs" (CSCvf75938, CSCvj24040), acting as placeholders for the fact that VTI should be supported, but without any clue about when that will happen.


Thanks in advance.

15 Replies

Jaime Gonzalez
Level 1

6.7 FTD supports VTI for VPN