
VPN Tunnel IKEV2

Hi All,

 

Can we use the crypto map in IKEv2? I heard the crypto map is an older one and it is the version of IKEv1. But in one of the IKEv2 configs they called the crypto map instead of a tunnel interface. Kindly correct me and explain the theory.

 

Thanks.


Hi,
You can still implement IKEv2 crypto maps. Crypto Map and VTI (tunnel interfaces) are completely different ways to configure a VPN. A crypto map configuration uses an ACL to define interesting traffic; this configuration is static and would require modification when adding additional networks.

When using a VTI, this does not use an ACL to define interesting traffic; it just requires a route (either a static route or a route learnt dynamically via a routing protocol). VTI VPNs are simpler to manage and much more scalable, requiring fewer IPSec SAs than a crypto map and therefore fewer resources.

Crypto Maps are considered legacy by Cisco and the recommendation is to use VTI.

Examples of Tunnel Interface VPNs are FlexVPN/DMVPN.

HTH

Thanks for the response. Kindly correct me if I am wrong for the below:

For VTI:
Consider that I need to access the destination 23.0.0.7 through tunnel0; is the configuration below correct?
ip route 23.0.0.7 255.0.0.0 tunnel0.
In the future, if I have to access another new destination, then I can simply point the static route to the tunnel. Please correct me if I am wrong.

Thanks.

Yes, that would work, or advertise the networks using a routing protocol and then you would not need to manually configure the routes. Remember the 23.0.0.0 networks need a route back over the VPN to the source network.

HTH

Thanks for the reply
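
The two styles discussed in this thread, side by side, as an added example that is not part of the original posts: a Cisco IOS IKEv2 configuration in which the peer address 203.0.113.2, the local network 10.1.0.0/16, the interface names, the object names and the key are all constructed placeholders. Options 1 and 2 are alternatives for the same peer, not meant to be applied together.

```cisco
! Shared IKEv2 pieces (all names, addresses and the key are placeholders;
! the default IKEv2 proposal is assumed)
crypto ikev2 keyring KR-EXAMPLE
 peer REMOTE
  address 203.0.113.2
  pre-shared-key <PLACEHOLDER-KEY>
crypto ikev2 profile IKEV2-EXAMPLE
 match identity remote address 203.0.113.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-EXAMPLE
crypto ipsec transform-set TS-EXAMPLE esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Option 1: crypto map. The ACL defines interesting traffic, so each new
! remote network needs another ACL entry (mirrored on the peer).
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 23.0.0.0 0.255.255.255
crypto map CMAP-EXAMPLE 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-EXAMPLE
 set ikev2-profile IKEV2-EXAMPLE
 match address VPN-TRAFFIC
interface GigabitEthernet0/0
 crypto map CMAP-EXAMPLE
!
! Option 2: VTI. No ACL; whatever the routing table sends to Tunnel0
! is protected by the IPsec profile.
crypto ipsec profile IPSEC-EXAMPLE
 set transform-set TS-EXAMPLE
 set ikev2-profile IKEV2-EXAMPLE
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-EXAMPLE
!
! Reaching a new destination is one more route (network prefix matching
! the mask); the remote side needs a route back to 10.1.0.0/16.
ip route 23.0.0.0 255.0.0.0 Tunnel0
```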