02-28-2013 04:46 AM
Hello
I am wondering if it is possible to have an IPsec tunnel configuration in which one side of the tunnel is configured with a static VTI and the second with a traditional crypto map.
If yes, how should the configuration on the site with the crypto map be configured?
Thank you in advance for an answer.
Regards
Lukas
03-06-2013 12:35 AM
Lukasz,
This config is impractical for a few reasons.
VTI dictates that an "any any" proxy ID set is negotiated. While this works well on a virtual interface, where routing can push traffic towards a specific interface, it will cause ALL traffic to be encrypted on the crypto map side and expect all traffic to be encrypted when it's received (since the crypto map is part of OCE along the output path).
A more practical approach in the Cisco world is multi-SA DVTI, where a DVTI can terminate almost any kind of initiated tunnel (i.e. we allow DVTI to handle multiple SAs under one virtual interface). It works very well in some cases.
You can have DVTI on your end and allow customers to use almost anything (ranging from SVTI to crypto maps).
I'll also shoot you an email in parallel, just a bit stuck on something at the moment.
M.
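The difference described in the answer above, as an added example that is not part of the original thread: a simplified Python model (not Cisco code) of how each side decides what to encrypt. The addresses, interface names and function names are constructed for illustration.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

def selector_matches(selector, src, dst):
    """True when a packet falls inside a (local_net, remote_net) proxy ID."""
    local_net, remote_net = selector
    return (ipaddress.ip_address(src) in local_net
            and ipaddress.ip_address(dst) in remote_net)

def crypto_map_egress(selectors, src, dst):
    """Crypto-map model: the proxy IDs alone decide encryption for every
    packet leaving the interface the map is applied to."""
    hit = any(selector_matches(s, src, dst) for s in selectors)
    return "encrypt" if hit else "clear"

def vti_egress(routes, dst):
    """VTI model: longest-prefix-match routing picks the egress interface;
    only packets routed to the tunnel interface are encrypted."""
    addr = ipaddress.ip_address(dst)
    candidates = [(net, ifname) for net, ifname in routes if addr in net]
    if not candidates:
        return "drop"
    _, ifname = max(candidates, key=lambda r: r[0].prefixlen)
    return "encrypt" if ifname == "Tunnel0" else "clear"

# Constructed sample data (hypothetical networks and interface names).
LOCAL_LAN = ipaddress.ip_network("10.1.0.0/24")
REMOTE_LAN = ipaddress.ip_network("10.2.0.0/24")
VTI_ROUTES = [(ANY, "GigabitEthernet0/0"), (REMOTE_LAN, "Tunnel0")]
ANY_ANY = [(ANY, ANY)]               # what a VTI peer negotiates
SPECIFIC = [(LOCAL_LAN, REMOTE_LAN)]  # narrower crypto ACL, for contrast only

def compare(src, dst):
    """Fate of one packet under each model."""
    return {
        "vti": vti_egress(VTI_ROUTES, dst),
        "crypto_map_any_any": crypto_map_egress(ANY_ANY, src, dst),
        "crypto_map_specific": crypto_map_egress(SPECIFIC, src, dst),
    }

if __name__ == "__main__":
    for dst in ("10.2.0.9", "198.51.100.7"):
        print(dst, compare("10.1.0.5", dst))
```

With the "any any" proxy ID, the crypto map model encrypts the Internet-bound packet as well, while the VTI model sends it in the clear because routing never points it at the tunnel.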
03-06-2013 12:42 AM
Thanks a lot.
Lukas
05-27-2020 02:30 AM
Hello,
How do you define the proxy ids in a DVTI against a crypto map?
I have the same scenario: I have to build an L2L connection between an ASA 9.6 (no VTI supported, just crypto map) and an ISR1100 (DVTI, VTI and crypto map supported). No matter what I do, I can only get it working with crypto maps on both sides.
Very old thread that I reuse, I guess...