VTI and crypto map

Answered Question
Feb 28th, 2013

Hello

I am wondering if it is possible to have an IPsec tunnel configuration in which one side of the tunnel is configured with a static VTI and the second with a traditional crypto map.

If yes, how should the configuration on the site with the crypto map be configured?

Thank you in advance for an answer.

Regards

Lukas

Correct Answer by Marcin Latosiewicz about 1 year 1 month ago

Lukasz,

This config is impractical for a few reasons.

VTI dictates that an "any any" proxy ID set is negotiated. While this works well on a virtual interface, where routing can push traffic towards a specific interface, it will cause ALL traffic to be encrypted on the crypto map side and expect all traffic to be encrypted when it's received (since the crypto map is part of OCE along the output path).

A more practical approach in the Cisco world is multi-SA DVTI, where a DVTI can terminate almost any kind of initiated tunnel (i.e. we allow DVTI to handle multiple SAs under one virtual interface); it works very well in some cases.

You can have DVTI on your end and allow customers to use almost anything (ranging from SVTI to crypto maps).
I'll also shoot you an email in parallel, just a bit stuck on something at the moment.

M.

Marcin Latosiewicz Wed, 03/06/2013 - 00:35

Posted February 28, 2013 at 4:46 AM
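
The mismatch described in the answer, shown as an added IOS configuration sketch that is not part of the original thread: a static VTI on one router and a crypto map on the other, where the crypto ACL has to mirror the VTI's "any any" proxy IDs. All addresses (documentation ranges), names and the key placeholder are constructed for illustration.

```cisco
! Constructed lab example: addresses, names and key are placeholders.
! ----- Router A: static VTI side (203.0.113.1) -----
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PSK-PLACEHOLDER> address 198.51.100.2
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile VTI-PROF
 set transform-set TS-AES
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
! Routing, not an ACL, decides what enters the tunnel on this side.
ip route 192.168.20.0 255.255.255.0 Tunnel0
!
! ----- Router B: crypto map side (198.51.100.2) -----
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PSK-PLACEHOLDER> address 203.0.113.1
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
! The crypto ACL must mirror the "any any" proxy IDs the VTI negotiates.
ip access-list extended MATCH-VTI
 permit ip any any
crypto map CMAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-AES
 match address MATCH-VTI
!
interface GigabitEthernet0/0
 ip address 198.51.100.2 255.255.255.0
 crypto map CMAP
! Consequence: all traffic routed out Gi0/0 matches the ACL and is encrypted
! to the peer, and traffic arriving on Gi0/0 is expected to be encrypted.
```

On Router B there is no per-destination routing decision as on Router A's Tunnel0; the `permit ip any any` entry is what makes the pairing impractical on an interface that also carries other traffic.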