VTI and crypto map

lukaszkhalil
Level 1

Hello

I am wondering if it is possible to have an IPsec tunnel configuration in which one side of the tunnel is configured with a static VTI and the second with a traditional crypto map.

If yes, how should the configuration on the site with the crypto map be configured?

Thank you in advance for an answer.

Regards

Lukas

Accepted Solutions

Marcin Latosiewicz
Cisco Employee

Lukasz,

This config is impractical for a few reasons.

VTI dictates that an "any any" proxy ID set is negotiated. While this works well on a virtual interface, where routing can push traffic towards a specific interface, it will cause ALL traffic to be encrypted on the crypto map side and expect all traffic to be encrypted when it's received (since the crypto map is part of OCE along the output path).

A more practical approach in the Cisco world is multi-SA DVTI, where a DVTI can terminate almost any kind of initiated tunnel (i.e. we allow DVTI to handle multiple SAs under one virtual interface); it works very well in some cases.

You can have DVTI on your end and allow customers to use almost anything (ranging from SVTI to crypto maps).
I'll also shoot you an email in parallel, just a bit stuck on something at the moment.

M.
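
The behaviour described in the answer above, as a simplified Python model (an added example, not part of the original post and not Cisco code): the same "any any" proxy ID is harmless on a VTI, where routing selects tunnel traffic, but on a crypto map it classifies every packet. All addresses, interface names and function names are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
# Proxy IDs as (local network, remote network). Constructed sample values.
VTI_PROXY_ID = (ANY, ANY)  # what a VTI peer negotiates
NARROW_PROXY_ID = (ip_network("10.1.0.0/16"), ip_network("10.2.0.0/16"))
# Constructed routing table for the VTI side: prefix -> egress interface.
ROUTES = {ANY: "GigabitEthernet0/0", ip_network("10.2.0.0/16"): "Tunnel0"}


def selector_matches(selector, src, dst):
    """True if the packet falls inside the negotiated proxy ID."""
    local, remote = selector
    return ip_address(src) in local and ip_address(dst) in remote


def crypto_map_outbound(selector, src, dst):
    """Crypto map: the selector classifies every packet leaving the interface."""
    return "encrypt" if selector_matches(selector, src, dst) else "forward-clear"


def crypto_map_inbound(selector, src, dst, arrived_encrypted):
    """Crypto map: cleartext matching the mirrored selector is dropped."""
    local, remote = selector
    if selector_matches((remote, local), src, dst) and not arrived_encrypted:
        return "drop"
    return "accept"


def vti_outbound(routes, dst):
    """VTI: longest-prefix match picks the interface; only tunnel traffic is encrypted."""
    candidates = [net for net in routes if ip_address(dst) in net]
    if not candidates:
        return "drop"  # no route at all
    best = max(candidates, key=lambda net: net.prefixlen)
    return "encrypt" if routes[best].startswith("Tunnel") else "forward-clear"


if __name__ == "__main__":
    internet = ("10.1.0.5", "198.51.100.7")  # traffic not meant for the tunnel
    print("crypto map, any/any :", crypto_map_outbound(VTI_PROXY_ID, *internet))
    print("crypto map, narrow  :", crypto_map_outbound(NARROW_PROXY_ID, *internet))
    print("VTI, any/any        :", vti_outbound(ROUTES, internet[1]))
    print("clear reply, any/any:",
          crypto_map_inbound(VTI_PROXY_ID, internet[1], internet[0], False))
```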

3 Replies

Thanks a lot.

Lukas

Hello,

How do you define the proxy ids in a DVTI against a crypto map?

I have the same scenario that I have to build an L2L connection between ASA 9.6 (no VTI supported, just crypto map) and ISR1100 (DVTI, VTI and crypto map supported). No matter what I do, I can only get it working with crypto maps on both sides.

Very old thread that I reuse I guess...
