Cisco Support Community

New Member

Cisco IOS ZFW (Zone Based Firewall) and IPsec VTI

Hi to all,

With IPsec VTI, how can I configure the phase 2 proxy-id?

"The best part of the whole thing is NO CRYPTO MAPS"

How is traffic associated with a remote site? Using "ip route" static routes rather than mirrored ACLs?

Do I need to configure the routing / the policy map?

The configuration follows (I need to configure a VPN between host host):


crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 hash sha
 group 2
 lifetime 3600
!
crypto isakmp key 0 cisco address no-xauth
crypto isakmp keepalive 10
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set ACI esp-aes 256 esp-sha-hmac
!
crypto ipsec profile VTI
 description ** VPN IPSEC L2L to ACI **
 set transform-set ACI
 set pfs group2
 set security-association lifetime seconds 28800
!
interface Tunnel2
 description *** test VPN IPSEC with ACI
 ip address
 ip ospf mtu-ignore
 zone-member security untrust
 ip policy route-map ROUTING-POLICY-
 tunnel source
 tunnel mode ipsec ipv4
 tunnel destination
 tunnel protection ipsec profile VTI
!
route-map ROUTING-POLICY- permit 10
 match ip address 147
!
access-list 147 remark *** ACL VPN
access-list 147 permit ip host host
!
ip route Tunnel2

Cisco Employee

Re: Cisco IOS ZFW (Zone Based Firewall) and IPsec VTI

Static VTIs, which is what you are using on this router, only support an "ip any any" proxy ID. You will not need to configure one here. Traffic is sent over the tunnel using routing protocols or static routes. The following route should be good enough:

ip route Tunnel2

If you are having problems configuring the tunnel, then I would check the policy on the remote end. If they are not using SVTI or an "ip any any" proxy ID, then this will not work.
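To make the answer concrete, here is an added example of what the matching remote end of a static VTI looks like, together with the zone-based firewall policy that does the traffic selection the proxy-id would otherwise have done. This is not configuration from the original post or from the poster's network: the addresses are RFC 5737 documentation ranges, the interface names, zone names, pre-shared key and the use of SHA-256 / DH group 14 are assumptions, and the local LAN is taken to be 198.51.100.0/24 with the far-side LAN 192.0.2.0/24.

```ios
! Added example, not from the original post. All addresses, names and the PSK are assumptions.
! Remote peer: WAN 203.0.113.2, local LAN 198.51.100.0/24; far side: WAN 203.0.113.1, LAN 192.0.2.0/24.
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 3600
crypto isakmp key 0 ExamplePSK address 203.0.113.1 no-xauth
crypto isakmp keepalive 10
!
crypto ipsec transform-set VTI-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile VTI
 set transform-set VTI-TS
 set pfs group14
!
zone security trust
zone security untrust
!
interface GigabitEthernet0/0
 description WAN (assumed)
 ip address 203.0.113.2 255.255.255.0
 zone-member security untrust
!
interface GigabitEthernet0/1
 description LAN (assumed)
 ip address 198.51.100.1 255.255.255.0
 zone-member security trust
!
! No crypto map and no mirrored ACL: an SVTI negotiates a 0.0.0.0/0 <-> 0.0.0.0/0 proxy ID,
! so both ends must be SVTI (or accept an "ip any any" selector), as the answer says.
interface Tunnel2
 ip address 10.255.0.2 255.255.255.252
 zone-member security untrust
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile VTI
!
! Routing, not an ACL, decides what is encrypted: anything routed into Tunnel2 goes through the SA.
ip route 192.0.2.0 255.255.255.0 Tunnel2
!
! Because the proxy ID is any/any, the only thing that limits what crosses the VPN
! is the firewall. The tunnel sits in "untrust", so restrict it to the LAN-to-LAN flows you want.
ip access-list extended VPN-LAN-TO-LAN
 permit ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255
ip access-list extended LAN-TO-VPN
 permit ip 198.51.100.0 0.0.0.255 192.0.2.0 0.0.0.255
!
class-map type inspect match-all VPN-IN-CM
 match access-group name VPN-LAN-TO-LAN
class-map type inspect match-all VPN-OUT-CM
 match access-group name LAN-TO-VPN
!
policy-map type inspect UNTRUST-TO-TRUST
 class type inspect VPN-IN-CM
  inspect
 class class-default
  drop log
policy-map type inspect TRUST-TO-UNTRUST
 class type inspect VPN-OUT-CM
  inspect
 class class-default
  drop log
!
zone-pair security UNTRUST-TRUST source untrust destination trust
 service-policy type inspect UNTRUST-TO-TRUST
zone-pair security TRUST-UNTRUST source trust destination untrust
 service-policy type inspect TRUST-TO-UNTRUST
```

Two checks are worth running after this is in place. "show crypto ipsec sa" should show the local and remote ident as 0.0.0.0/0.0.0.0/0/0 on both ends; if the far side presents a narrower selector, phase 2 fails exactly as the answer describes. "show policy-map type inspect zone-pair" (or "show zone-pair security") confirms that the decrypted traffic is actually hitting the inspect class rather than class-default. One caveat: the IKE and ESP packets themselves terminate on the router, so they belong to the self zone and are permitted by default; if a self-zone policy exists, it must allow UDP/500, UDP/4500 and ESP to the WAN address or the tunnel never comes up.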