Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

Local IPSec VTI compatability with remote Crypto IPSec


I am currently trying to configure a local hub VPN router (Cisco 2821) with IPSec VTI's which in turn will connect to remote
partner offices. The remote sites have traditional VPN's configurations configured using standard crypto maps. Phase 1 IKE completes succesfully
but phase 2 terminates with the error:

"no crypto map for remote peer <remote peer IP>"

With a traditional VPN connection from the hub VPN router the IPSec tunnel comes up without a problem but as soon as we convert
to IPSec VTI's the IPSec tunnel can no longer be set up. Initial diagnostics seem to point to the fact that because the IPSec policy of the hub VPN router
VTI's no longer uses crypto ACL's that the remote peer no longer accepts the transform-proposal from the hub due to this.

Are VTI's compatible with traditional crypto VPN's and if so does anybody have any reference documentation on them. I have read much of the Cisco docs on VTI's etc but still do not have a clear idea on this compatability of these technologies.

Many thanks in advance



Re: Local IPSec VTI compatability with remote Crypto IPSec

AFAIK - VTI are actually "Tunnels" and require tunnel source/destinations otherwise the tunnel is incomplete.

The whole VTI thinking is to effectvly create a GRE tunnel with IPSEC encryption across the WAN.

You need Tunnel interfaces @ BOTH ends for it to work, not just one end.



CreatePlease to create content