Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Using SVTI with non Cisco peers

Hello Community,

I have a particular setup in mind, but can't get it to work in a GNS3 environment to have it tested before trying it in our production setup.

We have a setup using two VPN routers (3845) with HSRP, BGP and VRF (with rri), using a classical setup with crypto maps, connecting other parties to our DC. We do not manage the peer hardware in these cases.

I'm have been looking into the possibilities to move from this setup, to a setup using SVTI with IPSEC. This change must be transparant to our peers; no config changes should be needed on their component(s).

So I've build our setup in GNS3 (apart from the BGP and VRF) to test this. I have the current IPSEC VPN with crypto maps working in GNS3, with both sides using the same (Cisco) setup in terms of ISAKPM and IPSEC with an ACL.

I've made the changes on "our" HSRP VPN setup according to "IPsec Virtual Tunnel Interface" guide from the Cisco site in GNS3 (can't seem to find the link to the online doc).

It looks like the tunnel is being build, but phase two is not completing, because of, I think, the mismatch between both peers on the ecnryption domain. the VTI side uses routing through the Tunnel interface, sending "IP any any", to the peer, whereas the peer uses a ACL expecting a specifc source and destination.

Here's a debug snippet (ignore the date/time) seen from the peer (using an ACL):

*Mar  1 02:02:45.199: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address xx.xx.xx.xx

*Mar  1 02:02:45.199: ISAKMP:(0:9:SW:1): IPSec policy invalidated proposal

*Mar  1 02:02:45.199: ISAKMP:(0:9:SW:1): phase 2 SA policy not acceptable! (local xx.xx.xx.xx remote yy.yy.yy.yy)

*Mar  1 02:02:45.199: ISAKMP:(0:9:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3

In this post, https://supportforums.cisco.com/message/3052235#3052235, it is suggested that when using a setup with VTI's, both sides/peers should use the same kind of setup i.e. VTI. I can imagine this to be realistic when you manage both peers.

All Cisco docs assume both peers use (S|D)VTI.

My questions:

1. Is it possible to have a setup where PeerA (Cisco hadrware) uses SVTI with IPSEC and PeerB is unknown (can be any vendor) or uses some kind of ACL and given that all other encryption settings match

2. Does anyone has experience with such a setup ? If so can you provide me with an example configuration

3. Is there an other similair solution using a virtual interfaces or a loopback interface ?

Thank you kindly for your input.

Avinash

I hope you can help me

Everyone's tags (7)
646
Views
0
Helpful
0
Replies
CreatePlease login to create content