
New Member

VTI and crypto map

Hello

I am wondering if it is possible to have an IPsec tunnel configuration in which one side of the tunnel is configured with a static VTI and the other with a traditional crypto map.

If yes, how should the configuration on the side with the crypto map look?

Thank you in advance for an answer.

Regards

Lukas

1 ACCEPTED SOLUTION
Cisco Employee

VTI and crypto map

Lukasz,

This config is impractical for a few reasons.

VTI dictates that an "any any" proxy ID set is negotiated. While this works well on a virtual interface, where routing can push traffic towards a specific interface, it will cause ALL traffic to be encrypted on the crypto map side and expect all traffic to be encrypted when it's received (since the crypto map is part of OCE along the output path).

A more practical approach in the Cisco world is multi-SA DVTI, where a DVTI can terminate almost any kind of initiated tunnel (i.e. we allow the DVTI to handle multiple SAs under one virtual interface); it works very well in some cases.

You can have DVTI on your end and allow customers to use almost anything (ranging from SVTI to crypto maps).
I'll shoot you also an email in parallel, just a bit stuck on something at the moment.

M.
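To make the recommendation above concrete, here is an added example (not part of the original thread, and not Cisco-provided configuration) of the arrangement the answer describes: a hub that terminates peers on a DVTI, and a spoke that still uses a classic crypto map with a narrow proxy ACL. Everything below is constructed: the addresses 203.0.113.1 (hub) and 198.51.100.2 (spoke), the 10.1.0.0/16 and 10.2.0.0/16 LANs, the pre-shared key placeholder, and the interface and profile names. It assumes an IOS release on the hub that supports multi-SA on DVTI, so the hub accepts the spoke's specific proxy IDs instead of insisting on any/any; on a release without that support the same spoke would have to carry a `permit ip any any` crypto ACL, which is the impractical case the answer warns about.

```text
! ===== Hub: DVTI responder (added example, constructed values) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
! PSK for the spoke; replace the placeholder with a real secret
crypto isakmp key SHARED-SECRET-PLACEHOLDER address 198.51.100.2
!
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile IPSEC-DVTI
 set transform-set TS-AES256
 ! RRI installs the spoke's negotiated proxy networks as routes via
 ! the Virtual-Access interface, so hub-side routing needs no static
 ! entries that depend on the spoke's crypto ACL.
 set reverse-route
!
crypto isakmp profile IKE-DVTI
 match identity address 198.51.100.2 255.255.255.255
 virtual-template 1
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
!
interface GigabitEthernet0/1
 ip address 10.1.0.1 255.255.0.0
!
! Each peer that matches IKE-DVTI gets its own Virtual-Access clone
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-DVTI
!
! ===== Spoke: classic crypto map (added example, constructed values) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
crypto isakmp key SHARED-SECRET-PLACEHOLDER address 203.0.113.1
!
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Narrow proxy IDs: only LAN-to-LAN traffic is protected, nothing else
! is forced through the tunnel. This is what an SVTI peer could not
! accept, because it would negotiate any/any instead.
ip access-list extended VPN-TRAFFIC
 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!
crypto map CM-HUB 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-AES256
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 ip address 198.51.100.2 255.255.255.0
 crypto map CM-HUB
!
interface GigabitEthernet0/1
 ip address 10.2.0.1 255.255.0.0
!
ip route 10.1.0.0 255.255.0.0 198.51.100.1
```

Bring the tunnel up from the spoke side (a ping from 10.2.0.1 to 10.1.0.1 is enough) and check `show crypto ipsec sa` on the hub: the SA should hang off a Virtual-Access interface and carry the spoke's 10.2.0.0/16 to 10.1.0.0/16 proxy identities rather than 0.0.0.0/0 to 0.0.0.0/0, and `show ip route` on the hub should show 10.2.0.0/16 installed by RRI. If the hub instead rejects the proposal with a proxy-ID mismatch, the release does not honour narrow selectors on the DVTI and the design falls back to the problem described in the answer.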

2 REPLIES

New Member

VTI and crypto map

Thanks a lot.

Lukas
