Local IPSec VTI compatability with remote Crypto IPSec

Hi,

I am currently trying to configure a local hub VPN router (Cisco 2821) with IPSec VTI's which in turn will connect to remote
partner offices. The remote sites have traditional VPN's configurations configured using standard crypto maps. Phase 1 IKE completes succesfully
but phase 2 terminates with the error:

"no crypto map for remote peer <remote peer IP>"

With a traditional VPN from the hub VPN router this IPSec tunel comes up without a problem but as soon as we want to convert
to IPSec VTI's the IPSec tunnel can no longer be set up. Initial diagnostics seem to point to the fact that because the IPSec policy of the hub VPN router
VTI's no longer uses crypto ACL's that the remote peer no longer accepts the transform-proposal from the hub.

Are VTI's compatible with traditional crypto VPN's and if so does anybody have any reference documentation on them. I have read much of the Cisco docs on VTI's etc
but still do not have a clear idea on this compatability of these technologies.

Many thanks in advance
FlowTraderAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

BrassMonkey26Commented:
I found a website that I think can help you:

http://www.nil.com/ipcorner/IPsecVPN3/
0
OzNetNerdCommented:
I do not believe VTI and Crypto Map VPNs are compatible. VTI was created to replace Crypto Maps and has added advantages such as being able to run a routing protocol over it.

The two VPNs technologies are also set up differently (interesting traffic and a crypto map applied to an interface as opposed to a standard virtual interface).

So although both technologies use transform sets, I doubt they are compatible.

Are you able to change the configuration of the remote sites?
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
FlowTraderAuthor Commented:
Many thanks for the responses. I am going to try and lab the potential solution from BrassMonkey26's post and update the outcome.
0
FlowTraderAuthor Commented:
Turns out that the comment made by bbd00 is correct, VTI interfaces need to be configured on both sides of the tunnel. Many thanks
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
VPN

From novice to tech pro — start learning today.