Firepower Dynamic VTI and Hub-Spoke VPN
1. Create loopback interface
2. Create dynamic VTI
   After clicking OK:
3. Create a S2S VPN, add Hub
   After clicking Save:
4. Add VPN spoke
   After clicking OK:
5. Add bidirectional ACP
6. Add static route or dynamic route

ASAv spoke needs 9.20 to support interface route injection. Because the FTD DVTI borrows its IP from the loopback interface, without this peer VTI host route FTD will route the peer VTI IP toward the loopback and never be able to reach it via the VPN tunnel. This is important when running OSPF or BGP to reach the next hop.

tunnel-group x.x.x.x ipsec-attributes
 ikev2 route set interface

When configuring OSPF, the DVTI uses the IP borrowed from the loopback interface. A directly configured DVTI IP does not seem to work.

After the spoke is configured, the first VPN is up:

CLI:
FTD72# sh crypto isakmp sa
There are no IKEv1 SAs
IKEv2 SAs:
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote fvrf/ivrf St
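The routing pitfall above (the hub's DVTI borrows its address from a loopback, so the peer's VTI address falls inside the loopback's connected subnet and is sent to the loopback unless a more specific host route points at the tunnel) can be reproduced with a small longest-prefix-match model. This is an added example, not configuration or code from the original post; the route table, the 10.255.0.0/24 loopback subnet, the spoke address 10.255.0.2 and the "Virtual-Access1" interface name are all constructed assumptions for illustration.

```python
"""Longest-prefix-match check for the FTD dynamic VTI (DVTI) routing pitfall.

Added example, not from the original page. The addresses and the route
table below are constructed: the hub's DVTI borrows 10.255.0.1 from
Loopback1 (10.255.0.0/24), and the spoke's VTI address is 10.255.0.2.
The per-spoke tunnel interface name "Virtual-Access1" is an assumption.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    source: str  # e.g. "connected", "static", "ikev2-injected"


# Constructed hub routing table: default route plus the loopback's connected
# subnet, which the DVTI borrows its IP from.
DEFAULT_ROUTE = Route(ipaddress.ip_network("0.0.0.0/0"), "outside", "static")
HUB_LOOPBACK = Route(ipaddress.ip_network("10.255.0.0/24"), "Loopback1", "connected")


def hub_table_without_host_route():
    """Hub table before any /32 for the peer VTI address exists."""
    return [DEFAULT_ROUTE, HUB_LOOPBACK]


def hub_table_with_host_route(peer_vti_ip, iface="Virtual-Access1"):
    """Same table plus the host route a static entry or
    'ikev2 route set interface' injection would add."""
    host = Route(ipaddress.ip_network(peer_vti_ip + "/32"), iface, "ikev2-injected")
    return hub_table_without_host_route() + [host]


def lookup(table, dest):
    """Return the most specific route covering dest, or None."""
    dest = ipaddress.ip_address(dest)
    matches = [r for r in table if dest in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: r.prefix.prefixlen)


def check_peer_reachability(table, peer_vti_ip, tunnel_iface_prefix="Virtual-Access"):
    """Classify how the hub would forward traffic to a spoke's VTI address."""
    route = lookup(table, peer_vti_ip)
    if route is None:
        return "no-route"
    if route.interface.lower().startswith("loopback"):
        # Longest match is the loopback's connected subnet: traffic never
        # enters the IPsec tunnel, which is the failure the page describes.
        return "blackholed-to-loopback"
    if route.interface.startswith(tunnel_iface_prefix):
        return "via-tunnel"
    return "other:" + route.interface


if __name__ == "__main__":
    peer = "10.255.0.2"
    print("without host route:", check_peer_reachability(hub_table_without_host_route(), peer))
    print("with host route:   ", check_peer_reachability(hub_table_with_host_route(peer), peer))
```

Run stand-alone, the script reports the peer address as blackholed to Loopback1 when only the connected /24 exists and as reachable via the tunnel once the /32 host route is present; the same check can be fed a parsed `show route` table to verify a real hub after the spoke comes up.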