Showing posts from June, 2024

Firepower Dynamic VTI and Hub-Spoke VPN

1. Create a loopback interface.
2. Create the dynamic VTI (after clicking OK).
3. Create a S2S VPN and add the hub (after clicking Save).
4. Add the VPN spoke (after clicking OK).
5. Add a bidirectional ACP.
6. Add a static route or dynamic route.

Note: the ASAv spoke needs 9.20 to support interface route injection. Because the FTD dVTI borrows its IP from the loopback interface, without this peer VTI host route FTD will route the peer VTI IP to the loopback and never be able to reach it via the VPN tunnel. This is important when running OSPF or BGP to reach the next hop.

    tunnel-group x.x.x.x ipsec-attributes
     ikev2 route set interface

When configuring OSPF, the dVTI uses the IP borrowed from the loopback interface. A directly configured dVTI IP seems not to work.

After the spoke is configured, the first VPN is up. CLI:

    FTD72# sh crypto isakmp sa
    There are no IKEv1 SAs
    IKEv2 SAs:
    Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
    Tunnel-id Local Remote fvrf/ivrf St
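The spoke side of the setup above as a CLI fragment, added here as an example and not taken from the original post: an ASAv 9.20 static VTI pointing at the FTD hub, with `ikev2 route set interface` so the hub learns a host route to the spoke's VTI address over the tunnel instead of sending it to its loopback. Interface names, addresses (203.0.113.1 hub, 10.255.0.0/24 VTI subnet), proposal and profile names are assumed, and an IKEv2 policy plus `crypto ikev2 enable outside` are assumed to exist already.

```cisco
! --- ASAv spoke (added example; all names and addresses are assumed) ---
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ipsec profile VTI-PROFILE
 set ikev2 ipsec-proposal AES256-SHA256
!
! Static VTI on the spoke; its address sits in the hub loopback subnet
! that the hub dVTI borrows (hub loopback assumed 10.255.0.1/24)
interface Tunnel1
 nameif vti-hub
 ip address 10.255.0.2 255.255.255.0
 tunnel source interface outside
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <assumed-psk>
 ikev2 local-authentication pre-shared-key <assumed-psk>
 ! Inject the VTI interface address (10.255.0.2/32) toward the hub
 ! during IKEv2 so the hub routes it out the virtual-access tunnel
 ikev2 route set interface
```

To confirm the injection on the hub, `show route` should list 10.255.0.2/32 via the dynamic virtual-access interface rather than as part of the connected loopback subnet; if it is missing, the OSPF or BGP neighbor over the tunnel will not come up.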