What is the problem and how do you make the VPN use the VTI tunnels?

You have three Gateways in a mesh community. Each Gateway’s VPN Domain is its
internal network, as defined on the Topology tab by the setting All IP Addresses behind Gateway
based on Topology information. You want to test the route-based VPN, so you created VTIs
among the Gateways and created static route entries for the VTIs. However, when you test
the VPN, you find that the VPN still goes through the regular domain IPsec tunnels instead of
the routed VTI tunnels. What is the problem and how do you make the VPN use the VTI
tunnels?

A.
Route-based VTI takes precedence over the Domain VPN. To make the VPN go through
VTI, use a dynamic routing protocol like OSPF or BGP to route the VTI address to the peer
instead of static routes

B.
Domain VPN takes precedence over the route-based VTI. To make the VPN go through
VTI, use an empty group object as each Gateway’s VPN Domain

C.
Domain VPN takes precedence over the route-based VTI. To make the VPN go through
VTI, remove the Gateways out of the mesh community and replace with a star community

D.
Route-based VTI takes precedence over the Domain VPN. Troubleshoot the static route
entries to ensure that they are correctly pointing to the VTI gateway IP.


