IPSec VTIs (Virtual Tunnel Interfaces) are a newer method to configure site-to-site IPSec VPNs. It is a simpler method: the VPN is configured on a tunnel interface, so you no longer need any pesky access-lists and a crypto-map to define what traffic to encrypt.
Configuration
Let’s look at an example. I use the following topology:
R1 and R2 are the two routers that will be used for the site-to-site IPSec VPN. I will manually configure the tunnel and endpoints, so this will be a static virtual tunnel interface. H1 and H2 are used to test the tunnel.
Let’s start with R1:
R1
Let’s start with the IPSec phase 1 configuration:
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#encryption aes
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
And configure our remote neighbor (R2):
R1(config-isakmp)#crypto isakmp key MY_PASSWORD address 192.168.12.2
Now we can configure phase 2:
R1(config)#crypto ipsec transform-set MY_TRANSFORM_SET esp-aes esp-sha-hmac
R1(cfg-crypto-trans)#mode tunnel
R1(config)#crypto ipsec profile IPSEC_PROFILE
R1(ipsec-profile)#set transform-set MY_TRANSFORM_SET
This part is much simpler: you only have to create a transform-set and a crypto IPSec profile. The crypto IPSec profile refers to the transform-set. You don't have to create a crypto-map anymore and apply it to the outside interface.
Now we combine everything on the tunnel interface:
R1(config)#interface Tunnel 0
R1(config-if)#ip address 12.12.12.1 255.255.255.0
R1(config-if)#tunnel source 192.168.12.1
R1(config-if)#tunnel destination 192.168.12.2
R1(config-if)#tunnel mode ipsec ipv4
R1(config-if)#tunnel protection ipsec profile IPSEC_PROFILE
The configuration of the tunnel interface is similar to a regular GRE tunnel: we set a source and destination IP address. The tunnel mode, however, is IPSec IPv4, and we attach our IPSec profile with the tunnel protection command.
Last but not least, make sure you have a route that points to the subnet on the other side. The exit interface of the route is the tunnel interface:
R1(config)#ip route 192.168.2.0 255.255.255.0 Tunnel0
That’s all we need.
R2
The configuration of R2 is exactly the same except for the IP addresses:
R2(config)#crypto isakmp policy 1
R2(config-isakmp)#encryption aes
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#group 2
R2(config-isakmp)#crypto isakmp key MY_PASSWORD address 192.168.12.1
R2(config)#crypto ipsec transform-set MY_TRANSFORM_SET esp-aes esp-sha-hmac
R2(cfg-crypto-trans)#mode tunnel
R2(config)#crypto ipsec profile IPSEC_PROFILE
R2(ipsec-profile)#set transform-set MY_TRANSFORM_SET
R2(config)#interface Tunnel0
R2(config-if)#ip address 12.12.12.2 255.255.255.0
R2(config-if)#tunnel source 192.168.12.2
R2(config-if)#tunnel destination 192.168.12.1
R2(config-if)#tunnel mode ipsec ipv4
R2(config-if)#tunnel protection ipsec profile IPSEC_PROFILE
R2(config)#ip route 192.168.1.0 255.255.255.0 Tunnel0
That’s all there is to it.
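As an added example (my own code, not part of the lesson), here is a small Python checker that parses a running-config excerpt built from the commands above, with the prompts removed, and verifies what must agree between the two ends of a static VTI: mirrored tunnel source/destination, an ISAKMP key for the peer address, tunnel mode ipsec ipv4, a tunnel protection line that names an existing IPSec profile, and a static route for the remote LAN via Tunnel0. The names vti_config, parse_vti and check_pair are mine, and the excerpt leaves out the ISAKMP policy and mode tunnel lines because the checks do not read them.

```python
def vti_config(local, peer, remote_lan):
    # Constructed running-config excerpt: the lesson's VTI commands without prompts.
    return f"""crypto isakmp key MY_PASSWORD address {peer}
crypto ipsec transform-set MY_TRANSFORM_SET esp-aes esp-sha-hmac
crypto ipsec profile IPSEC_PROFILE
 set transform-set MY_TRANSFORM_SET
interface Tunnel0
 tunnel source {local}
 tunnel destination {peer}
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROFILE
ip route {remote_lan} 255.255.255.0 Tunnel0"""

def parse_vti(cfg):
    d = {"keys": set(), "profiles": {}, "tunnel": {}, "routes": {}}  # what a VTI depends on
    ctx = None  # current config section: ("profile", name) or ("tunnel", name)
    for w in (line.split() for line in cfg.splitlines() if line.strip()):
        if w[:3] == ["crypto", "isakmp", "key"]:
            d["keys"].add(w[w.index("address") + 1])
        elif w[:3] == ["crypto", "ipsec", "profile"]:
            ctx = ("profile", w[3])
        elif w[0] == "interface":
            ctx = ("tunnel", w[1]) if w[1].startswith("Tunnel") else None
        elif ctx and ctx[0] == "profile" and w[:2] == ["set", "transform-set"]:
            d["profiles"][ctx[1]] = w[2]
        elif ctx and ctx[0] == "tunnel" and w[0] == "tunnel":
            d["tunnel"][w[1]] = " ".join(w[2:])  # source/destination/mode/protection
        elif w[:2] == ["ip", "route"]:
            d["routes"][w[2]] = w[4]  # prefix -> next hop or exit interface
    return d

def check_pair(a, b, a_lan, b_lan):
    f = []  # findings; an empty list means the two sides agree
    for me, peer, lan in ((a, b, b_lan), (b, a, a_lan)):
        t, prof = me["tunnel"], me["tunnel"].get("protection", "").rsplit(" ", 1)[-1]
        if t.get("destination") != peer["tunnel"].get("source"):
            f.append("tunnel destination does not match the peer's tunnel source")
        if t.get("destination") not in me["keys"]:
            f.append("no isakmp key for the tunnel destination address")
        if t.get("mode") != "ipsec ipv4":
            f.append("tunnel mode is not ipsec ipv4")
        if prof not in me["profiles"]:
            f.append("tunnel protection does not name a configured ipsec profile")
        if me["routes"].get(lan) != "Tunnel0":
            f.append(f"no static route for {lan} via Tunnel0")
    return f

R1 = parse_vti(vti_config("192.168.12.1", "192.168.12.2", "192.168.2.0"))
R2 = parse_vti(vti_config("192.168.12.2", "192.168.12.1", "192.168.1.0"))
print(check_pair(R1, R2, "192.168.1.0", "192.168.2.0"))  # [] for the lesson's pair
```

Feed it the output of show running-config from both routers and any non-empty list points at the side and the command that needs fixing before you start pinging.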
Verification
Let’s see if this works! We will start with a quick ping:
H1#ping 192.168.2.200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.200, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 18/24/37 ms
This ping is promising. Remember that the static routes on R1 and R2 point to the tunnel interface, so this at least tells me it's probably working. Let's take a closer look at the tunnel interface:
R1#show interfaces Tunnel 0
Tunnel0 is up, line protocol is up
Hardware is Tunnel
Internet address is 12.12.12.1/24
MTU 17878 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel linestate evaluation up
Tunnel source 192.168.12.1, destination 192.168.12.2
Tunnel protocol/transport IPSEC/IP
Tunnel TTL 255
Tunnel transport MTU 1438 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "IPSEC_PROFILE")
The output above is useful. It tells me the tunnel interface is up and running, that it's using IPSec, and it shows us the IPSec profile. Let's take a closer look at the IPSec session:
Please, I need a clarification: is it true that we cannot use IPSec with DVTI/VTI and IPSec with crypto-map and access-lists in the same router? Let's say we have a one-hub, two-spokes topology. Can we configure one spoke with IPSec using VTI and the other spoke with crypto-map and access-lists, then set up the hub router to handle the two spokes? Is it possible?
While waiting for your insights, I will try to lab this on GNS3.
Thanks, nice explanation.