You are here: Home » Cisco » CCIE Routing & Switching Written

IPSec Static Virtual Tunnel Interface

IPSec VTIs (Virtual Tunnel Interface) is a newer method to configure site-to-site IPSec VPNs. It’s a simpler method to configure VPNs, it uses a tunnel interface, and you don’t have to use any pesky access-lists and a crypto-map anymore to define what traffic to encrypt.

Configuration

Let’s look at an example. I use the following topology:

R1 and R2 are the two routers that will be used for the site-to-site IPSec VPN. I will manually configure the tunnel and endpoints, so this will be a static virtual tunnel interface. H1 and H2 are used to test the tunnel.

Let’s start with R1:

R1

Let’s start with the IPSec phase 1 configuration:

R1(config)#crypto isakmp policy 1
R1(config-isakmp)#encryption aes
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2

And configure our remote neighbor (R2):

R1(config-isakmp)#crypto isakmp key MY_PASSWORD address 192.168.12.2

Now we can configure phase 2:

R1(config)#crypto ipsec transform-set MY_TRANSFORM_SET esp-aes esp-sha-hmac 
R1(cfg-crypto-trans)#mode tunnel

R1(config)#crypto ipsec profile IPSEC_PROFILE
R1(ipsec-profile)#set transform-set MY_TRANSFORM_SET

This part is much simpler…you only have to create a transform-set and a crypto IPSec profile. The crypto IPSec profile refers to the transform-set. You don’t have to create a crypto-map anymore and apply it to the outside interface.

Now we combine everything on the tunnel interface:

R1(config)#interface Tunnel 0
R1(config-if)#ip address 12.12.12.1 255.255.255.0
R1(config-if)#tunnel source 192.168.12.1
R1(config-if)#tunnel destination 192.168.12.2
R1(config-if)#tunnel mode ipsec ipv4
R1(config-if)#tunnel protection ipsec profile IPSEC_PROFILE

The configuration of the tunnel interface is similar to a regular GRE tunnel. We set a source and destination IP address. The tunnel mode, however, is IPSec IPv4 and we have to add our IPSec profile.

Last but not least, make sure you have a route that points to the subnet on the other side. The destination is the tunnel interface:

R1(config)#ip route 192.168.2.0 255.255.255.0 Tunnel0

That’s all we need.

R2

The configuration of R2 is exactly the same except for the IP addresses:

R2(config)#crypto isakmp policy 1
R2(config-isakmp)# encryption aes
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# group 2

R2(config-isakmp)#crypto isakmp key MY_PASSWORD address 192.168.12.1

R2(config)#crypto ipsec transform-set MY_TRANSFORM_SET esp-aes esp-sha-hmac 
R2(cfg-crypto-trans)# mode tunnel

R2(config)#crypto ipsec profile IPSEC_PROFILE
R2(ipsec-profile)# set transform-set MY_TRANSFORM_SET

R2(config)#interface Tunnel0
R2(config-if)# ip address 12.12.12.2 255.255.255.0
R2(config-if)# tunnel source 192.168.12.2
R2(config-if)# tunnel destination 192.168.12.1
R2(config-if)# tunnel mode ipsec ipv4
R2(config-if)# tunnel protection ipsec profile IPSEC_PROFILE

R2(config)#ip route 192.168.1.0 255.255.255.0 Tunnel0

That’s all there is to it.

Verification

Let’s see if this works! We will start with a quick ping:

H1#ping 192.168.2.200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.200, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 18/24/37 ms

This ping is promising. Remember that the static routes on R1 and R2 point to the tunnel interface so this at least tells me it’s probably working. Let’s take a closer look at the tunnel interface:

R1#show interfaces Tunnel 0
Tunnel0 is up, line protocol is up 
  Hardware is Tunnel
  Internet address is 12.12.12.1/24
  MTU 17878 bytes, BW 100 Kbit/sec, DLY 50000 usec, 
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel linestate evaluation up
  Tunnel source 192.168.12.1, destination 192.168.12.2
  Tunnel protocol/transport IPSEC/IP
  Tunnel TTL 255
  Tunnel transport MTU 1438 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "IPSEC_PROFILE")

The output above is useful. It tells me the tunnel interface is up and running, that it’s using IPSec and it shows us the IPSec profile. Let’s take a closer look at the IPSec session:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
Try for Just $1. The Best Dollar You've Ever Spent on Your Cisco Career!
Full Access to our 644 Lessons. More Lessons Added Every Week!
Content created by Rene Molenaar (CCIE #41726)

Give Membership a try - it's just $1 ►

482 Sign Ups in the last 30 days

100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Previous Lesson
IPsec Encrypted GRE

Next Lesson
IPSec Dynamic VTI Virtual Tunnel Interface

Tags: IPSec, Security

Forum Replies

chrisnewnham17 says:

Not quite, I meant like this:

You have to create a virtual tunnel interface and use an unnumbered IP.
ReneMolenaar says:

Hi Chris,

I just published a lesson where I use dynamic VTI on the hub and static VTIs on two spokes:

https://networklessons.com/cisco/ccie-routing-switching-written/ipsec-vti-virtual-tunnel-interface/

Rene
lagapides says:
Hello Yuta

So to reiterate, the tunnel mode ipsec ipv4 command configures the encapsulation. What does that mean? It may help to take a look at what we mean when we say encapsulation.

Now there is the option that I spoke about before, where you can use the following commands:
```
tunnel mode gre
tunnel protection ipsec profile profile_name
```
and the tunnel would be encrypted. This is because the first command deals with encapsulation while the second deals with the encryption.

Now if the commands are as follows:
```
tunnel mode ipsec ipv4
tunnel protection ipsec pro
```
... Continue reading in our forum
yuta0523 says:

Hi Laz,

Thank you for the explanation.
Please correct me if I am misunderstanding here. If the encapsulation is ipsec, then it means encrypting the original packets twice one with “tunel mode ipsec ipv4” and then “tunnel protection” command for second encryption while if we choose to use gre as encapsulation encryption is done on the whole gre and original packets?

Also would you please teach me how to decide which encapsulation type we should be using?

Regards,

Yuta
lagapides says:
Hello Yuta

IPSec functions in two modes. Tunnel mode and transport mode. Tunnel mode is when IPSec is the protocol that is used for tunneling and for encapsulation. This is the case when we configure the following:
```
tunnel mode ipsec ipv4
tunnel protection ipsec profile profile_name
```
where the profile as shown in the lesson chooses to use the tunnel mode for IPSec.

Whenever you choosetunnel mode ipsec ipv4 it is necessary to include the type of encapsulation mechanisms that you will use by indicating the tunnel protection command as well. These two commands t
... Continue reading in our forum

15 more replies! Ask a question or join the discussion by visiting our Community Forum