You are here: Home » Cisco » CCIE Routing & Switching Written

IPSec Static Virtual Tunnel Interface

IPSec VTIs (Virtual Tunnel Interface) is a newer method to configure site-to-site IPSec VPNs. It’s a simpler method to configure VPNs, it uses a tunnel interface, and you don’t have to use any pesky access-lists and a crypto-map anymore to define what traffic to encrypt.

Configuration

Let’s look at an example. I use the following topology:

R1 and R2 are the two routers that will be used for the site-to-site IPSec VPN. I will manually configure the tunnel and endpoints, so this will be a static virtual tunnel interface. H1 and H2 are used to test the tunnel.

Let’s start with R1:

R1

Let’s start with the IPSec phase 1 configuration:

R1(config)#crypto isakmp policy 1
R1(config-isakmp)#encryption aes
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2

And configure our remote neighbor (R2):

R1(config-isakmp)#crypto isakmp key MY_PASSWORD address 192.168.12.2

Now we can configure phase 2:

R1(config)#crypto ipsec transform-set MY_TRANSFORM_SET esp-aes esp-sha-hmac 
R1(cfg-crypto-trans)#mode tunnel

R1(config)#crypto ipsec profile IPSEC_PROFILE
R1(ipsec-profile)#set transform-set MY_TRANSFORM_SET

This part is much simpler…you only have to create a transform-set and a crypto IPSec profile. The crypto IPSec profile refers to the transform-set. You don’t have to create a crypto-map anymore and apply it to the outside interface.

Now we combine everything on the tunnel interface:

R1(config)#interface Tunnel 0
R1(config-if)#ip address 12.12.12.1 255.255.255.0
R1(config-if)#tunnel source 192.168.12.1
R1(config-if)#tunnel destination 192.168.12.2
R1(config-if)#tunnel mode ipsec ipv4
R1(config-if)#tunnel protection ipsec profile IPSEC_PROFILE

The configuration of the tunnel interface is similar to a regular GRE tunnel. We set a source and destination IP address. The tunnel mode, however, is IPSec IPv4 and we have to add our IPSec profile.

Last but not least, make sure you have a route that points to the subnet on the other side. The destination is the tunnel interface:

R1(config)#ip route 192.168.2.0 255.255.255.0 Tunnel0

That’s all we need.

R2

The configuration of R2 is exactly the same except for the IP addresses:

R2(config)#crypto isakmp policy 1
R2(config-isakmp)# encryption aes
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# group 2

R2(config-isakmp)#crypto isakmp key MY_PASSWORD address 192.168.12.1

R2(config)#crypto ipsec transform-set MY_TRANSFORM_SET esp-aes esp-sha-hmac 
R2(cfg-crypto-trans)# mode tunnel

R2(config)#crypto ipsec profile IPSEC_PROFILE
R2(ipsec-profile)# set transform-set MY_TRANSFORM_SET

R2(config)#interface Tunnel0
R2(config-if)# ip address 12.12.12.2 255.255.255.0
R2(config-if)# tunnel source 192.168.12.2
R2(config-if)# tunnel destination 192.168.12.1
R2(config-if)# tunnel mode ipsec ipv4
R2(config-if)# tunnel protection ipsec profile IPSEC_PROFILE

R2(config)#ip route 192.168.1.0 255.255.255.0 Tunnel0

That’s all there is to it.

Verification

Let’s see if this works! We will start with a quick ping:

H1#ping 192.168.2.200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.200, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 18/24/37 ms

This ping is promising. Remember that the static routes on R1 and R2 point to the tunnel interface so this at least tells me it’s probably working. Let’s take a closer look at the tunnel interface:

R1#show interfaces Tunnel 0
Tunnel0 is up, line protocol is up 
  Hardware is Tunnel
  Internet address is 12.12.12.1/24
  MTU 17878 bytes, BW 100 Kbit/sec, DLY 50000 usec, 
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel linestate evaluation up
  Tunnel source 192.168.12.1, destination 192.168.12.2
  Tunnel protocol/transport IPSEC/IP
  Tunnel TTL 255
  Tunnel transport MTU 1438 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "IPSEC_PROFILE")

The output above is useful. It tells me the tunnel interface is up and running, that it’s using IPSec and it shows us the IPSec profile. Let’s take a closer look at the IPSec session:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is Why:

Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
Try for Just $1. The Best Dollar You've Ever Spent on Your Cisco Career!
Full Access to our 613 Lessons. More Lessons Added Every Week!
Content created by Rene Molenaar (CCIE #41726)

Give Membership a try – it’s just $1 ►

418 New Members signed up the last 30 days!

satisfaction-guaranteed

100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Previous Lesson
IPsec Encrypted GRE

Next Lesson
IPSec Dynamic VTI Virtual Tunnel Interface

Tags: IPSec, Security

Forum Replies

michmoor says:

November 17, 2017

In my lab , GNS3, running the command “tunnel mode ipsec ipv4” actually breaks VTI. I am unable to pass traffic . Once i remove that piece and keep the tunnel protection command then my VPN comes up. Do you know why?

I am running C7200-ADVENTERPRISEK9-M code.

Running a packet capture i see that traffic is indeed encrypted (ESP) over my “wan”.
hengsovandara1345 says:

December 17, 2017
Hi Rene
If i have 3 routers and like A B C and i want to create IPsec Virtual Tunnel Interface between A and C. As i see your configuration.
```
R2(config-if)# tunnel source 192.168.12.2
R2(config-if)# tunnel destination 192.168.12.1
```
In my case I have router B in the middle so tunnel source and tunnel destination will not be in the same network. Is it ok about that ?
Thank u.
Sovandara
chrisnewnham17 says:

March 22, 2018

Hi Rene

Do you plan on doing a dynamic example also, using Virtual Access and Virtual Templates?
chrisnewnham17 says:

March 24, 2018

Not quite, I meant like this:

You have to create a virtual tunnel interface and use an unnumbered IP.
ReneMolenaar says:

April 4, 2018

Hi Chris,

I just published a lesson where I use dynamic VTI on the hub and static VTIs on two spokes:

NetworkLessons.com – 4 Apr 18
IPSec VTI Virtual Tunnel Interface | NetworkLessons.com

In this lesson, you will learn how to configure DVTIs (Dynamic Virtual Tunnel Interface) on a hub router and static VTI on spoke routers. This is a great way to create a scalable hub and spoke IPSec topology.

Rene

3 more replies! Ask a question or join the discussion by visiting our Community Forum