IPSec Static Virtual Tunnel Interface

IPSec VTIs (Virtual Tunnel Interface) is a newer method to configure site-to-site IPSec VPNs. It’s a simpler method to configure VPNs, it uses a tunnel interface, and you don’t have to use any pesky access-lists and a crypto-map anymore to define what traffic to encrypt.


Let’s look at an example. I use the following topology:

Ipsec Vti Tunnel Interface Topology

R1 and R2 are the two routers that will be used for the site-to-site IPSec VPN. I will manually configure the tunnel and endpoints, so this will be a static virtual tunnel interface. H1 and H2 are used to test the tunnel.

Let’s start with R1:


Let’s start with the IPSec phase 1 configuration:

R1(config)#crypto isakmp policy 1
R1(config-isakmp)#encryption aes
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2

And configure our remote neighbor (R2):

R1(config-isakmp)#crypto isakmp key MY_PASSWORD address

Now we can configure phase 2:

R1(config)#crypto ipsec transform-set MY_TRANSFORM_SET esp-aes esp-sha-hmac 
R1(cfg-crypto-trans)#mode tunnel
R1(config)#crypto ipsec profile IPSEC_PROFILE
R1(ipsec-profile)#set transform-set MY_TRANSFORM_SET

This part is much simpler…you only have to create a transform-set and a crypto IPSec profile. The crypto IPSec profile refers to the transform-set. You don’t have to create a crypto-map anymore and apply it to the outside interface.

Now we combine everything on the tunnel interface:

R1(config)#interface Tunnel 0
R1(config-if)#ip address
R1(config-if)#tunnel source
R1(config-if)#tunnel destination
R1(config-if)#tunnel mode ipsec ipv4
R1(config-if)#tunnel protection ipsec profile IPSEC_PROFILE

The configuration of the tunnel interface is similar to a regular GRE tunnel. We set a source and destination IP address. The tunnel mode, however, is IPSec IPv4 and we have to add our IPSec profile.

Last but not least, make sure you have a route that points to the subnet on the other side. The destination is the tunnel interface:

R1(config)#ip route Tunnel0

That’s all we need.


The configuration of R2 is exactly the same except for the IP addresses:

R2(config)#crypto isakmp policy 1
R2(config-isakmp)# encryption aes
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# group 2
R2(config-isakmp)#crypto isakmp key MY_PASSWORD address 
R2(config)#crypto ipsec transform-set MY_TRANSFORM_SET esp-aes esp-sha-hmac 
R2(cfg-crypto-trans)# mode tunnel
R2(config)#crypto ipsec profile IPSEC_PROFILE
R2(ipsec-profile)# set transform-set MY_TRANSFORM_SET 
R2(config)#interface Tunnel0
R2(config-if)# ip address
R2(config-if)# tunnel source
R2(config-if)# tunnel destination
R2(config-if)# tunnel mode ipsec ipv4
R2(config-if)# tunnel protection ipsec profile IPSEC_PROFILE
R2(config)#ip route Tunnel0

That’s all there is to it.


Let’s see if this works! We will start with a quick ping:

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 18/24/37 ms

This ping is promising. Remember that the static routes on R1 and R2 point to the tunnel interface so this at least tells me it’s probably working. Let’s take a closer look at the tunnel interface:

R1#show interfaces Tunnel 0
Tunnel0 is up, line protocol is up 
  Hardware is Tunnel
  Internet address is
  MTU 17878 bytes, BW 100 Kbit/sec, DLY 50000 usec, 
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel linestate evaluation up
  Tunnel source, destination
  Tunnel protocol/transport IPSEC/IP
  Tunnel TTL 255
  Tunnel transport MTU 1438 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "IPSEC_PROFILE")

The output above is useful. It tells me the tunnel interface is up and running, that it’s using IPSec and it shows us the IPSec profile. Let’s take a closer look at the IPSec session:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You’ve Ever Spent on Your Cisco Career!
  • Full Access to our 735 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)

512 Sign Ups in the last 30 days

100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Tags: ,

Forum Replies

  1. Hello Yuta

    Each of the commands you mentioned provide different features for the tunnel. The tunnel mode ipsec ipv4 command is the one that defines the mode for the tunnel. More specifically, this command enables IPSec encapsulation.

    The tunnel protection ip sec profile command is used to tie in the IPSec profile created earlier. This is where the encryption parameters are defined and applied.

    It is for this reason that when you removed the tunnel mode ipsec ipv4 command that the packets are still encrypted.

    It is possible to have tunnel mode gre which is th

    ... Continue reading in our forum

  2. Hello Yuta

    So to reiterate, the tunnel mode ipsec ipv4 command configures the encapsulation. What does that mean? It may help to take a look at what we mean when we say encapsulation.

    Now there is the option that I spoke about before, where you can use the following commands:

    tunnel mode gre
    tunnel protection ipsec profile profile_name

    and the tunnel would be encrypted. This is because the first command deals with encapsulation while the second deals with the encryption.

    Now if the commands are as follows:

    tunnel mode ipsec ipv4
    tunnel protection ipsec pro
    ... Continue reading in our forum

  3. Hello Yuta

    IPSec functions in two modes. Tunnel mode and transport mode. Tunnel mode is when IPSec is the protocol that is used for tunneling and for encapsulation. This is the case when we configure the following:

    tunnel mode ipsec ipv4
    tunnel protection ipsec profile profile_name

    where the profile as shown in the lesson chooses to use the tunnel mode for IPSec.

    Whenever you choosetunnel mode ipsec ipv4 it is necessary to include the type of encapsulation mechanisms that you will use by indicating the tunnel protection command as well. These two commands t

    ... Continue reading in our forum

  4. Hi there,
    please, I need a clarification, is it true that we cannot use IPSec with DVTI/VTI and IPSec with crypto-map and access-lists in the same router? Let says we have one hub and two spokes topology, can we configure one spoke with IPSec using VTI and the other spoke with crypto-map and access-lists, then setting up the hub router to handle the two spokes, is it possible?
    Within waiting for your insights, I will try to lab this on GNS3.

  5. thanks nice explanation :grinning:

26 more replies! Ask a question or join the discussion by visiting our Community Forum