Cisco IOS – design Site-to-Site IPsec VPNs VTI


NIL – Designing Site-to-Site IPsec VPNs – Part 3


Static and Dynamic Virtual Tunnel Interfaces (VTIs)

In the first two articles about ways to build site-to-site VPNs using IPsec, we examined the oldest method, crypto maps, and the same method augmented by GRE tunnels, which introduce logical interfaces that can, for example, carry routing protocols across the tunnel. Virtual tunnel interfaces (VTIs) are a later addition that removes the extra GRE overhead while still providing the logical interface that was missing when IPsec was deployed with crypto maps alone.

There are two flavors of VTIs:

A static VTI is very similar to a point-to-point GRE implementation using tunnel interfaces.

A dynamic VTI is very similar to a dial-in implementation using virtual templates, from which individual virtual-access interfaces are spawned for each peer.

Listing 1

Example: Static VTIs at both ends

!
! IKE pre-shared key for the peer; the address must be the same as the
! tunnel destination below, otherwise IKE negotiation never completes
crypto isakmp key mtt3rvLBO3jCoV50zoE address 192.168.1.2
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 hash sha
!
! esp-des is single DES (kept as in the original); a current deployment
! would use an AES transform
crypto ipsec transform-set TS esp-des esp-sha-hmac
!
crypto ipsec profile IPsecP
 set transform-set TS
!
interface Serial0
 ip address 192.168.1.1 255.255.255.252
!
interface Tunnel0
 ip address 10.1.1.1 255.255.255.252
 ip mtu 1300
 tunnel source Serial0
 tunnel destination 192.168.1.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPsecP
!
ip route 0.0.0.0 0.0.0.0 Serial0
ip route 10.0.0.0 255.0.0.0 Tunnel0
!
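As an added example (Python, not code from the article), the following lint parses a static-VTI configuration laid out like the listing above and reports the two classes of mistake a reviewer most often catches in such configs, plus any weak ESP transform. The embedded input is a constructed variant of Listing 1 with two defects deliberately introduced: the tunnel references a profile named IP while the profile is defined as IPsecP, and the pre-shared key is bound to 192.168.1.2 while the tunnel destination is 192.168.2.1. The function name lint_vti and the WEAK list are the example's own.

```python
import re

# Constructed input modelled on Listing 1, with two defects planted on purpose:
# the profile-name mismatch (IP vs IPsecP) and the peer-address mismatch.
LISTING_1 = """\
crypto isakmp key mtt3rvLBO3jCoV50zoE address 192.168.1.2
crypto ipsec transform-set TS esp-des esp-sha-hmac
crypto ipsec profile IPsecP
 set transform-set TS
interface Tunnel0
 ip address 10.1.1.1 255.255.255.252
 tunnel source Serial0
 tunnel destination 192.168.2.1
 tunnel protection ipsec profile IP
 tunnel mode ipsec ipv4
"""

# ESP transforms a reviewer should flag (DES and 3DES are deprecated, MD5 is weak)
WEAK = ("esp-des", "esp-3des", "esp-md5-hmac")

def lint_vti(config: str) -> list:
    """Check a static-VTI config for dangling references and weak transforms."""
    profiles, peers, tunnels, section, findings = set(), set(), {}, "", []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue                      # blank line or IOS comment
        if not line.startswith(" "):      # top-level command starts a section
            section = line
            if m := re.match(r"crypto ipsec profile (\S+)", line):
                profiles.add(m[1])
            elif m := re.match(r"crypto isakmp key \S+ address (\S+)", line):
                peers.add(m[1])           # peers we hold a pre-shared key for
            elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
                findings += [f"transform-set {m[1]} uses weak {t}"
                             for t in m[2].split() if t in WEAK]
            elif m := re.match(r"interface (Tunnel\d+)", line):
                tunnels[m[1]] = {}
        elif section.startswith("interface Tunnel"):
            # collect "tunnel destination X" and "tunnel protection ipsec profile X"
            if m := re.match(r" tunnel (destination|protection ipsec profile) (\S+)", line):
                tunnels[section.split()[1]][m[1].split()[0]] = m[2]
    for name, t in tunnels.items():
        if t.get("protection") not in profiles:
            findings.append(f"{name}: profile {t.get('protection')!r} not defined")
        if t.get("destination") not in peers:
            findings.append(f"{name}: no ISAKMP key for peer {t.get('destination')}")
    return findings
```

Running lint_vti on a config with the profile name, peer address and transform corrected returns an empty list.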

Listing 2

Example: Dynamic VTIs

!
! wildcard pre-shared key: any peer presenting this key is accepted, so the
! ISAKMP profile below is the only peer selection that takes place
crypto keyring WPSK
  pre-shared-key address 0.0.0.0 0.0.0.0 key rvH0cnVLUGe8naVY
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
! the ISAKMP profile ties matching peers to the virtual template, from which
! a Virtual-Access interface is cloned for each peer
crypto isakmp profile DVTI
 keyring WPSK
 match identity address 0.0.0.0
 virtual-template 1
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
crypto ipsec profile VTI
 set transform-set TS
!
! the loopback whose address the virtual template borrows (address as shown
! in Listing 4; the /32 mask is assumed)
interface Loopback0
 ip address 10.1.1.1 255.255.255.255
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!

Listing 3

Example: Static VTIs for central dynamic VTIs

!
crypto keyring WPSK
  pre-shared-key address 0.0.0.0 0.0.0.0 key rvH0cnVLUGe8naVY
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
crypto ipsec profile VTI
 set transform-set TS
!
! spoke side: a plain static VTI pointing at the hub (192.168.1.1), which
! answers from a cloned Virtual-Access interface; Loopback0 must exist on
! the spoke as well (its address is not shown in the original)
interface Tunnel0
 ip unnumbered Loopback0
 tunnel source FastEthernet0/0
 tunnel destination 192.168.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!

Listing 4

Example: Monitoring Dynamic VTIs for remote static VTIs

!
R1# show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.1.1     YES NVRAM  up                    up
FastEthernet0/1            unassigned      YES NVRAM  administratively down down
SSLVPN-VIF0                unassigned      NO  unset  up                    up
Virtual-Access1            unassigned      YES unset  down                  down
Virtual-Template1          10.1.1.1        YES TFTP   down                  down
Virtual-Access2            10.1.1.1        YES TFTP   up                    up
Virtual-Access3            10.1.1.1        YES TFTP   up                    up
Loopback0                  10.1.1.1        YES NVRAM  up                    up
Loopback1                  10.100.1.1      YES manual up                    up

R1# show crypto ipsec sa

interface: Virtual-Access3
    Crypto map tag: Virtual-Access3-head-0, local addr 192.168.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 192.168.1.3 port 500
     PERMIT, flags={origin_is_acl,}
