VPN Virtual Tunnel Interfaces

While doing a recent deployment, I ran across this concept. It's a
slightly different way to configure VPNs on a Cisco router that (for me)
is far less confusing and finicky. If you've ever configured VPNs using
a PIX firewall or IOS router, you probably know the pain of making sure
your crypto map is correctly configured. There are SO MANY pieces to it
that you're almost assured something won't match between one side of the
connection and the other (especially that "interesting traffic" ACL).
That's where IPsec Virtual Tunnel Interfaces (VTIs) come in. Check this out...

Instead of configuring crypto maps between your routers, you create
virtual interfaces, so the VPN has its own "point-to-point" style
connection between sites. The best way to get this is to see a
configuration example. I borrowed the syntax / graphic for this example
from Richard Deal's Complete Cisco VPN Configuration Guide by Cisco Press
(awesome book, by the way).

RouterA Configuration:
RTRA(config)# crypto isakmp policy 10
RTRA(config-isakmp)# encryption aes 128
RTRA(config-isakmp)# hash sha
RTRA(config-isakmp)# authentication pre-share
RTRA(config-isakmp)# group 2
RTRA(config-isakmp)# exit
RTRA(config)# crypto isakmp key cisco123 address 193.1.1.1 255.255.255.255 no-xauth
RTRA(config)# crypto ipsec transform-set RTRtran esp-aes esp-sha-hmac
RTRA(cfg-crypto-trans)# exit
RTRA(config)# crypto ipsec profile VTI
RTRA(ipsec-profile)# set transform-set RTRtran
RTRA(ipsec-profile)# exit
RTRA(config)# interface tunnel 0
RTRA(config-if)# ip address 192.168.3.1 255.255.255.0
RTRA(config-if)# tunnel source 192.1.1.1
RTRA(config-if)# tunnel destination 193.1.1.1
RTRA(config-if)# tunnel mode ipsec ipv4
RTRA(config-if)# tunnel protection ipsec profile VTI
RTRA(config-if)# exit
RTRA(config)# interface Ethernet0/0
RTRA(config-if)# ip address 192.1.1.1 255.255.255.0
RTRA(config-if)# exit
RTRA(config)# interface Ethernet1/0
RTRA(config-if)# ip address 192.168.1.1 255.255.255.0
RTRA(config-if)# exit
RTRA(config)# ip route 192.168.2.0 255.255.255.0 tunnel0

RouterB Configuration:
RTRB(config)# crypto isakmp policy 10
RTRB(config-isakmp)# encryption aes 128
RTRB(config-isakmp)# hash sha
RTRB(config-isakmp)# authentication pre-share
RTRB(config-isakmp)# group 2
RTRB(config-isakmp)# exit
RTRB(config)# crypto isakmp key cisco123 address 192.1.1.1 255.255.255.255 no-xauth
RTRB(config)# crypto ipsec transform-set RTRtran esp-aes esp-sha-hmac
RTRB(cfg-crypto-trans)# exit
RTRB(config)# crypto ipsec profile VTI
RTRB(ipsec-profile)# set transform-set RTRtran
RTRB(ipsec-profile)# exit
RTRB(config)# interface tunnel 0
RTRB(config-if)# ip address 192.168.3.2 255.255.255.0
RTRB(config-if)# tunnel source 193.1.1.1
RTRB(config-if)# tunnel destination 192.1.1.1
RTRB(config-if)# tunnel mode ipsec ipv4
RTRB(config-if)# tunnel protection ipsec profile VTI
RTRB(config-if)# exit
RTRB(config)# interface Ethernet0/0
RTRB(config-if)# ip address 193.1.1.1 255.255.255.0
RTRB(config-if)# exit
RTRB(config)# interface Ethernet1/0
RTRB(config-if)# ip address 192.168.2.1 255.255.255.0
RTRB(config-if)# exit
RTRB(config)# ip route 192.168.1.0 255.255.255.0 tunnel0

The configuration is pretty straightforward, especially if you've
configured GRE tunnels before. The differences are the "tunnel mode
ipsec ipv4" command, which tells the router this is an IPsec-based
interface rather than GRE, and the "tunnel protection ipsec profile"
command, which binds an IPsec profile (and, through it, the transform set:
the encryption and integrity algorithms) to the interface. Note the
"profile" keyword: several readers below report that their IOS rejects the
line without it. The ISAKMP policy and pre-shared key are the same pieces
you'd configure for a crypto map (on some IOS releases the key line wants
the "0" keyword, "crypto isakmp key 0 cisco123 ...", as a commenter notes
below); they just don't need an interesting-traffic ACL to go with them.

The best part of the whole thing is NO CRYPTO MAPS!!! :) I love it -
traffic is associated with a remote site using "ip route" static routes
rather than mirrored ACLs, and because the tunnel is a real routable
interface you can run a routing protocol such as OSPF or EIGRP across it
instead of static routes. Awesome stuff!

Two things to keep in mind before copying this into production. First,
the VTI only decides what gets encrypted on the way out: anything routed
to tunnel0 is protected, but cleartext packets arriving on the outside
interface (Ethernet0/0 here) are still routed like any other traffic, so
put an inbound ACL on that interface that permits only ISAKMP (UDP 500,
plus UDP 4500 if NAT-T is in play), ESP and AH from the peer. Second, the
book's example uses a trivial pre-shared key ("cisco123"), SHA-1 and DH
group 2 (1024-bit); use a long random key per peer and the strongest
policy both ends support.

Comments

Nice post, Jeremy. This is a neat case for using virtual tunnel interfaces with IPsec. Do you know when the "crypto ipsec profile VTI" command was introduced? I checked http://www.cisco.com/univercd, and couldn't determine the earliest version of IOS that has the VTI argument.
Thanks!
-Jeremy

Thanks for useful post!

Once again Jeremy you deliver top notch material. I have been using your CBT based materials for years now and each time your lab exercises help the "penny drop". Thanks once again.

I wonder if building an interface for VPNs will allow us to start using OSPF, since the tunnel now has "link state"?
Even though IPSec won't allow you to multicast, you should still be able to configure OSPF at the other side, wouldn't you think?
Hmmmmm
Good Post.

Yup - even OSPF works across it. The GRE tunnel allows it (along with all MCast traffic). IPSec is just used for the security features (encrypt/hash/etc) on top of it.

Thanks for the great post. I would like to add that when implementing the command:
crypto isakmp key cisco123 address 192.1.1.1 255.255.255.255 no-xauth
make sure that immediately following the word key you add in a 0, which specifies that following the 0 will be your plain-text key. This hung me up for like a day. It shows up in IOS help, but not in any config documentation... and when you actually implement it, in the config that 0 does not show up either.

Trying to do this setup between an 870 and a 2800.
The tunnel comes up fine if I run in tunnel mode, but when changing to
ENCRYPT-3DES esp-3des esp-md5-hmac
mode transport require
the tunnel never comes up. Any ideas?

Joe; only tunnel mode is supported; transport mode is not working in this kind of config.
By the way, I can pass EIGRP through the tunnel; any ideas?

Jeremy,
I watched this setup in your ISCW nuggets but you only showed it from the SDM tool. So seeing this command line was great since I just had to try it. Well, I ran into 1 error from above, easy catch:
RTRA(config-if)# tunnel protection ipsec VTI
needed the profile before the VTI. So I corrected that, but still had no luck pinging from LAN A to LAN B. When I did a show isakmp I saw the QM-Idle which from what I remember means the tunnel is established. I did not set up any routing protocols yet. Could this have been the reason?
Thanks
Dave

Yeah, nice configuration, but take care of QoS and high-availability limitations and other issues!!!

I set up the VPN tunnel interface between two Cisco 1841 routers. These routers require the command:
tunnel protection ipsec profile VTI
After getting everything set up and working, I tested the configuration by sniffing the interface traffic (fa0/1 in my case). I was surprised to see that there is traffic coming straight into the interface that's not encrypted and getting responses from my internal network. I tried putting in an access list that would only receive traffic from the other side of the VPN (the tunnel IPs) and it blocks everything...
I could write a very specific access-list for each side of the tunnel, but this seems to be more difficult than using the crypto maps. Has anyone else tested this configuration and seen the same results? If so, how have you blocked the unencrypted traffic from coming into your network?
Thanks,
Don

I set up the configuration based on the configuration on this page. When sniffing the Internet interface, I see unencrypted packets on the network and can ping a server located inside my network. To test this, using the IP addresses above, set up a sniffer with the IP of 192.1.1.2 and put it on the E0/0 interface. Apparently, the router puts priority on acting as a router and not as an IPSEC gateway.
I've tried to block anything outside of the remote end of the VPN using access lists, but my access list turns out to be worse than building the crypto maps. I cannot simply permit both IP addresses on both ends of the VPN (192.168.3.1 and 192.168.3.2) or the ethernet interface (192.1.1.1 and 193.1.1.1). It looks like I have to include 192.168.2.0 and 192.168.1.0 in this scenario and possibly 192.168.3.0.
Has anyone else done this type of troubleshooting to see how to resolve this problem with the VPN?
Thanks,
Don

With the above configuration, do you need to specify IP addresses for the tunnel interface?
i.e. We are trying to set up a VPN between an 1841 and a 7206. The company with the 7200 series will not supply a config. I do not want any IP addressing on the GRE tunnel, just a straight tunnel to access the remote network.

We need to configure two sites of our office through a router by using a VPN tunnel. Also we want to access the internet on both sides.

need it

Excellent config. worked like a charm

Hi Jeremy. This is very helpful. In fact I am working on a project which has a quite similar setup. Basically, they have an existing MPLS link and need to set up a virtual tunnel interface. The MPLS should be the primary link and the VTI will serve as a backup. Failover will be based on the BGP routing table. Can this work using BGP? Does it advertise BGP routes across the link? They do have an L3 switch inside the LAN and this should also participate in propagating BGP routes. The L3 switch should decide which link to use, e.g. MPLS went down, L3 will tell the rest to use VTI to reach remote routers.
MPLS Router ----[LAN with L3 Switch]-----Internet Router.
We will terminate VTI using the internet router. L3 must learn the routes from both MPLS and Internet routes so as to understand which link to go to whenever one becomes unavailable, and in turn must fall back when the primary link (MPLS) comes back up. Is this possible/feasible? Any suggestion? Thank you

Hi Jeremy. Config is very clean and quick. However I got a problem.
At the moment I am using your config on 2 cisco 877. The tunnel light is up and I can only ping router B from within router A. But I can't ping router B from a computer on router A network.
Thanks,
Quang

Hi Jeremy. All fixed, my mistake: silly ACL rule.
Thanks,
Quang

Hello there Jeremy,
I'd like to thank you for the enlightenment of your post and I would also like to take the chance and agree with you on the crypto map issue when you're only hooking up non-encrypted sites. The fact that you can use static routes to handle all your traffic with tunnel interfaces is most important. You can of course add crypto maps to the tunnel interface and then pull up a helper address with RIP v2 to make things fully automated.
Believe me, after 9 hours of working on a VPN project I had to get down to, your post was most helpful.
Thanks once again.
Mario

Would it be possible to share an example where you also have Remote VPN Clients connecting in a sort of Dynamic fashion and keep the L2L tunnels up?
Excellent Info by the way!

Below are two routers. fa0/0 represents an MPLS-BGP network and fa0/1 represents an ADSL network. When fa0/0 fails at one site then traffic is routed via ADSL-OSPF.
!
version 12.4
service timestamps debug datetime msec localtime
service timestamps log datetime localtime
service password-encryption
!
hostname RouterA
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
!
!
ip tcp path-mtu-discovery
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set T1 esp-3des esp-sha-hmac
!
crypto ipsec profile P1
set transform-set T1
!
!
!
!
!
interface Loopback0
description router A loopback
ip address 10.0.0.1 255.255.255.255
!
interface Tunnel0
description temporary tunnel to other 3745
ip address 10.0.0.13 255.255.255.252
ip ospf mtu-ignore
load-interval 30
tunnel source 10.0.0.9
tunnel destination 10.0.0.10
tunnel mode ipsec ipv4
tunnel protection ipsec profile P1
!
interface FastEthernet0/0
description Ethernet Interface to LapTop
ip address 10.0.0.5 255.255.255.252
no ip redirects
no ip route-cache cef
no ip route-cache
no ip mroute-cache
shutdown
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface FastEthernet0/1
description Ethernet Interface to other 3745
ip address 10.0.0.9 255.255.255.252
ip access-group 100 in
ip access-group 100 out
no ip redirects
no ip route-cache cef
ip route-cache flow
no ip mroute-cache
duplex auto
speed auto
no cdp enable
no mop enabled
!
router ospf 200
log-adjacency-changes
network 10.0.0.1 0.0.0.0 area 0
network 10.0.0.13 0.0.0.0 area 0
distance 254
!
router bgp 1
no synchronization
bgp log-neighbor-changes
network 10.0.0.1 mask 255.255.255.255
neighbor 10.0.0.6 remote-as 1
no auto-summary
!
!
!
ip http server
no ip http secure-server
!
access-list 100 permit ahp any any
access-list 100 permit esp any any
access-list 100 permit udp any eq isakmp any eq isakmp log
no cdp run
!
!
end

version 12.4
service timestamps debug datetime msec localtime
service timestamps log datetime localtime
service password-encryption
!
hostname RouterB
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
ip tcp path-mtu-discovery
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set T1 esp-3des esp-sha-hmac
!
crypto ipsec profile P1
set transform-set T1
!
!
interface Loopback0
description router A loopback
ip address 10.0.0.2 255.255.255.255
!
interface Tunnel0
description temporary tunnel to other 3745
ip address 10.0.0.14 255.255.255.252
ip route-cache flow
ip ospf mtu-ignore
load-interval 30
tunnel source 10.0.0.10
tunnel destination 10.0.0.9
tunnel mode ipsec ipv4
tunnel protection ipsec profile P1
!
interface FastEthernet0/0
description Ethernet Interface to LapTop
ip address 10.0.0.6 255.255.255.252
no ip redirects
no ip route-cache cef
no ip route-cache
no ip mroute-cache
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface FastEthernet0/1
description Ethernet Interface to other 3745
ip address 10.0.0.10 255.255.255.252
ip access-group 100 in
ip access-group 100 out
no ip redirects
no ip route-cache cef
ip route-cache flow
no ip mroute-cache
duplex auto
speed auto
no cdp enable
no mop enabled
!
router ospf 200
log-adjacency-changes
network 10.0.0.2 0.0.0.0 area 0
network 10.0.0.14 0.0.0.0 area 0
distance 254
!
router bgp 1
no synchronization
bgp log-neighbor-changes
network 10.0.0.2 mask 255.255.255.255
neighbor 10.0.0.5 remote-as 1
no auto-summary
!
!
!
ip http server
no ip http secure-server
!
access-list 100 permit ahp any any
access-list 100 permit esp any any
access-list 100 permit udp any eq isakmp any eq isakmp log
no cdp run
!
end
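
The two-sided check that the post's "routes instead of mirrored ACLs" point and Don's cleartext-on-the-outside-interface question both call for, as an added example that is not from the original post or from any commenter: a Python script that parses running-config text from both routers, confirms the pieces that still have to agree on a VTI (tunnel endpoints, the pre-shared key for the peer address, the ISAKMP policy, the "profile" keyword on "tunnel protection", and the transform set behind the profile), and warns when the interface owning the tunnel source has no inbound ACL restricted to IKE, ESP and AH. The configs embedded in it are constructed from the page's RTRA/RTRB example; the ACL is modelled on the access-list 100 in the config above, with an extra line for NAT-T (UDP 4500), which that ACL does not allow for. The config text format (one-space indentation for sub-mode lines, as in "show running-config") is an assumption of the script.

```python
"""Consistency and hardening checks for the two ends of an IOS IPsec VTI. Added example, not code from
the original post: the configs below are constructed from the page's RTRA/RTRB example, and the ACL is
modelled on the access-list 100 posted above (plus NAT-T). Assumes running-config style indentation."""
import re
TEMPLATE = """\
crypto isakmp policy 10
 encryption aes 128
 hash sha
 authentication pre-share
 group 2
crypto isakmp key cisco123 address {peer} 255.255.255.255 no-xauth
crypto ipsec transform-set RTRtran esp-aes esp-sha-hmac
crypto ipsec profile VTI
 set transform-set RTRtran
interface Tunnel0
 ip address {tun} 255.255.255.0
 tunnel source {me}
 tunnel destination {peer}
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
interface Ethernet0/0
 ip address {me} 255.255.255.0
{bind}ip route {remote} 255.255.255.0 Tunnel0
{acl}"""
ACL = ("access-list 100 permit ahp any any\naccess-list 100 permit esp any any\n"
       "access-list 100 permit udp any eq isakmp any eq isakmp\n"
       "access-list 100 permit udp any eq non500-isakmp any eq non500-isakmp\n")
A = dict(me="192.1.1.1", peer="193.1.1.1", tun="192.168.3.1", remote="192.168.2.0")
B = dict(me="193.1.1.1", peer="192.1.1.1", tun="192.168.3.2", remote="192.168.1.0")
IPSEC_ONLY = re.compile(r"^(ahp|esp) |^udp .*\b(isakmp|non500-isakmp)\b")  # IKE (500/4500), ESP, AH only

def render(site, hardened):  # config text for one site, with ACL 100 inbound on the outside interface if hardened
    return TEMPLATE.format(bind=" ip access-group 100 in\n" if hardened else "", acl=ACL if hardened else "", **site)

def parse_ios(text):
    """Pull the VTI-relevant parts out of running-config text; sub-mode lines are the indented ones."""
    cfg = {"policy": {}, "keys": {}, "tsets": {}, "profiles": {}, "ifaces": {}, "acls": {}}
    sect = None
    for raw in text.splitlines():
        line = raw.strip()
        if raw.startswith(" "):                      # sub-mode line: store "first two words" -> rest
            w = line.split()
            if sect is not None:
                sect[" ".join(w[:2])] = " ".join(w[2:])
            continue
        sect = None
        if (m := re.match(r"crypto isakmp policy (\d+)$", line)):
            sect = cfg["policy"].setdefault(m[1], {})
        elif (m := re.match(r"crypto isakmp key (?:\d )?(\S+) address (\S+)", line)):
            cfg["keys"][m[2]] = m[1]                 # peer address -> secret ("key 0 ..." form also accepted)
        elif (m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line)):
            cfg["tsets"][m[1]] = m[2].split()
        elif (m := re.match(r"crypto ipsec profile (\S+)$", line)):
            sect = cfg["profiles"].setdefault(m[1], {})
        elif (m := re.match(r"interface (\S+)$", line)):
            sect = cfg["ifaces"].setdefault(m[1], {"name": m[1]})
        elif (m := re.match(r"access-list (\d+) (permit|deny) (\S+) ?(.*)$", line)):
            cfg["acls"].setdefault(m[1], []).append((m[2], m[3], m[4]))
    return cfg

def tunnel_profile(iface):  # name from 'tunnel protection ipsec profile <name>'; None when the keyword is missing
    m = re.match(r"ipsec profile (\S+)$", iface.get("tunnel protection", ""))
    return m[1] if m else None

def outside_acl_gaps(cfg, src_ip, tag):  # a VTI encrypts what is routed into it, not what arrives in the clear
    outside = next((d for d in cfg["ifaces"].values() if d.get("ip address", "-").split()[0] == src_ip), None)
    if outside is None:
        return [f"{tag}: no interface owns tunnel source {src_ip}"]
    bind = outside.get("ip access-group", "").split()
    if len(bind) != 2 or bind[1] != "in":
        return [f"{tag}: {outside['name']} has no inbound ACL, so unencrypted traffic is routed like any other"]
    for action, proto, rest in cfg["acls"].get(bind[0], []):
        if action == "permit" and not IPSEC_ONLY.match(f"{proto} {rest}"):
            return [f"{tag}: ACL {bind[0]} on {outside['name']} permits non-IPsec traffic: {proto} {rest}"]
    return []

def check_vti_pair(text_a, text_b, tunnel="Tunnel0"):  # every mismatch between the ends; [] means they should negotiate
    a, b = parse_ios(text_a), parse_ios(text_b)
    ta, tb = a["ifaces"].get(tunnel, {}), b["ifaces"].get(tunnel, {})
    problems = []
    if (ta.get("tunnel source"), ta.get("tunnel destination")) != (tb.get("tunnel destination"), tb.get("tunnel source")):
        problems.append("tunnel source/destination are not mirrored")
    if a["policy"] != b["policy"]:
        problems.append("ISAKMP policies differ")
    ka, kb = a["keys"].get(ta.get("tunnel destination")), b["keys"].get(tb.get("tunnel destination"))
    if ka is None or ka != kb:
        problems.append("pre-shared key missing for the peer address, or the secrets differ")
    for tag, cfg, t in (("A", a, ta), ("B", b, tb)):
        if t.get("tunnel mode") != "ipsec ipv4":
            problems.append(f"{tag}: {tunnel} is not 'tunnel mode ipsec ipv4'")
        if tunnel_profile(t) is None:
            problems.append(f"{tag}: {tunnel} has no 'tunnel protection ipsec profile <name>'")
        problems += outside_acl_gaps(cfg, t.get("tunnel source"), tag)
    ts = [c["tsets"].get(c["profiles"].get(tunnel_profile(t), {}).get("set transform-set")) for c, t in ((a, ta), (b, tb))]
    if None not in ts and ts[0] != ts[1]:
        problems.append("transform sets behind the two profiles differ")
    return problems

if __name__ == "__main__":   # as posted: two "no inbound ACL" findings; with the ACL applied: OK
    print(check_vti_pair(render(A, False), render(B, False)), check_vti_pair(render(A, True), render(B, True)) or "OK")
```

Run against the page's example as posted, it reports that neither Ethernet0/0 has an inbound ACL; with ACL 100 bound inbound on both sides it reports nothing; and putting the post's original "tunnel protection ipsec VTI" (without "profile") back on one side is caught as a missing profile binding, which is the typo several commenters tripped over. The ACL check is deliberately strict: any permit that is not AH, ESP or UDP isakmp/non500-isakmp is flagged, which is also what you want when management traffic is supposed to reach the router only through the tunnel.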

Awesome quick tutorial. I would like to know if it is possible to set up a bridged VPN so that the clients on the other ends are on the same subnet. This would be useful for gaming.

How-do-you-do, just needed you to know I have added your site to my Google bookmarks because of your extraordinary blog layout. But in earnest, I think your site has one of the cleanest themes I've come across. It really helps make reading your blog a lot easier.

I also think this post is very good!! However, when I type the "tunnel mode ipsec ipv4" line within the Tunnel interface, it immediately goes to "Down" state (line protocol Down). Have any of you guys experienced that before?
I think I might be missing something so the interface stays up.
Thank you very much in advance! Best regards

Hi, thanks for that cool stuff.
I think I have found a small mistake, my IOS throws an error when I try to execute this command:
RTRA(config-if)# tunnel protection ipsec VTI
Instead it wants to do it like this:
RTRA(config-if)# tunnel protection ipsec profile VTI
Maybe little differences between the IOS versions?

Dynamic Destination

Hi Jeremy

Sorry to dig up this old blog post but I am having a problem finding any documentation to help solve my problem.

I have a Cisco Router acting as a "HUB" and I have a few remote offices acting as "SPOKES". Sadly these spokes are non-cisco routers and do not support DMVPN.

As these SPOKES have dynamic public IP address I need a way on the HUB router to allow a destination of "ANY" on the VTI for a GRE tunnel.

Could you tell me if this is even possible?

Kind regards,


