IPSec VTI

Virtual Tunnel Interfaces (VTIs) are kinda like GRE over IPSec, but *way* cooler. With a crypto map, IPSec is hung off the physical exit interface and a crypto ACL decides what gets encrypted; with a VTI the tunnel interface itself is the IPSec endpoint, so everything routed into the tunnel is encrypted and there is no ACL to maintain. It's much cleaner, and the recommended way to do it.

First create an IKE (ISAKMP) policy and, if you're using pre-shared keys, assign one for the peer. The key is looked up by peer address, so the address here must be the remote router's tunnel source, and the remote router needs the mirror-image key entry pointing back at this one. The lab values below (a PSK of cisco, DH group 5) are for illustration only: for anything real use a long random key and DH group 14 or higher, since Cisco's own guidance now lists group 5 among the groups to avoid.

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key cisco address 192.168.23.3

Then set up your IPSec transform set. Note that this one stacks AH on top of ESP: esp-sha-hmac already authenticates the ESP payload, so the AH transform adds a second integrity check for no gain and will break the tunnel if there is NAT anywhere on the path (AH covers the outer IP header). ESP with authentication on its own, esp-aes 256 esp-sha-hmac, is the usual choice. The default mode is tunnel, which is what a VTI needs.

crypto ipsec transform-set mytrans ah-sha-hmac esp-aes 256 esp-sha-hmac

Next create an IPSec profile. It plays the same role as a crypto map (it carries the transform set and other SA parameters), but it is attached to the tunnel interface rather than the physical one, so it covers all traffic routed into the tunnel; a crypto map instead needs a match statement for an ACL. The flip side is that routing now decides what is protected: traffic for the far side that follows the default route out Serial1/0 instead of a route via Tunnel0 goes out in the clear, so check the routing table as well as the crypto config.

crypto ipsec profile myprof
 set transform-set mytrans

Now create the tunnel interface. Standard stuff, except that you set the mode to ipsec ipv4 and tie the IPSec profile to the interface with tunnel protection. The tunnel source address is what the peer sees as its IKE peer, so it must match the address in the peer's isakmp key entry and its tunnel destination. Unlike a GRE tunnel, a VTI's line protocol only comes up once the IPSec SA is established, which makes show interface Tunnel0 a quick health check.

interface Tunnel0
 ip address 172.16.113.1 255.255.255.0
 tunnel source Serial1/0
 tunnel destination 192.168.23.3
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile myprof

The full configuration...

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key cisco address 192.168.23.3
!
crypto ipsec transform-set mytrans ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto ipsec profile myprof
 set transform-set mytrans
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.0
!
interface Tunnel0
 ip address 172.16.113.1 255.255.255.0
 tunnel source Serial1/0
 tunnel destination 192.168.23.3
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile myprof
!
interface FastEthernet0/0
 ip address 172.16.13.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial1/0
 ip address 192.168.12.1 255.255.255.0
 serial restart-delay 0
 clock rate 64000
!
router eigrp 1
 network 172.16.0.0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 192.168.12.2
!
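The four pieces above only work when they chain together: the profile must name a transform set that exists, the tunnel must name a profile that exists, and with pre-shared keys there must be a key for the tunnel destination. The script below is an added example, not Cisco code and not part of the original page: it parses a running-config fragment, checks that chain, and flags the weak settings discussed above (DH group 5, a short PSK, AH stacked on ESP, transport mode). The router config from this page is embedded as constructed sample input; the thresholds (DH group 14 or higher, PSK of at least 16 characters) are this example's assumptions, not IOS requirements.

```python
"""Sanity-check a static VTI config: ISAKMP policy -> transform set -> profile -> tunnel.

Added example for this wiki page, not Cisco code.  Thresholds below are
this example's own assumptions, not IOS requirements.
"""
import re

# Constructed sample input: the page's own router config.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key cisco address 192.168.23.3
!
crypto ipsec transform-set mytrans ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto ipsec profile myprof
 set transform-set mytrans
!
interface Tunnel0
 ip address 172.16.113.1 255.255.255.0
 tunnel source Serial1/0
 tunnel destination 192.168.23.3
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile myprof
!
"""

WEAK_DH_GROUPS = {"1", "2", "5"}          # 768/1024/1536-bit MODP; prefer 14+ or ECP groups
WEAK_CIPHERS = {"des", "3des", "esp-des", "esp-3des"}
MIN_PSK_LEN = 16                          # assumption for this example


def parse_sections(config):
    """Split IOS config into (header, [indented child lines]) blocks; '!' ends a block."""
    sections, current = [], None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
        elif raw.startswith(" "):
            if current is not None:
                current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            sections.append(current)
    return sections


def first(lines, prefix, default=None):
    """First child line starting with prefix, or default."""
    return next((l for l in lines if l.startswith(prefix)), default)


def audit_vti(config):
    """Return [(severity, message)] findings; severity is ERROR, WARN or INFO."""
    findings, transform_sets, profiles, psk_peers, tunnels = [], {}, {}, {}, []
    uses_psk = False
    for header, children in parse_sections(config):
        w = header.split()
        if header.startswith("crypto isakmp policy"):
            for line in children:
                parts = line.split()
                if len(parts) < 2:
                    continue
                k, v = parts[0], parts[1]
                if (k == "encr" and v in WEAK_CIPHERS) or (k == "hash" and v == "md5"):
                    findings.append(("WARN", f"{header}: weak {k} {v}"))
                elif k == "group" and v in WEAK_DH_GROUPS:
                    findings.append(("WARN", f"{header}: DH group {v} is weak, use 14 or higher"))
                elif k == "authentication" and v == "pre-share":
                    uses_psk = True
        elif header.startswith("crypto isakmp key"):
            m = re.match(r"crypto isakmp key (\S+) address (\S+)", header)
            if m:
                psk_peers[m.group(2)] = m.group(1)
                if len(m.group(1)) < MIN_PSK_LEN:
                    findings.append(("WARN", f"pre-shared key for {m.group(2)} is only {len(m.group(1))} chars"))
        elif header.startswith("crypto ipsec transform-set"):
            transform_sets[w[3]] = (w[4:], children)
        elif header.startswith("crypto ipsec profile"):
            profiles[w[3]] = children
        elif header.startswith("interface Tunnel"):
            tunnels.append((w[1], children))

    for name, (transforms, children) in transform_sets.items():
        if any(t.startswith("ah-") for t in transforms) and any(t.startswith("esp-") for t in transforms):
            findings.append(("WARN", f"transform-set {name}: AH on top of authenticated ESP adds nothing and breaks NAT traversal"))
        if WEAK_CIPHERS & set(transforms):
            findings.append(("WARN", f"transform-set {name}: weak cipher"))
        if "mode transport" in children:                      # VTI needs tunnel mode
            findings.append(("ERROR", f"transform-set {name}: VTI needs tunnel mode"))

    for name, children in profiles.items():
        for line in children:
            if line.startswith("set transform-set") and line.split()[2] not in transform_sets:
                findings.append(("ERROR", f"profile {name}: unknown transform-set {line.split()[2]}"))

    for name, children in tunnels:
        mode = first(children, "tunnel mode", "tunnel mode gre ip")   # IOS default is GRE
        prot = first(children, "tunnel protection ipsec profile")
        dest = first(children, "tunnel destination")
        if mode == "tunnel mode ipsec ipv4" and prot is None:
            findings.append(("ERROR", f"{name}: ipsec ipv4 mode without tunnel protection"))
        if prot:
            if prot.split()[4] not in profiles:
                findings.append(("ERROR", f"{name}: unknown profile {prot.split()[4]}"))
            if mode.startswith("tunnel mode gre"):
                findings.append(("INFO", f"{name}: protected GRE tunnel, that is GRE over IPsec, not a VTI"))
            if uses_psk and dest and dest.split()[2] not in psk_peers and "0.0.0.0" not in psk_peers:
                findings.append(("ERROR", f"{name}: no crypto isakmp key for peer {dest.split()[2]}"))
    return findings


if __name__ == "__main__":
    for sev, msg in audit_vti(SAMPLE_CONFIG):
        print(f"{sev:5} {msg}")
```

Run against the page's config it reports three warnings (DH group 5, the five-character PSK, AH stacked on ESP) and no errors; point it at a config where the tunnel names a profile that does not exist, or the isakmp key address does not match the tunnel destination, and it reports an error for the broken link in the chain.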

And because VTIs support multicast traffic, you even get to run dynamic routing over them without the additional GRE header. In the config above the EIGRP network 172.16.0.0 statement covers Tunnel0, so the two routers can form an EIGRP adjacency across the tunnel and exchange their 172.16.0.0 networks. Since the tunnel's line protocol tracks the IPSec SA, the adjacency only forms once the SA is up, and routes through the tunnel drop out cleanly if IPSec fails. Brilliant!

Web Resources

VTI feature guide at cisco.com

Configuring a Virtual Tunnel Interface with IP Security (@cisco.com)