Cisco Security: Static Virtual Tunnel Interfaces


January 26, 2011
By Steve Means, CCSP, CCNP, CCSI# 32951




Most engineers who have gone through CCSP certification, or who have used the internet as a WAN via VPN tunnels, are familiar with IPsec over GRE. The GRE tunnel is encrypted by IPsec so that each protocol covers the limitations of the other. Although this allows dynamic routing protocols to be run across the IPsec tunnel, the tradeoff is additional packet overhead, up to 24 bytes of it.


A less commonly known but much simpler way to allow dynamic routing over IPsec is the static VTI, or virtual tunnel interface. Static VTIs also allow per-tunnel QoS, eliminate crypto ACLs, and do away with the GRE header overhead.


The configuration is almost too easy. The ISAKMP policies on the two endpoint devices must match. A transform set is created and referenced in an IPsec profile. A tunnel interface is created with mode ipsec ipv4, given an IP address, and given a tunnel source and destination. Finally, the IPsec profile is applied to the tunnel with tunnel protection.

Assuming the tunnel source and destination are valid, the endpoints will attempt to establish an IPsec tunnel. If the ISAKMP policies and transform sets match, the tunnel will come up. At this point all that remains is to configure a dynamic routing protocol that advertises both the tunnel subnet and any networks that you want protected by the tunnel.

In our example R1 and R2 each have a matching ISAKMP policy, including the pre-shared key; that part is omitted here to save space. R1 is shown below; R2’s config is identical except for the tunnel address, the tunnel destination, and the networks advertised in EIGRP.

! transform set, referenced by the IPsec profile
crypto ipsec transform-set VTI esp-aes esp-sha-hmac
!
crypto ipsec profile VTI
 set transform-set VTI
!
! tunnel address and destination were elided in the original
interface Tunnel0
 ip address
 tunnel source FastEthernet0/0
 tunnel destination
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
! the network statements for the tunnel subnet and protected networks are not shown
router eigrp 150
 no auto-summary
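Because a VTI is only protected if every link in the chain (tunnel protection, profile, transform set) actually resolves, it is worth checking that chain mechanically. The following script is an added example, not part of the article: it parses an IOS-style config into blocks, follows Tunnel0 to its profile and transform set, and flags a missing link or a deprecated transform. The sample config and its addresses are constructed.

```python
# Added example (not from the article): follow a static VTI's reference chain
# and report gaps. The sample config is constructed; addresses are placeholders.
WEAK_TRANSFORMS = {"esp-null", "esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}
SAMPLE_CONFIG = """\
crypto ipsec transform-set VTI esp-aes esp-sha-hmac
crypto ipsec profile VTI
 set transform-set VTI
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 192.0.2.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
"""

def parse_blocks(config):  # top-level IOS line -> list of its indented sub-lines
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] in " \t":
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks[current] = []
    return blocks

def check_vti(config, tunnel="Tunnel0"):
    """Return findings for one tunnel; [] means the chain is complete and not weak."""
    blocks, findings = parse_blocks(config), []
    iface = blocks.get(f"interface {tunnel}", [])
    for req in ("tunnel mode ipsec ipv4", "ip address ", "tunnel source ", "tunnel destination "):
        if not any(l.startswith(req) for l in iface):
            findings.append(f"{tunnel}: missing '{req.strip()}'")
    prot = [l for l in iface if l.startswith("tunnel protection ipsec profile ")]
    if not prot:  # without this line the tunnel is never handed to IPsec
        return findings + [f"{tunnel}: no 'tunnel protection' -> not protected by IPsec"]
    profile = prot[0].split()[4]
    prof = blocks.get(f"crypto ipsec profile {profile}")
    if prof is None:
        return findings + [f"profile {profile}: referenced but not defined"]
    ts = next((l.split()[2] for l in prof if l.startswith("set transform-set ")), None)
    if ts is None:
        return findings + [f"profile {profile}: no transform-set"]
    key = next((k for k in blocks if k.startswith(f"crypto ipsec transform-set {ts} ")), None)
    if key is None:
        return findings + [f"transform-set {ts}: referenced but not defined"]
    if weak := WEAK_TRANSFORMS & set(key.split()[4:]):
        findings.append(f"transform-set {ts}: weak transforms {sorted(weak)}")
    return findings
```

Run check_vti() against the output of show running-config from each endpoint; any non-empty result is a tunnel that will either not come up or not be protected the way the article assumes.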

You’ll know the configuration is working when the tunnels come up, the EIGRP neighbor relationship forms, and finally when the networks advertised in EIGRP show up in the neighbor’s routing table with the tunnel as the next hop.

R2#sho ip route
D [90/297372416] via, 00:03:51, Tunnel0



©2010 Network Learning, Inc. All Rights Reserved.