Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3185
Views
0
Helpful
2
Replies

Setting up VPN with Virtual-Template vs Map

Bernard.Luksich
Level 1
Level 1

‎10-09-2012 10:58 AM - edited ‎03-04-2019 05:48 PM

We have just completed configuring a VPN connection on our Cisco 1941 router for offsite clients running Cisco's VPN Client.  We followed a configuration pattern from a Cisco article and the VPN Clients seem to be working well.  However, the configuration setup was quite a bit different than our older router.

In particular, we are now using a "Virtual-Template" interface as the way to connect the VPN configuration to the "GigabitEthernet" interface that is connected to the public Internet.

Previously, the old router had a "crypto map" configured on the public Internet connection.  It then used a "crypto map" to configure the parameters.  There was no " Virtual-Template" used at all.

Since these two methods seem so different, we wanted some advice on which one is "correct".  Or is there some reason for one method over the other?  Why chose one way over the other?  Are we making a mistake?

Any comments or advice on this would be greatly appreciated.

Labels:
0 Helpful
2 Replies 2

Craig Sposito
Level 1
Level 1

‎12-05-2012 12:32 PM

I have been searching for the answer to your same question when I came accross this post. From what I have gathered so far the Virtual-Template seems to be a newer way of configuring the VPN and is prefered by a lot of people. It seems to be more flexible giving you more features. I hope someone with more experience with both VPN configurations will reply to you as I am interested to hear what they have to say. I have been setting most of mine up using the crypto map because I have had issues with the Virtual-Template configurations where sometimes it drops the connection and also have seen it where it only allows 1 person to connect. Those configurations were always done by some automatic configuration or someone else set it up so maybe it was always done wrong but with all the configurations I have seen the Virtual-Template is suppose to be easier to setup.

Here is a link from Cisco about the Virtual-Templates:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_vpnips/configuration/15-2mt/sec-ipsec-virt-tunnl.html#GUID-D1E7EC5D-72C7-4CFC-99EE-877EDFB11F04

Have others experienced issues with the VTI dropping connections and what is a good troubleshooting step to take if that does happen? Currently if I take control of the device to fix these problems I have been moving them over to crypto map, but if what I read is true and VTI is better then I would like to persue in the future to set my VPN up using VTI.

Thanks,

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to Craig Sposito

‎12-05-2012 02:09 PM

The original post asks the question of which method is "correct" and the answer really is that both are correct.

Both methods work just fine and produce similar results. Craig is correct that the crypto map is the older more traditional approach and the VTI or tunnel protect or Virtual Template is the more recent approach. The configuration is a bit more complex (and longer) with the crypto map. Many of us like the VTI because it does simplify the configuration.

HTH

Rick

HTH

Rick
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card