02-23-2023 04:10 PM - last edited on 02-28-2023 01:13 AM by Translator
I need to create a static ipsec VTI (on ISR4k/IOS-XE) which will connect to a Fortigate at the far end. DPD is switched off at the far side and I don't have any control over it.
The tunnel will have a static route /24 pointing towards it and this will be redistributed into BGP LAN so my internal network can reach it.
What I'm concerned about is that if the tunnel line protocol is down, then surely my static route will also be down. If the static route is down, no route will be injected into BGP and hence no interesting traffic will arrive (from my LAN). The only thing which would bring my route up is if some encrypted traffic arrived from the Fortigate.
Isn't this a "chicken and egg" situation? What is the expected "line protocol" behaviour of an ipsec vti interface?
My config will be as follows:
interface Tunnel1
description IPSec VTI to Fortigate
ip address 172.16.0.1 255.255.255.252
no ip redirects
no ip proxy-arp
ip mtu 1400
ip tcp adjust-mss 1360
load-interval 30
tunnel source 192.168.0.1
tunnel mode ipsec ipv4
tunnel destination 192.168.254.1
tunnel protection ipsec policy ipv4 CACL-THIRDPARTY-SITEA
tunnel protection ipsec profile PF-IPSEC-THIRDPARTY
exit
ip route 10.0.0.0 255.255.255.0 Tunnel1 tag 65000 name thirdparty-sitea-overlay
By having "Tunnel1" in the static route, the route will only be in the RIB if the tunnel is up. I didn't have this concern with crypto-maps, but it seems like VTI is the way to go now.
This looks like "RRI" behaviour, but I would like to have the RRI nailed up the whole time.
Thanks in advance for any pointers.
02-23-2023 04:25 PM - last edited on 02-28-2023 01:15 AM by Translator
VTI is a route-based VPN, not a policy-based VPN.
So whether there is traffic to encrypt or not, the tunnel is always up as long as the tunnel destination is reachable.
02-23-2023 04:31 PM
> always the tunnel is up as long as the tunnel destination is reachable
Thanks but what do you mean by the "tunnel destination is reachable"? Do you mean as long as it's pingable via ICMP, or did you mean reachable in the RIB?
02-23-2023 04:39 PM
Reachable in RIB.
02-24-2023 07:51 AM
Thanks very much, that looks right based on what I'm seeing. The only thing I would add is that the tunnel source also needs to be up - for example, if you use an HSRP virtual IP as the source, it must be active locally, not standby. This is quite good and it means the tunnel is (almost) always line protocol up.
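As an added example that is not part of the thread, the following Python model captures the dependency chain the replies describe: the source must be usable, the destination must be reachable in the RIB, and the static route via Tunnel1 is present only while the tunnel is up. It goes one step beyond the thread by also covering the recursive-routing case, where the best route to the tunnel destination points back out the tunnel itself (IOS brings the tunnel down for that); interface names and underlay prefixes are constructed sample data.

```python
# Added example (not from the thread): a small model of the sVTI dependency
# chain discussed above. Tunnel1 is up when its source is usable and its
# destination has a RIB route that does not itself point out Tunnel1
# (IOS reports the latter as recursive routing and brings the tunnel down);
# the static route via Tunnel1 exists only while the tunnel is up.
# All prefixes and interface names below are constructed sample data.
from ipaddress import ip_address, ip_network

TUNNEL = "Tunnel1"
TUNNEL_DST = "192.168.254.1"          # tunnel destination from the config above
OVERLAY = ip_network("10.0.0.0/24")   # ip route 10.0.0.0/24 Tunnel1 tag 65000


def rib_lookup(rib, dst):
    """Longest-prefix match: returns (prefix, egress interface) or None."""
    dst = ip_address(dst)
    matches = [(p, i) for p, i in rib.items() if dst in p]
    return max(matches, key=lambda m: m[0].prefixlen) if matches else None


def tunnel_line_protocol(rib, source_usable):
    """Route-based VTI: no interesting-traffic trigger, only a usable source
    (e.g. an HSRP VIP that is active on this box, not standby) and a RIB
    route to the destination that does not go through the tunnel itself."""
    if not source_usable:
        return False
    best = rib_lookup(rib, TUNNEL_DST)
    return best is not None and best[1] != TUNNEL


def effective_rib(underlay_rib, source_usable):
    """RIB after the static route via Tunnel1 is evaluated: the /24 is
    installed only while Tunnel1 is line-protocol up."""
    rib = dict(underlay_rib)
    if tunnel_line_protocol(rib, source_usable):
        rib[OVERLAY] = TUNNEL
    return rib


# Constructed underlay: a specific route to the peer plus a default route.
UNDERLAY = {
    ip_network("192.168.254.0/24"): "GigabitEthernet0/0/0",
    ip_network("0.0.0.0/0"): "GigabitEthernet0/0/1",
}

if __name__ == "__main__":
    print(OVERLAY in effective_rib(UNDERLAY, True))    # True: peer reachable, source active
    print(OVERLAY in effective_rib({}, True))          # False: no underlay path to the peer
    print(OVERLAY in effective_rib(UNDERLAY, False))   # False: HSRP VIP is standby here
    looped = {ip_network("192.168.254.0/24"): TUNNEL}
    print(OVERLAY in effective_rib(looped, True))      # False: recursive routing
```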