Status Static Routes into IPSec VTI

I need to create a static IPsec VTI (on ISR4k/IOS-XE) which will connect to a Fortigate at the far end. DPD is switched off at the far side and I don't have any control over it.

The tunnel will have a static route /24 pointing towards it and this will be redistributed into BGP LAN so my internal network can reach it.

What I'm concerned about is that if the tunnel line protocol is down, then surely my static route will also be down. If the static route is down, no route will be injected into BGP and hence no interesting traffic will arrive (from my LAN). The only thing which would bring my route up is if some encrypted traffic arrived from the Fortigate.

Isn't this a "chicken and egg" situation? What is the expected "line protocol" behaviour of an IPsec VTI interface?

My config will be as follows:

interface Tunnel1
 description IPSec VTI to Fortigate
 ip address
 no ip redirects
 no ip proxy-arp
 ip mtu 1400
 ip tcp adjust-mss 1360
 load-interval 30
 tunnel source
 tunnel mode ipsec ipv4
 tunnel destination
 tunnel protection ipsec policy ipv4 CACL-THIRDPARTY-SITEA
 tunnel protection ipsec profile PF-IPSEC-THIRDPARTY
ip route Tunnel1 tag 65000 name thirdparty-sitea-overlay

By having "Tunnel1" in the static route, the route will only be in the RIB if the tunnel is up. I didn't have this concern with crypto-maps, but it seems like VTI is the way to go now.

This looks like "RRI" behaviour, but I would like to have the RRI nailed up the whole time.

Thanks in advance for any pointers.

1 Accepted Solution
4 Replies

VTI is a route-based VPN, not a policy-based VPN.

So whether there is traffic to encrypt or not, the tunnel is always up as long as the tunnel destination is reachable.

"always the tunnel is up as long as the tunnel destination is reachable"

Thanks but what do you mean by the "tunnel destination is reachable"? Do you mean as long as it's pingable via ICMP, or did you mean reachable in the RIB?

Reachable in RIB.

Thanks very much, that looks right based on what I'm seeing. The only thing I would add is that the tunnel source also needs to be up - for example, if you use an HSRP virtual IP as the source, it must be active locally, not standby. This is quite good, and it means the tunnel is (almost) always line protocol up.
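
As an added example that is not part of this thread: a hypothetical IOS-XE configuration showing the two dependencies the replies describe, the underlay route to the tunnel destination (so the peer is "reachable in the RIB") and the state of the tunnel source, together with the overlay static route that follows the tunnel's line protocol. All addresses (RFC 5737/RFC 1918 documentation ranges), interface names and route names are assumed; only the profile name and the Tunnel1 settings are taken from the original post.

```cisco
! Added example, not from the thread. Addresses, interface names and
! route names are assumed; PF-IPSEC-THIRDPARTY is the profile from the post.
!
interface GigabitEthernet0/0/0
 description WAN uplink - tunnel source must be up here (an HSRP VIP must be active locally)
 ip address 198.51.100.10 255.255.255.252
!
! Underlay: Tunnel1 stays line protocol down unless 203.0.113.2 (assumed peer)
! is in the RIB. A host route via the WAN next hop keeps that independent of
! anything learned over the overlay.
ip route 203.0.113.2 255.255.255.255 198.51.100.9 name thirdparty-sitea-underlay
!
interface Tunnel1
 description IPsec VTI to Fortigate
 ip address 10.255.0.1 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile PF-IPSEC-THIRDPARTY
!
! Overlay: installed only while Tunnel1 is up/up, so the redistribution into
! BGP follows the tunnel state, not the presence of interesting traffic.
ip route 10.200.0.0 255.255.255.0 Tunnel1 tag 65000 name thirdparty-sitea-overlay
!
! Verification (exec mode):
!   show ip route 203.0.113.2                      - underlay route to the peer must exist
!   show interfaces Tunnel1 | include line protocol
!   show ip route static | include Tunnel1         - overlay /24 present only when Tunnel1 is up
!   show crypto session detail                     - confirms the IKE/IPsec SAs actually came up
```

Two checks worth keeping in mind: if the peer's host route is ever withdrawn (for example, the WAN link flaps), the tunnel, the overlay route and the BGP advertisement all drop together, which is the intended behaviour, and because the far side has DPD disabled, `show crypto session` on this router is the only place that shows whether the SAs are really established rather than just whether the interface is up.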