Router: IOS SSLVPN with Virtual-Template and VRF Example


Reference document for adding a Virtual-Template Interface (VTI) and an IVRF to SSLVPN on an IOS router. This example is based on 15.1(3)T code and assumes that a working SSLVPN configuration is already in place before the Virtual-Template and IVRF are added.

Define the IVRF

     ip vrf forwarding
     vrf definition vrf1
      rd 1:2
      route-target export 1:2
      route-target import 1:2

Apply the VRF to the "inside" interface.

Note: Applying the VRF command removes the IP address from the interface, so make sure you reapply the IP address after you add it.

     interface GigabitEthernet0/1
      description inside interface
      vrf forwarding vrf1
      ip address

Create the Virtual-Template and apply the VRF to this interface.

     interface Virtual-Template1
      description Virtual-Template Interface attached to IVRF vrf1
      vrf forwarding vrf1
      ip unnumbered GigabitEthernet0/1

Add the Virtual Template to the webvpn context.

Note: Take the context out of service before applying the Virtual-Template. In 15.x code it is not necessary to add the VRF to the webvpn context.

     webvpn context context_1
      no inservice
      virtual-template 1


Add a route in the VRF for the internal next hop.

Note: It is not necessary to add a route for the AnyConnect IP pool. That route is added when AnyConnect connects.

     ip route vrf vrf1

This is the AnyConnect IP pool, for reference:

     ip local pool anyconnect_pool

Connect AnyConnect and verify reachability. While the client is connected, the VRF should contain a route for the AnyConnect address that points to the Virtual-Access interface spawned from the Virtual-Template. The VRF and Virtual-Template should show as attached to the context.

"show ip route vrf vrf1" output:
S [0/0] via, Virtual-Access2

"sh webvpn context context_1" output:
Admin Status: up
Operation Status: up
Error and Event Logging: Disabled
CSD Status: Disabled
Certificate authentication type: All attributes (like CRL) are verified
AAA Authentication List not configured
AAA Authorization List not configured
AAA Accounting List not configured
AAA Authentication Domain not configured
Authentication mode: AAA authentication
Default Group Policy not configured
Associated WebVPN Gateway: gateway_1
Domain Name and Virtual Host not configured
Maximum Users Allowed: 1500 (default)
NAT Address not configured
VRF Name: vrf1
Virtual Template: 1
Virtual Access  : 2
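
The verification step above can be scripted against captured output of the two show commands. This is an added example, not part of the original document: the function names are hypothetical, and the sample output is constructed from the output shown above, with placeholder addresses and an assumed layout for the static route line.

```python
import re

# Constructed sample output modelled on the page; the addresses are placeholders.
SAMPLE_CONTEXT = """\
Admin Status: up
Operation Status: up
Associated WebVPN Gateway: gateway_1
VRF Name: vrf1
Virtual Template: 1
Virtual Access  : 2
"""
SAMPLE_ROUTES = """\
S        192.0.2.10/32 [0/0] via 0.0.0.0, Virtual-Access2
"""

def parse_context(text):
    """Turn 'Key: value' lines of 'show webvpn context' into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:  # lines such as '... not configured' carry no colon and are skipped
            fields[key.strip()] = value.strip()
    return fields

def virtual_access_routes(text):
    """Return the Virtual-Access interface numbers that static routes point to."""
    return [m.group(1) for m in re.finditer(r"^S\*?\s.*\bVirtual-Access(\d+)\s*$", text, re.M)]

def check_attachment(context_text, route_text, vrf, template):
    """Return a list of problems; an empty list means the expected state was found."""
    ctx = parse_context(context_text)
    problems = []
    for key, want in (("Admin Status", "up"), ("Operation Status", "up"),
                      ("VRF Name", vrf), ("Virtual Template", template)):
        got = ctx.get(key)
        if got != want:
            problems.append(f"{key}: expected {want!r}, got {got!r}")
    va = ctx.get("Virtual Access")
    if not va:
        problems.append("no Virtual Access interface spawned for the context")
    elif va not in virtual_access_routes(route_text):
        # The context's Virtual-Access number must match a route in the VRF.
        problems.append(f"no static route in the VRF via Virtual-Access{va}")
    return problems

if __name__ == "__main__":
    print(check_attachment(SAMPLE_CONTEXT, SAMPLE_ROUTES, "vrf1", "1") or "OK")
```

Run it while an AnyConnect client is connected, since the Virtual-Access interface and its route exist only for the life of the session.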