Gopinath_Pigili
Spotlight

Static Virtual Tunnel Interface (S-VTI) Implementation

Introduction

Static VTI

Configuration

Introduction

The original implementation of IPsec VPNs on Cisco IOS used crypto maps. Configuring a crypto map was closely aligned with the IPsec protocol itself: the traffic that had to be encrypted was defined in an access control list, and the crypto map was then applied to the router interface. This configuration could become overly complex, and administrators introduced many errors when long access control lists were used.

Static VTI

Cisco therefore introduced the concept of logical tunnel interfaces. These logical interfaces do essentially the same job as traditional crypto maps, but they are user configurable. The attributes used by a logical tunnel interface are referenced from the user-configured IPsec profile that protects the tunnel, and all traffic traversing the logical interface is protected by IPsec. This technique allows ordinary routing to decide which traffic is encrypted, with the logical tunnel as the next hop, and results in simpler configurations with greater flexibility for deployments.

On Cisco routers, every access control entry (ACE) in an access control list (ACL) consumes a ternary content addressable memory (TCAM) entry, and TCAM has a limited number of entries. Consequently, crypto map implementations that contain a large number of access control entries can exhaust the device TCAM. Tunnel protection uses only a single TCAM entry and allows a larger number of IPsec security associations to be established than is possible with crypto maps.

IPsec tunnels can be set up statically or dynamically using virtual interfaces of type VTI (Virtual-Tunnel Interface) or GRE over IPsec. When you configure native IPsec tunnel encapsulation (IPsec without GRE), a statically configured tunnel interface is often referred to as an sVTI (static VTI).

You can also use dynamic tunnel interfaces. When you configure dynamic interfaces (IPsec tunnel or GRE over IPsec), the tunnel interface operates in responder-only mode and is defined as a virtual template, known as a dVTI (dynamic VTI).

A single site-to-site tunnel is typically sVTI-to-sVTI, while a hub-and-spoke setup is typically sVTI-to-dVTI, with the dVTI on the hub. The tunnel mode command was introduced to simplify IPsec and GRE configurations. In short, VTI (tunnel mode ipsec {ipv4 | ipv6}) carries IPv4 or IPv6 traffic directly within IPsec tunnel mode.

Configuration Example

[Image: Gopinath_Pigili_0-1720879771100.png]

R1(config)# ip route 192.168.23.0  255.255.255.0 fa0/0

R3(config)# ip route 192.168.12.0 255.255.255.0 fa0/0

R1# ping 192.168.23.3

! ! ! ! !

Steps to configure an S-VTI tunnel:

  • Create the IKE (ISAKMP) policy
  • Configure the pre-shared key (PSK)
  • Configure the IPsec transform set
  • Configure the IPsec profile
  • Configure the tunnel interface

R1(config)#crypto isakmp policy 1
R1(config-isakmp)#hash sha512
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 14
R1(config-isakmp)#lifetime 3600
R1(config-isakmp)#encryption aes 256
R1(config-isakmp)#exit

R1(config)#crypto isakmp key 6 xxxxxxxx address 192.168.23.3

R1(config)#crypto ipsec transform-set REMOTE esp-aes 256 esp-sha512-hmac
R1(cfg-crypto-trans)#mode tunnel
R1(cfg-crypto-trans)#exit

R1(config)#crypto ipsec profile profile-1
R1(ipsec-profile)#set transform-set REMOTE
R1(ipsec-profile)#exit

R1(config)#interface Tunnel 0
R1(config-if)#ip address 50.50.50.1 255.255.255.0
R1(config-if)#tunnel source fa0/0
R1(config-if)#tunnel destination 192.168.23.3
R1(config-if)#tunnel mode ipsec ipv4
R1(config-if)#tunnel protection ipsec profile profile-1
R1(config-if)#exit

You will now see log messages saying that Interface Tunnel 0 changed state to up, followed by "%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON".

Configure the R3 router in the same way:

R3(config)#crypto isakmp policy 1
R3(config-isakmp)#hash sha512
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#group 14
R3(config-isakmp)#lifetime 3600
R3(config-isakmp)#encryption aes 256
R3(config-isakmp)#exit

R3(config)#crypto isakmp key 6 xxxxxxxx address 192.168.12.1

R3(config)#crypto ipsec transform-set REMOTE esp-aes 256 esp-sha512-hmac
R3(cfg-crypto-trans)#mode tunnel
R3(cfg-crypto-trans)#exit

R3(config)#crypto ipsec profile profile-1
R3(ipsec-profile)#set transform-set REMOTE
R3(ipsec-profile)#exit

R3(config)#interface Tunnel 0
R3(config-if)#ip address 50.50.50.2 255.255.255.0
R3(config-if)#tunnel source fa0/0
R3(config-if)#tunnel destination 192.168.12.1
R3(config-if)#tunnel mode ipsec ipv4
R3(config-if)#tunnel protection ipsec profile profile-1
R3(config-if)#exit

Again you will see log messages saying that Interface Tunnel 0 changed state to up, followed by "%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON".

R1# ping 50.50.50.2

! ! ! ! !

Our tunnel is successfully established. Now, to allow communication between the loopbacks, configure a routing protocol over the tunnel. In my case I am going to configure EIGRP AS 100.

R1(config)# router eigrp 100

R1(config-router)# network 1.1.1.1  0.0.0.0

R1(config-router)# network 50.50.50.0 0.0.0.255

R1(config-router)# no auto-summary

R1(config-router)#exit

R3(config)# router eigrp 100

R3(config-router)# network 3.3.3.3  0.0.0.0

R3(config-router)# network 50.50.50.0 0.0.0.255

R3(config-router)# no auto-summary

R3(config-router)#exit

[Image: Gopinath_Pigili_1-1720879915542.png]

Other verification commands:

R1/R3# show ip interface brief

R1/R3# show interface tunnel 0

R1/R3# show crypto session
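As an added offline cross-check of the two configurations above (my example, not part of the original post): the script below parses the R1 CLI from the post, derives R3 as its mirror image, and flags weak IKE parameters, a pre-shared key bound to an address other than the tunnel destination, a tunnel with no IPsec profile bound, and any IKE policy or transform-set mismatch between the peers that would stop the security association from negotiating. The prompt-stripping regex and the weak-parameter lists are assumptions of mine.

```python
import re
# Constructed sample: R1's CLI from the post (prompts kept); R3 is its mirror image
# with the peer address swapped, exactly as the post configures it.
R1_CLI = """\
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#hash sha512
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 14
R1(config-isakmp)#encryption aes 256
R1(config)#crypto isakmp key 6 xxxxxxxx address 192.168.23.3
R1(config)#Crypto ipsec transform-set REMOTE esp-aes 256 esp-sha512-hmac
R1(config-if)#Tunnel destination 192.168.23.3
R1(config-if)#Tunnel mode ipsec ipv4
R1(config-if)# tunnel protection ipsec profile profile-1
"""
R3_CLI = R1_CLI.replace("192.168.23.3", "192.168.12.1")

PROMPT = re.compile(r"^\S+\([^)]*\)#\s*")   # strips "R1(config-if)#" style prompts
WEAK = {"hash": {"md5", "sha"}, "group": {"1", "2", "5"}, "encryption": {"des", "3des"}}

def parse(cli):
    cfg = {"protected": False}                    # S-VTI settings of one router
    for line in cli.splitlines():
        w = PROMPT.sub("", line).lower().split()  # IOS is case-insensitive
        if w and w[0] in ("hash", "group", "authentication", "encryption"):
            cfg[w[0]] = " ".join(w[1:])           # e.g. encryption -> "aes 256"
        elif w[:3] == ["crypto", "isakmp", "key"]:
            cfg["psk_peer"] = w[-1]               # address the PSK is bound to
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform"] = " ".join(w[4:])    # esp-aes 256 esp-sha512-hmac
        elif w[:2] == ["tunnel", "destination"]:
            cfg["tunnel_dst"] = w[2]
        elif w[:2] == ["tunnel", "protection"]:
            cfg["protected"] = True
    return cfg

def audit(a, b):
    out = []                                      # empty list = strong and consistent
    for name, cfg in (("A", a), ("B", b)):
        for k, bad in WEAK.items():               # judge the first word: "aes 256" -> "aes"
            if cfg.get(k, "").split(" ")[0] in bad:
                out.append(f"{name}: weak {k} {cfg[k]}")
        if not cfg["protected"]:
            out.append(f"{name}: no IPsec profile bound to the tunnel")
        if cfg.get("psk_peer") != cfg.get("tunnel_dst"):
            out.append(f"{name}: PSK peer {cfg.get('psk_peer')} != tunnel destination {cfg.get('tunnel_dst')}")
    for k in ("hash", "group", "encryption", "transform"):
        if a.get(k) != b.get(k):                  # IKE/IPsec proposals must match on both ends
            out.append(f"{k} mismatch: {a.get(k)} vs {b.get(k)}")
    return out
```

Running audit(parse(R1_CLI), parse(R3_CLI)) on the post's configuration returns an empty list; editing either side (for example hash md5 or a mistyped peer address) produces a finding per problem.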

Comments
Martin L (VIP)

Interesting lab; we appreciate your work!
