questions on VTIs

Unanswered Question
Nov 25th, 2008

If I want to build a site-to-site VPN:

As far as I understand, the "tunnel source" for a virtual tunnel interface is my WAN interface and the "tunnel destination" is the WAN interface of my other location. Is this right?

I saw some configurations on the net where the "tunnel source" was loopback 0.

Why would anyone use such a config?

Is the use of "crypto map" deprecated now ?

Would it be better/smarter to use VTIs now, because they are newer/"more modern" ?

I would be glad if someone could enlighten me on that.



Istvan_Rabai Tue, 11/25/2008 - 19:40

Hello Joerg,

With VTIs you still need to configure the ISAKMP policies, and instead of crypto maps you still need to configure the IPsec profiles and apply them to the VTI.

With traditional IPSec you aren't allowed to transmit multicast traffic over the IPSec VPN (routing protocol or any other user multicast traffic).

The solution was to create a GRE over IPSec configuration and routing protocols were able to establish neighbor relationship on the tunnel interfaces.

The drawback of this is a little more complex configuration and the tunnel header overhead added by the GRE tunnel, which increased the resulting packet size and could sometimes create MTU problems along the path of the traffic.

VTI still has the encryption overhead, but it is natively able to transmit multicast packets, so you don't have to add an additional header, which also simplifies configuration.

Loopbacks are used as a source interface because loopback interfaces never go down.

So if you lose a connection to a router but you have an alternative route to it, then the IPSec tunnel can stay up.
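The setup Istvan describes, written out as an added IOS configuration example that is not part of the original thread: a loopback-sourced VTI protected by an IPsec profile (no crypto map), with an OSPF adjacency running over the tunnel. Interface names, addresses (RFC 5737 documentation ranges) and the pre-shared key are constructed placeholders; the peer router mirrors this with the addresses swapped.

```cisco
! --- Router A (constructed example) ---
! Phase 1 policy; the peer address is the remote LOOPBACK, not its WAN interface
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 198.51.100.1
!
! Phase 2: transform set referenced by the profile that protects the VTI
crypto ipsec transform-set VTI-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile VTI-PROF
 set transform-set VTI-TS
!
! Tunnel endpoint that never goes down; it must be reachable from the peer
! over EVERY WAN path (advertise the /32 in the underlay IGP or add static
! routes per WAN link), otherwise the loopback trick buys nothing.
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
! The VTI: IPsec is applied with "tunnel protection", not a crypto map.
! No GRE header, so only ESP overhead; lower the MTU/MSS to avoid fragmentation.
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Loopback0
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
! Multicast works natively on the VTI, so OSPF peers across Tunnel0.
! 172.16.1.0/24 stands in for the local LAN.
router ospf 1
 network 10.255.0.0 0.0.0.3 area 0
 network 172.16.1.0 0.0.0.255 area 0
!
! Verification (exec mode): Tunnel0 up, SA installed, OSPF FULL on Tunnel0
! show interface Tunnel0
! show crypto ipsec sa
! show ip ospf neighbor
```

If one WAN link fails while the loopback stays reachable via the other, the peer address in the SA does not change, so the IPsec SA and the OSPF adjacency over Tunnel0 survive; with a WAN-interface-sourced tunnel they would have to be rebuilt.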
