Tunnel Interface instead of crypto map

netadmincsm
Level 1

Hi All

Can someone tell me what the difference is between creating a site-to-site VPN tunnel with a crypto map and creating a site-to-site VPN tunnel with a tunnel interface?

Thank you very much

13 Replies

slmansfield
Level 4

The use of a Virtual Tunnel Interface provides greater ease of deployment and more flexibility at layer 3 with a routable interface.  Here is a document explaining the virtues of VTIs.  HTH

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.pdf
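To make the "routable interface" point concrete, here is the same site-to-site tunnel built both ways. This is an added example, not configuration from the thread or from the linked Cisco document; the addresses, LAN prefixes, names (TS, CM, VTI-PROF, Tunnel0) and the pre-shared key are constructed placeholders.

```cisco
! Added example: one IPsec tunnel, configured as a crypto map and as a static VTI.
! 203.0.113.1 (local), 198.51.100.1 (remote), 10.1.0.0/24 and 10.2.0.0/24 are constructed.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-PSK-CHANGE-ME address 198.51.100.1
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! --- Option A: legacy crypto map bound to the physical interface ---
! The ACL decides what is encrypted (and must be mirrored on the peer).
! There is no interface for the tunnel, so no IGP, no per-tunnel ACL/QoS,
! and no "show interface" counters exist for it.
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
crypto map CM 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 match address VPN-TRAFFIC
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map CM
!
! --- Option B: static Virtual Tunnel Interface ---
! Whatever is routed into Tunnel0 is encrypted; routing (static or an IGP
! running over the tunnel) replaces the ACL, and the interface can carry
! ACLs, QoS, NetFlow and be tracked like any other link.
crypto ipsec profile VTI-PROF
 set transform-set TS
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
ip route 10.2.0.0 255.255.255.0 Tunnel0
```

Only one of the two options would be active on a router; they are shown together to highlight that the ISAKMP policy and transform set are identical and only the way traffic is selected changes.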

Thank you very much.  For sure it helps.

If I want to use a static VTI for an IPsec VPN tunnel between 2 routers, but 1 of my routers uses a public static address and the other does not (DSL connection),

I won't be able to put the tunnel destination command. How should I configure it?

Thanks again

Here's an example of using Easy VPN with IPSEC DVTIs.  The remote router gets its outside address via DHCP.  HTH

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/prod_white_paper0900aecd803645b5.pdf

If I do not want to use Easy VPN, can I do it with a static VTI? Or should I switch to a crypto map?

Thank you very much for your help.

Here are some other examples of using static and dynamic VTI's.

http://www.cisco.com/en/US/docs/ios/ios_xe/sec_secure_connectivity/configuration/guide/sec_ipsec_virt_tunnl_xe.pdf

You could also use DMVPN, which in this example shows a spoke site using DHCP to assign its outside address.

http://www.cisco.com/application/pdf/paws/41940/dmvpn.pdf

HTH

We already have a DMVPN configuration in our 300 spokes. It's a single cloud, dual hub DMVPN network. We need to create a separate VPN network infrastructure with those 300 spokes but linked through 2 remote HQ sites. Those 2 remote sites have public static IPs, but our spokes use dynamic addressing.

I need something simple. I checked out your examples, but only Easy VPN talks about unknown remote IPs.

Here's my concern.

I'll probably use a crypto map instead of VTI. What do you think?

What do you see is the advantage of crypto maps over Easy VPN?

If your spoke IP addresses are assigned dynamically, you could use dynamic crypto maps on your hub site, as in this example, but with this legacy setup you lose flexibility.  Avoiding crypto maps reduces problems with the management of a large number of VPN tunnels to your hub site.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093f86.shtml
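For the case described in the question (spokes with dynamically assigned outside addresses, hub with a static address), this is what the dynamic crypto map arrangement looks like on both ends. It is an added example, not configuration from the thread or from the linked Cisco document; the addresses, prefixes, names (TS, CM, DYN-SPOKES, TO-HUB, Dialer1) and the pre-shared key are constructed placeholders.

```cisco
! Added example: hub accepts spokes whose outside address is unknown in advance.
! 203.0.113.1 (hub), 10.0.0.0/8 (hub side LANs) and 10.2.0.0/24 (one spoke LAN) are constructed.
!
! ===== Hub =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! The hub cannot name its peers, so the PSK is bound to a wildcard address.
! Every spoke then shares one key: losing a single spoke means re-keying all
! of them, which is why certificates scale better for 300 sites.
crypto isakmp key EXAMPLE-PSK-CHANGE-ME address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
!
! A dynamic map has no "set peer" and no "match address": peer address and
! proxy identities are taken from whatever the spoke proposes in phase 2.
crypto dynamic-map DYN-SPOKES 10
 set transform-set TS
 ! Reverse Route Injection installs a static route to the spoke LAN
 ! when its SA comes up, so the hub can redistribute it into the IGP.
 reverse-route
! Highest sequence number so that any static entries are tried first.
crypto map CM 65535 ipsec-isakmp dynamic DYN-SPOKES
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map CM
! Consequence: the hub can only respond, never initiate, and there is no
! per-spoke interface to monitor or police; "show crypto ipsec sa" is the
! only place a spoke's current address and traffic counters appear.
!
! ===== Spoke (dynamic outside address on the DSL dialer) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-PSK-CHANGE-ME address 203.0.113.1
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
ip access-list extended TO-HUB
 permit ip 10.2.0.0 0.0.0.255 10.0.0.0 0.255.255.255
crypto map CM 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address TO-HUB
interface Dialer1
 crypto map CM
```

The spoke must always be the initiator, so keep interesting traffic (or an SLA probe) flowing from the spoke side if the tunnel is expected to stay up.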

I know I'll lose flexibility, but our old network works like this; we have troubleshot it for a couple of years. We know what kind of issues it will probably have. But not with Easy VPN. I never used it.

But you convinced me to take a look at Easy VPN.

Which solution has the lower CPU and memory consumption (Easy VPN or dynamic crypto map)?

Thanks again

I understand your reluctance to go to an unfamiliar technology, but I think it is worthwhile to consider Easy VPN unless you are connecting to remote sites that do not have Cisco devices.

Assuming all of your sites use Cisco VPN devices, one problem you may have encountered is that clearing the IPsec SAs for a specific VPN tunnel does not work. The only remedy is to remove and replace the crypto map, which impacts all of your other sites.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution10

With regards to your question about performance, Easy VPN is a new technology, aimed at improving performance for your applications.

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps6659/eprod_qas0900aecd805358e0.html

"We already have a DMVPN configuration in our 300 spokes. It's a single cloud, dual hub DMVPN network. We need to create a separate VPN network infrastructure with those 300 spokes but linked through 2 remote HQ sites. Those 2 remote sites have public static IPs, but our spokes use dynamic addressing."

I didn't quite understand why you need a separate VPN infrastructure? Personally I don't like using routers as endpoints in Easy VPN, but that's just me :-). If you can explain why you want to divert from your DMVPN setup, or why you can't have dedicated P2P tunnels for the 2 sites running NHRP, thus solving your problem of dynamic IPs!!

The main reason is that for a specific purpose we can't route this traffic by our hub infrastructure at all. We use a phase 2, spoke-to-spoke DMVPN setup.

So we know the first packet will go through the path "spoke-hub-spoke" while the spoke-to-spoke dynamic tunnel comes up. We also don't want those routers to be hubs (answering NHRP requests).

If you have a DMVPN setup that routes the packets directly to those routers without considering them as hubs, I'll be happy.

Thanks a lot

Have you looked at the phase 3 enhancements to DMVPN?  Spoke-to-spoke traffic does not go through the hub.  HTH

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6660/ps6808/prod_white_paper0900aecd8055c34e_ps6658_Products_White_Paper.html
