Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

IPsec Virtual Tunnel Interfaces

Here is information about IPsec Virtual Tunnel Interfaces:

IPsec Virtual Tunnel Interfaces can be used to configure the following:

  • Easy VPN Server
  • Easy VPN Remote
  • Site-to-site VPNs between two IOS endpoints supporting IPsec Virtual Tunnel interface (including VPN-capable Integrated Services Routers, the SR520, the UC520, and the UC540)

CCA 1.9 and later leverage IPsec Virtual Tunnel Interfaces to configure Easy VPN.

Reasons why I choose IPsec Virtual Tunnel Interfaces to configure VPNs:

  • Requires fewer access control list entries on the WAN interface
  • Allows Easy VPN server and site-to-site VPN tunnels to co-exist on the same router or UC500 unit
  • Traffic is routed through site-to-site VPN tunnels by adding static routes of the appropriate subnets to the virtual tunnel interfaces
  • Works on UC520 units, UC540 units, SR520, and VPN-capable ISRs

Site-to-site VPNs with a Static Virtual Tunnel Interface (used for VPNs between offices):

  • Configure a keyring with the site-to-site VPN preshared key
  • Configure at least one ISAKMP policy
  • Configure a ISAKMP profile for the site-to-site VPN tunnel
    • You must set the correct keyring here
    • You must also have one or more match identity entries added here
  • Configure a IPsec profile for the site-to-site VPN tunnel
    • You must set the correct ISAKMP profile here
    • You must have one or more transform sets in the IPsec profile
    • All of the transform sets used here must be tunnel mode transform sets
  • Configure the tunnel interface for the site-to-site VPN
    • This will normally have ip unnumbered BVI1 or ip unnumbered Vlan1 set
    • The tunnel source must be set to the WAN interface, which is usually FastEthernet0/0 or Dialer0 on UC520 or UC540 units, and is usually FastEthernet4 or Dialer0 on a 851, 861, 871, 881 ISR or a SR520-FE.
    • The tunnel destination must be set to the IP address or DNS hostname of the other endpoint.
    • The tunnel mode must be set to ipsec ipv4.
    • The tunnel protection ipsec profile must be set to the correct IPsec profile
  • Add routes for the site-to-site VPN
    • Traffic that needs to be routed over the site-to-site VPN tunnel needs to be added using the ip route <subnet to be routed over VPN tunnel> <subnet mask> <tunnel interface name> command, with <subnet to be routed over VPN tunnel>, <subnet mask>, <tunnel interface name> substituted with the correct values.
    • You need to have ip route entries for each subnet that needs to be connected through the site-to-site VPN
    • The subnets that are routed over the site-to-site VPN need to be unique among sites

CCA 1.9 and later can configure Easy VPN Server with a Dynamic VTI. The procedure is described in the IPsec Virtual Tunnel Interface document and the CCA out-of-band configuration guidelines.

Configuring Easy VPN Remote with a Dynamic VTI (this is used for teleworker scenarios, office-to-office VPNs should be done with site-to-site VPNs):

  • Configure the Easy VPN Remote in the crypto ipsec client ezvpn section of your configuration:
    • Manual or automatic connection mode must be specified
    • Easy VPN Group Name and Key must be specified
    • Client or Network Extension Mode must be specified
    • Easy VPN server hostname or IP address must be specified
    • The Virtual Tunnel Interface used by the Easy VPN client must be specified here
    • The XAuth username and password (same as the VPN username and password in the Cisco VPN client or CCA) must be specified here or entered through a web browser
    • The XAuth mode must be specified here
    • If Network Extension Mode is used, the subnet cannot overlap with any of the subnets at any of the sites exposed through the Easy VPN connection
  • A loopback interface is created
  • Specifying whether an interface is an inside or outside interface for Easy VPN is specified for both the WAN interface and any LAN interfaces
  • A Virtual-Template interface is created
    • This is ip unnumbered to the loopback interface

The details of the above details are described in the IPsec Virtual Tunnel Interface document.

CreatePlease to create content