IPsec Virtual Tunnel Interfaces can be used to configure the following:
- Easy VPN Server
- Easy VPN Remote
- Site-to-site VPNs between two IOS endpoints supporting IPsec Virtual Tunnel Interfaces (including VPN-capable Integrated Services Routers, the SR520, the UC520, and the UC540)
CCA 1.9 and later leverage IPsec Virtual Tunnel Interfaces to configure Easy VPN.
Reasons why I choose IPsec Virtual Tunnel Interfaces to configure VPNs:
- Requires fewer access control list entries on the WAN interface
- Allows Easy VPN server and site-to-site VPN tunnels to co-exist on the same router or UC500 unit
- Traffic is routed through site-to-site VPN tunnels by adding static routes of the appropriate subnets to the virtual tunnel interfaces
- Works on UC520 units, UC540 units, SR520, and VPN-capable ISRs
Site-to-site VPNs with a Static Virtual Tunnel Interface (used for VPNs between offices):
1. Configure a keyring with the site-to-site VPN preshared key.
2. Configure at least one ISAKMP policy.
3. Configure an ISAKMP profile for the site-to-site VPN tunnel.
   - You must set the correct keyring here.
   - You must also have one or more match identity entries added here.
4. Configure an IPsec profile for the site-to-site VPN tunnel.
   - You must set the correct ISAKMP profile here.
   - You must have one or more transform sets in the IPsec profile.
   - All of the transform sets used here must be tunnel mode transform sets.
5. Configure the tunnel interface for the site-to-site VPN.
   - This will normally have ip unnumbered BVI1 or ip unnumbered Vlan1 set.
   - The tunnel source must be set to the WAN interface, which is usually FastEthernet0/0 or Dialer0 on UC520 or UC540 units, and is usually FastEthernet4 or Dialer0 on an 851, 861, 871, 881 ISR or an SR520-FE.
   - The tunnel destination must be set to the IP address or DNS hostname of the other endpoint.
   - The tunnel mode must be set to ipsec ipv4.
   - The tunnel protection ipsec profile must be set to the correct IPsec profile.
6. Add routes for the site-to-site VPN.
   - Add each subnet that must be routed over the site-to-site VPN tunnel with the ip route <subnet to be routed over VPN tunnel> <subnet mask> <tunnel interface name> command, substituting the correct values for <subnet to be routed over VPN tunnel>, <subnet mask> and <tunnel interface name>.
   - You need to have ip route entries for each subnet that needs to be connected through the site-to-site VPN.
   - The subnets that are routed over the site-to-site VPN need to be unique among sites.
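The six steps above, put together as one IOS configuration for one endpoint. This is an added example, not configuration from the original document: the object names (S2S-KEYRING, S2S-ISAKMP, S2S-TS, S2S-IPSEC), the peer address 203.0.113.2, the remote subnet 192.168.20.0/24 and the algorithm choices are assumptions, and the preshared key is a placeholder.

```cisco
! Constructed example values; replace every name, address and key.
! Step 1: keyring holding the preshared key for the remote endpoint
crypto keyring S2S-KEYRING
 pre-shared-key address 203.0.113.2 key <preshared-key>
!
! Step 2: at least one ISAKMP policy. The algorithms are an assumption;
! use the strongest set that both endpoints' IOS images support.
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
!
! Step 3: ISAKMP profile that references the keyring and matches the peer
crypto isakmp profile S2S-ISAKMP
 keyring S2S-KEYRING
 match identity address 203.0.113.2 255.255.255.255
!
! Step 4: tunnel mode transform set and the IPsec profile that uses it
crypto ipsec transform-set S2S-TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile S2S-IPSEC
 set transform-set S2S-TS
 set isakmp-profile S2S-ISAKMP
!
! Step 5: static VTI, sourced from the WAN interface
interface Tunnel0
 ip unnumbered Vlan1
 tunnel source FastEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile S2S-IPSEC
!
! Step 6: one static route per remote subnet reached through the tunnel
ip route 192.168.20.0 255.255.255.0 Tunnel0
```

The other endpoint carries the mirror image of this configuration, with the peer address and routed subnet swapped and the same preshared key; `show crypto session` and `show interface Tunnel0` confirm that the tunnel is up.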
CCA 1.9 and later can configure Easy VPN Server with a Dynamic VTI. The procedure is described in the IPsec Virtual Tunnel Interface document and the CCA out-of-band configuration guidelines.
Configuring Easy VPN Remote with a Dynamic VTI (this is used for teleworker scenarios; office-to-office VPNs should be done with site-to-site VPNs):
1. Configure the Easy VPN Remote in the crypto ipsec client ezvpn section of your configuration:
   - Manual or automatic connection mode must be specified.
   - Easy VPN Group Name and Key must be specified.
   - Client or Network Extension Mode must be specified.
   - Easy VPN server hostname or IP address must be specified.
   - The Virtual Tunnel Interface used by the Easy VPN client must be specified here.
   - The XAuth username and password (same as the VPN username and password in the Cisco VPN client or CCA) must be specified here or entered through a web browser.
   - The XAuth mode must be specified here.
   - If Network Extension Mode is used, the subnet cannot overlap with any of the subnets at any of the sites exposed through the Easy VPN connection.
2. A loopback interface is created.
3. The WAN interface and any LAN interfaces are each designated as an inside or outside interface for Easy VPN.
4. A Virtual-Template interface is created.
   - This is ip unnumbered to the loopback interface.

The details of the above steps are described in the IPsec Virtual Tunnel Interface document.