
    VPN Virtual Tunnel Interfaces

    By admin | June 2, 2009

    While doing a recent deployment, I ran across this concept. It’s a slightly different way to configure VPNs on a Cisco router that (for me) is far less confusing and finicky. If you’ve ever configured VPNs using a PIX firewall or IOS router, you probably know of the pain associated with making sure your crypto map is correctly configured. There are SO MANY pieces of it, you’re almost assured that something is not going to match between one side of the connection and the other (especially that “interesting traffic” ACL). That’s where these IPSec Virtual Tunnel Interfaces come in. Check this out…

    Instead of configuring crypto maps between your routers, you create virtual interfaces, so the VPN has its own “point-to-point” style connection between sites. The easiest way to understand this is to see a configuration example. I borrowed the syntax / graphic for this example from Richard Deal’s Complete Cisco VPN Configuration Guide by Cisco Press (awesome book, by the way).

    [Figure: VTI.gif, the two-router VTI topology used in the example below (RouterA 192.1.1.1 / 192.168.1.0/24, RouterB 193.1.1.1 / 192.168.2.0/24, tunnel 192.168.3.0/24)]

    RouterA Configuration:

    RTRA(config)# crypto isakmp policy 10
    RTRA(config-isakmp)# encryption aes 128
    RTRA(config-isakmp)# hash sha
    RTRA(config-isakmp)# authentication pre-share
    RTRA(config-isakmp)# group 2
    RTRA(config-isakmp)# exit
    RTRA(config)# crypto isakmp key cisco123 address 193.1.1.1 255.255.255.255 no-xauth
    RTRA(config)# crypto ipsec transform-set RTRtran esp-aes esp-sha-hmac
    RTRA(cfg-crypto-trans)# exit
    RTRA(config)# crypto ipsec profile VTI
    RTRA(ipsec-profile)# set transform-set RTRtran
    RTRA(ipsec-profile)# exit
    RTRA(config)# interface tunnel 0
    RTRA(config-if)# ip address 192.168.3.1 255.255.255.0
    RTRA(config-if)# tunnel source 192.1.1.1
    RTRA(config-if)# tunnel destination 193.1.1.1
    RTRA(config-if)# tunnel mode ipsec ipv4
    RTRA(config-if)# tunnel protection ipsec profile VTI
    RTRA(config-if)# exit
    RTRA(config)# interface Ethernet0/0
    RTRA(config-if)# ip address 192.1.1.1 255.255.255.0
    RTRA(config-if)# exit
    RTRA(config)# interface Ethernet 1/0
    RTRA(config-if)# ip address 192.168.1.1 255.255.255.0
    RTRA(config-if)# exit
    RTRA(config)# ip route 192.168.2.0 255.255.255.0 tunnel0

    RouterB Configuration:

    RTRB(config)# crypto isakmp policy 10
    RTRB(config-isakmp)# encryption aes 128
    RTRB(config-isakmp)# hash sha
    RTRB(config-isakmp)# authentication pre-share
    RTRB(config-isakmp)# group 2
    RTRB(config-isakmp)# exit
    RTRB(config)# crypto isakmp key cisco123 address 192.1.1.1 255.255.255.255 no-xauth
    RTRB(config)# crypto ipsec transform-set RTRtran esp-aes esp-sha-hmac
    RTRB(cfg-crypto-trans)# exit
    RTRB(config)# crypto ipsec profile VTI
    RTRB(ipsec-profile)# set transform-set RTRtran
    RTRB(ipsec-profile)# exit
    RTRB(config)# interface tunnel 0
    RTRB(config-if)# ip address 192.168.3.2 255.255.255.0
    RTRB(config-if)# tunnel source 193.1.1.1
    RTRB(config-if)# tunnel destination 192.1.1.1
    RTRB(config-if)# tunnel mode ipsec ipv4
    RTRB(config-if)# tunnel protection ipsec profile VTI
    RTRB(config-if)# exit
    RTRB(config)# interface Ethernet0/0
    RTRB(config-if)# ip address 193.1.1.1 255.255.255.0
    RTRB(config-if)# exit
    RTRB(config)# interface Ethernet 1/0
    RTRB(config-if)# ip address 192.168.2.1 255.255.255.0
    RTRB(config-if)# exit
    RTRB(config)# ip route 192.168.1.0 255.255.255.0 tunnel0

    The configuration is pretty straightforward, especially if you’ve configured GRE tunnels before. The difference is that you use the “tunnel mode ipsec ipv4” command to tell the router that this is an IPSec-based interface rather than a GRE one, and the “tunnel protection ipsec profile VTI” command to attach the IPSec profile (and, through it, the transform set that defines the encryption and integrity algorithms) to the interface.

    The best part of the whole thing is NO CRYPTO MAPS!!! 🙂 I love it – traffic is associated with a remote site using “ip route” static routes rather than mirrored ACLs. Awesome stuff!
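    Even with VTIs a few parameters still have to agree between the two ends (mirrored tunnel source/destination, the ISAKMP peer address and key, the phase 1 policy, the transform set, and a route into the tunnel). As an added example, not from the post or from Richard Deal’s book, here is a small Python checker that reads two routers’ running-config text and reports exactly those mismatches; the sample configs are constructed from the RTRA/RTRB settings above, and the field names are my own.

```python
import re

# Regexes for the VTI-relevant lines of an IOS running config (constructed field names).
FIELDS = {
    "encr": r"^ encryption (.+)$", "hash": r"^ hash (.+)$", "auth": r"^ authentication (.+)$",
    "group": r"^ group (.+)$", "psk": r"^crypto isakmp key (\S+) address",
    "peer": r"^crypto isakmp key \S+ address (\S+)",
    "ts_name": r"^crypto ipsec transform-set (\S+)", "transform": r"^crypto ipsec transform-set \S+ (.+)$",
    "profile": r"^crypto ipsec profile (\S+)", "profile_ts": r"^ set transform-set (\S+)",
    "src": r"^ tunnel source (\S+)", "dst": r"^ tunnel destination (\S+)",
    "mode": r"^ tunnel mode (.+)$", "protect": r"^ tunnel protection ipsec profile (\S+)",
    "route_nh": r"^ip route \S+ \S+ (\S+)",
}

def parse_vti(cfg):
    """First match of each field in running-config text (None if the line is absent)."""
    return {k: (m.group(1).strip() if (m := re.search(p, cfg, re.M)) else None)
            for k, p in FIELDS.items()}

def check_vti_pair(cfg_a, cfg_b):
    """Return a list of mismatch findings between two VTI peers; an empty list means they agree."""
    a, b = parse_vti(cfg_a), parse_vti(cfg_b)
    out = []
    for name, s in (("A", a), ("B", b)):            # per-router sanity checks
        if s["mode"] != "ipsec ipv4":
            out.append(f"{name}: tunnel mode {s['mode']!r}, expected 'ipsec ipv4'")
        if s["protect"] != s["profile"] or s["profile_ts"] != s["ts_name"]:
            out.append(f"{name}: tunnel protection -> profile -> transform-set chain is broken")
        if (s["route_nh"] or "").lower() != "tunnel0":
            out.append(f"{name}: no static route via Tunnel0, so nothing will enter the VTI")
    if (a["src"], a["dst"]) != (b["dst"], b["src"]):  # cross-router checks
        out.append("tunnel source/destination are not mirrored between the peers")
    if a["peer"] != b["src"] or b["peer"] != a["src"]:
        out.append("ISAKMP key address does not match the peer's tunnel source")
    for k in ("encr", "hash", "auth", "group", "psk", "transform"):  # must be identical on both ends
        if a[k] != b[k]:
            out.append(f"{k} differs: {a[k]!r} vs {b[k]!r}")
    return out

def sample_config(wan_ip, peer_ip, tunnel_ip, remote_lan, hash_alg="sha"):
    """Constructed running-config text mirroring the post's RTRA/RTRB example."""
    return (
        "crypto isakmp policy 10\n encryption aes 128\n hash {h}\n authentication pre-share\n group 2\n"
        "crypto isakmp key cisco123 address {p} 255.255.255.255 no-xauth\n"
        "crypto ipsec transform-set RTRtran esp-aes esp-sha-hmac\ncrypto ipsec profile VTI\n set transform-set RTRtran\n"
        "interface Tunnel0\n ip address {t} 255.255.255.0\n tunnel source {w}\n tunnel destination {p}\n"
        " tunnel mode ipsec ipv4\n tunnel protection ipsec profile VTI\nip route {r} 255.255.255.0 Tunnel0\n"
    ).format(h=hash_alg, p=peer_ip, t=tunnel_ip, w=wan_ip, r=remote_lan)

RTRA = sample_config("192.1.1.1", "193.1.1.1", "192.168.3.1", "192.168.2.0")
RTRB = sample_config("193.1.1.1", "192.1.1.1", "192.168.3.2", "192.168.1.0")
```

Running `check_vti_pair(RTRA, RTRB)` on the two sample configs returns an empty list; change one side’s hash or peer address and the offending parameter is named.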


    Topics: CCSP, CCSP Articles
