This page was exported from Free Cisco Training & Resources - Certification Exam Preparation [ https://www.ciscobibles.com ]
Export date: Thu Mar 28 18:24:22 2024 / +0000 GMT

VPN Virtual Tunnel Interfaces



While doing a recent deployment, I ran across this concept. It's a slightly different way to configure VPNs on a Cisco router that (for me) is far less confusing and finicky. If you've ever configured VPNs using a PIX firewall or IOS router, you probably know the pain of making sure your crypto map is correctly configured. There are SO MANY pieces to it that you're almost assured something won't match between one side of the connection and the other (especially that "interesting traffic" ACL). That's where IPSec Virtual Tunnel Interfaces come in. Check this out...

Instead of configuring crypto maps between your routers, you create virtual interfaces, so the VPN has its own "point-to-point" style connection between sites. The best way to grasp this is to see a configuration example. I borrowed the syntax / graphic for this example from Richard Deal's Complete Cisco VPN Configuration Guide by Cisco Press (awesome book, by the way).

[Figure VTI.gif: network diagram for the configuration example below]

RouterA Configuration:

RTRA(config)# crypto isakmp policy 10
RTRA(config-isakmp)# encryption aes 128
RTRA(config-isakmp)# hash sha
RTRA(config-isakmp)# authentication pre-share
RTRA(config-isakmp)# group 2
RTRA(config-isakmp)# exit
RTRA(config)# crypto isakmp key cisco123 address 193.1.1.1 255.255.255.255 no-xauth
RTRA(config)# crypto ipsec transform-set RTRtran esp-aes esp-sha-hmac
RTRA(cfg-crypto-trans)# exit
RTRA(config)# crypto ipsec profile VTI
RTRA(ipsec-profile)# set transform-set RTRtran
RTRA(ipsec-profile)# exit
RTRA(config)# interface tunnel 0
RTRA(config-if)# ip address 192.168.3.1 255.255.255.0
RTRA(config-if)# tunnel source 192.1.1.1
RTRA(config-if)# tunnel destination 193.1.1.1
RTRA(config-if)# tunnel mode ipsec ipv4
RTRA(config-if)# tunnel protection ipsec profile VTI
RTRA(config-if)# exit
RTRA(config)# interface Ethernet0/0
RTRA(config-if)# ip address 192.1.1.1 255.255.255.0
RTRA(config-if)# exit
RTRA(config)# interface Ethernet1/0
RTRA(config-if)# ip address 192.168.1.1 255.255.255.0
RTRA(config-if)# exit
RTRA(config)# ip route 192.168.2.0 255.255.255.0 tunnel0

RouterB Configuration:

RTRB(config)# crypto isakmp policy 10
RTRB(config-isakmp)# encryption aes 128
RTRB(config-isakmp)# hash sha
RTRB(config-isakmp)# authentication pre-share
RTRB(config-isakmp)# group 2
RTRB(config-isakmp)# exit
RTRB(config)# crypto isakmp key cisco123 address 192.1.1.1 255.255.255.255 no-xauth
RTRB(config)# crypto ipsec transform-set RTRtran esp-aes esp-sha-hmac
RTRB(cfg-crypto-trans)# exit
RTRB(config)# crypto ipsec profile VTI
RTRB(ipsec-profile)# set transform-set RTRtran
RTRB(ipsec-profile)# exit
RTRB(config)# interface tunnel 0
RTRB(config-if)# ip address 192.168.3.2 255.255.255.0
RTRB(config-if)# tunnel source 193.1.1.1
RTRB(config-if)# tunnel destination 192.1.1.1
RTRB(config-if)# tunnel mode ipsec ipv4
RTRB(config-if)# tunnel protection ipsec profile VTI
RTRB(config-if)# exit
RTRB(config)# interface Ethernet0/0
RTRB(config-if)# ip address 193.1.1.1 255.255.255.0
RTRB(config-if)# exit
RTRB(config)# interface Ethernet1/0
RTRB(config-if)# ip address 192.168.2.1 255.255.255.0
RTRB(config-if)# exit
RTRB(config)# ip route 192.168.1.0 255.255.255.0 tunnel0

The configuration is pretty straightforward, especially if you've configured GRE tunnels before. The difference is that you use the "tunnel mode ipsec ipv4" command to tell the router this is an IPSec-based interface rather than GRE, and the "tunnel protection ipsec profile <name>" command to bind an IPSec profile (and with it the transform-set, i.e. the encryption and integrity algorithms) to the interface.

The best part of the whole thing is NO CRYPTO MAPS!!! :) I love it - traffic is associated with a remote site using "ip route" static routes rather than mirrored ACLs, and because tunnel0 is a real routed interface you can run a routing protocol over it or apply an ACL to it like any other interface. The ISAKMP policy, pre-shared key and transform-set still have to agree on both ends, of course, but that is a much shorter list to get right. Awesome stuff!
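Even with crypto maps gone, the two VTI peers still have to agree on the IKE policy, the transform-set and the mirrored tunnel/peer addresses. The checker below is an added example, not code from the post or from Cisco; it assumes the configs are available as running-config text (the sample is a constructed, reduced copy of RouterA from this page, with RouterB derived as its mirror image) and reports any field that would make IKE or IPSec negotiation fail.

```python
import re

def vti_facts(config):
    """Peer-sensitive fields of an IOS config; sub-commands are tied to their parent line."""
    f, parent = {}, ""
    for line in filter(str.strip, config.splitlines()):
        cmd = line.strip()
        if not line.startswith(" "):
            parent = cmd
            if m := re.match(r"crypto isakmp key \S+ address (\S+)", cmd):
                f["psk_peer"] = m[1]
            elif m := re.match(r"crypto ipsec transform-set \S+ (.+)", cmd):
                f["transform"] = m[1]
        elif parent.startswith("crypto isakmp policy"):
            f["ike_" + cmd.split()[0]] = cmd.split(None, 1)[1]
        elif parent.startswith("interface Tunnel"):
            if m := re.match(r"tunnel (source|destination|mode) (.+)", cmd):
                f["tun_" + m[1]] = m[2]
    return f

def check_pair(a, b):
    """List of mismatches between two peers' facts; empty means the pair is consistent."""
    keys = ("ike_encryption", "ike_hash", "ike_authentication", "ike_group", "transform", "tun_mode")
    errs = [f"{k}: {a.get(k)} vs {b.get(k)}" for k in keys if a.get(k) != b.get(k)]
    if (a.get("tun_source"), a.get("tun_destination")) != (b.get("tun_destination"), b.get("tun_source")):
        errs.append("tunnel source/destination are not mirrored")
    if (a.get("psk_peer"), b.get("psk_peer")) != (b.get("tun_source"), a.get("tun_source")):
        errs.append("isakmp key address does not match the peer's tunnel source")
    return errs

# Constructed sample: RouterA from this page in running-config form (ipsec profile omitted).
RTRA = """crypto isakmp policy 10
 encryption aes 128
 hash sha
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 193.1.1.1 255.255.255.255 no-xauth
crypto ipsec transform-set RTRtran esp-aes esp-sha-hmac
interface Tunnel0
 ip address 192.168.3.1 255.255.255.0
 tunnel source 192.1.1.1
 tunnel destination 193.1.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
"""
# RouterB is the mirror image: swap the public addresses and bump the tunnel address.
RTRB = (RTRA.replace("192.1.1.1", "@").replace("193.1.1.1", "192.1.1.1")
        .replace("@", "193.1.1.1").replace("192.168.3.1", "192.168.3.2"))
# A typical one-sided slip: the other admin picked a different IKE hash.
RTRB_BAD = RTRB.replace("hash sha", "hash md5")
```

Running check_pair on the page's pair returns an empty list, while the md5 variant reports the IKE hash mismatch; comparing a config against itself flags the addresses as not mirrored.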



Post date: 2009-06-02 16:31:26
Post date GMT: 2009-06-02 08:31:26
Post modified date: 2010-07-23 11:53:35
Post modified date GMT: 2010-07-23 03:53:35
