Source: Free Cisco Training & Resources - Certification Exam Preparation [ https://www.ciscobibles.com ]

Title: VPN Virtual Tunnel Interfaces

---------------------------------------------------

While doing a recent deployment, I ran across this concept. It's a slightly different way to configure VPNs on a Cisco router that (for me) is far less confusing and finicky.

If you've ever configured VPNs using a PIX firewall or IOS router, you probably know the pain of making sure your crypto map is correctly configured. There are SO MANY pieces to it that you're almost assured something will not match between one side of the connection and the other (especially the "interesting traffic" crypto ACL, which has to be the exact mirror image of the peer's). That's where IPsec Virtual Tunnel Interfaces (VTIs) come in. Check this out...

Instead of configuring crypto maps between your routers, you create virtual tunnel interfaces, so the VPN gets its own point-to-point style connection between sites. Whatever is routed into the tunnel interface gets encrypted, and the IPsec SA is negotiated with "any/any" proxy identities, so there is no crypto ACL to keep in sync. The best way to get this is to see a configuration example. I borrowed the syntax and graphic for this example from Richard Deal's Complete Cisco VPN Configuration Guide by Cisco Press (awesome book, by the way).
RouterA Configuration:

RTRA(config)# crypto isakmp policy 10
RTRA(config-isakmp)# encryption aes 128
RTRA(config-isakmp)# hash sha
RTRA(config-isakmp)# authentication pre-share
RTRA(config-isakmp)# group 2
RTRA(config-isakmp)# exit
RTRA(config)# crypto isakmp key cisco123 address 193.1.1.1 255.255.255.255 no-xauth
RTRA(config)# crypto ipsec transform-set RTRtran esp-aes esp-sha-hmac
RTRA(cfg-crypto-trans)# exit
RTRA(config)# crypto ipsec profile VTI
RTRA(ipsec-profile)# set transform-set RTRtran
RTRA(ipsec-profile)# exit
RTRA(config)# interface tunnel 0
RTRA(config-if)# ip address 192.168.3.1 255.255.255.0
RTRA(config-if)# tunnel source 192.1.1.1
RTRA(config-if)# tunnel destination 193.1.1.1
RTRA(config-if)# tunnel mode ipsec ipv4
RTRA(config-if)# tunnel protection ipsec profile VTI
RTRA(config-if)# exit
RTRA(config)# interface Ethernet0/0
RTRA(config-if)# ip address 192.1.1.1 255.255.255.0
RTRA(config-if)# exit
RTRA(config)# interface Ethernet1/0
RTRA(config-if)# ip address 192.168.1.1 255.255.255.0
RTRA(config-if)# exit
RTRA(config)# ip route 192.168.2.0 255.255.255.0 tunnel0

RouterB Configuration:

RTRB(config)# crypto isakmp policy 10
RTRB(config-isakmp)# encryption aes 128
RTRB(config-isakmp)# hash sha
RTRB(config-isakmp)# authentication pre-share
RTRB(config-isakmp)# group 2
RTRB(config-isakmp)# exit
RTRB(config)# crypto isakmp key cisco123 address 192.1.1.1 255.255.255.255 no-xauth
RTRB(config)# crypto ipsec transform-set RTRtran esp-aes esp-sha-hmac
RTRB(cfg-crypto-trans)# exit
RTRB(config)# crypto ipsec profile VTI
RTRB(ipsec-profile)# set transform-set RTRtran
RTRB(ipsec-profile)# exit
RTRB(config)# interface tunnel 0
RTRB(config-if)# ip address 192.168.3.2 255.255.255.0
RTRB(config-if)# tunnel source 193.1.1.1
RTRB(config-if)# tunnel destination 192.1.1.1
RTRB(config-if)# tunnel mode ipsec ipv4
RTRB(config-if)# tunnel protection ipsec profile VTI
RTRB(config-if)# exit
RTRB(config)# interface Ethernet0/0
RTRB(config-if)# ip address 193.1.1.1 255.255.255.0
RTRB(config-if)# exit
RTRB(config)# interface Ethernet1/0
RTRB(config-if)# ip address 192.168.2.1 255.255.255.0
RTRB(config-if)# exit
RTRB(config)# ip route 192.168.1.0 255.255.255.0 tunnel0

The configuration is pretty straightforward, especially if you've configured GRE tunnels before. The differences are the "tunnel mode ipsec ipv4" command, which tells the router this is an IPsec tunnel interface rather than GRE (the packets are carried directly in ESP, with no GRE header), and the "tunnel protection ipsec profile VTI" command, which binds the IPsec profile, and through it the transform set, to the interface. (The IOS keyword is "profile"; "tunnel protection ipsec VTI" without it is rejected.)

The best part of the whole thing is NO CRYPTO MAPS!!! :) I love it - traffic is associated with a remote site using "ip route" static routes rather than mirrored ACLs. Awesome stuff!

A few things to check before leaning on this in production:

- The tunnel destination must be reachable through the underlay, never through the tunnel itself. The example shows no route toward the peer's public address (192.1.1.0/24 and 193.1.1.0/24 are different subnets), so a real deployment needs a default or static route out Ethernet0/0 on each side. A route to the peer that points into Tunnel0 causes recursive routing and the tunnel flaps.
- Because the VTI is a real point-to-point interface, you can run a routing protocol across it instead of static routes, and put an "ip access-group" on Tunnel0 to restrict what goes into the tunnel, since the IPsec SA no longer limits traffic to an "interesting traffic" ACL.
- Verify with "show crypto isakmp sa", "show crypto ipsec sa" and "show interface tunnel 0": the tunnel's line protocol only comes up once the IPsec SA is established, which makes a mismatch easy to spot.
- The crypto choices are 2009-era. DH group 2, SHA-1 and an eight-character pre-shared key are below current guidance; on current IOS use group 14 or higher, sha256, a long random key (or certificates), and preferably IKEv2 (a "crypto ikev2 profile" bound to the IPsec profile with "set ikev2-profile").

---------------------------------------------------

Images: http://www.ciscoblog.com/docstore/VTI.gif

Post date: 2009-06-02 16:31:26 (GMT 2009-06-02 08:31:26)
Post modified date: 2010-07-23 11:53:35 (GMT 2010-07-23 03:53:35)
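The complaint about crypto maps above is really a complaint about two configs that have to agree with each other. As an added example (not from the post, the book, or Cisco), here is a small Python script that parses the RouterA and RouterB configs shown above (copied in as constructed sample input in running-config form, without the CLI prompts, and using the "tunnel protection ipsec profile" keyword), checks that every parameter the peers must agree on matches, and separately flags settings that work but sit below current guidance. The parser only understands the handful of commands a VTI needs; it is a checking aid, not a general IOS parser.

```python
"""Consistency check for an IOS IPsec VTI pair (added example, not Cisco code).
Parses the two router configs from the post, confirms the peers agree, and
flags settings below current guidance."""
import ipaddress

# Constructed sample input: RouterA's VTI config from the post, running-config form.
RTRA_CFG = """\
crypto isakmp policy 10
 encryption aes 128
 hash sha
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 193.1.1.1 255.255.255.255 no-xauth
crypto ipsec transform-set RTRtran esp-aes esp-sha-hmac
crypto ipsec profile VTI
 set transform-set RTRtran
interface Tunnel0
 ip address 192.168.3.1 255.255.255.0
 tunnel source 192.1.1.1
 tunnel destination 193.1.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
"""
# RouterB is the mirror image: swap the two public addresses, use .2 on the tunnel.
RTRB_CFG = (RTRA_CFG.replace("193.1.1.1", "PEER").replace("192.1.1.1", "193.1.1.1")
            .replace("PEER", "192.1.1.1").replace("192.168.3.1", "192.168.3.2"))


def parse(cfg):
    """Pull the VTI-relevant pieces out of an IOS running-config fragment."""
    c = {"ike": {}, "psk": {}, "ts": {}, "profile": {}, "tunnel": {}}
    ctx = None
    for line in cfg.splitlines():
        w = line.split()
        if not w:
            continue
        if not line.startswith(" "):  # top-level command starts a new context
            ctx = None
            if w[:3] == ["crypto", "isakmp", "policy"]:
                ctx = "ike"
            elif w[:3] == ["crypto", "isakmp", "key"]:  # ... key KEY address ADDR MASK
                c["psk"][w[5]] = w[3]
            elif w[:3] == ["crypto", "ipsec", "transform-set"]:
                c["ts"][w[3]] = frozenset(w[4:])
            elif w[:3] == ["crypto", "ipsec", "profile"]:
                ctx = ("profile", w[3])
            elif w[0] == "interface" and w[1].lower().startswith("tunnel"):
                ctx = "tunnel"
        elif ctx == "ike":
            c["ike"][w[0]] = " ".join(w[1:])
        elif isinstance(ctx, tuple) and w[:2] == ["set", "transform-set"]:
            c["profile"][ctx[1]] = w[2]
        elif ctx == "tunnel" and w[:2] == ["ip", "address"]:
            c["tunnel"]["addr"] = ipaddress.ip_interface(f"{w[2]}/{w[3]}")
        elif ctx == "tunnel" and w[0] == "tunnel":  # source, destination, mode, protection
            c["tunnel"][w[1]] = " ".join(w[2:])
    return c


def effective_transform(c):
    """Transform set the tunnel really uses: tunnel protection -> profile -> set."""
    prot = c["tunnel"].get("protection", "")  # e.g. "ipsec profile VTI"
    return c["ts"].get(c["profile"].get(prot.split()[-1])) if prot else None


def check_pair(a, b):
    """Return the mismatches that would keep the VTI between a and b down."""
    out = []
    for k in ("encryption", "hash", "authentication", "group"):
        if a["ike"].get(k) != b["ike"].get(k):
            out.append(f"isakmp {k}: {a['ike'].get(k)!r} vs {b['ike'].get(k)!r}")
    if effective_transform(a) is None or effective_transform(a) != effective_transform(b):
        out.append("transform-set reached through the IPsec profile differs or is missing")
    for x, y in ((a, b), (b, a)):
        if x["tunnel"].get("destination") != y["tunnel"].get("source"):
            out.append(f"tunnel destination {x['tunnel'].get('destination')} is not the peer's source")
        if y["tunnel"].get("source") not in x["psk"]:
            out.append(f"no pre-shared key configured for peer {y['tunnel'].get('source')}")
        if x["tunnel"].get("mode") != "ipsec ipv4":
            out.append("tunnel mode must be 'ipsec ipv4' on both ends")
    ka, kb = a["psk"].get(b["tunnel"].get("source")), b["psk"].get(a["tunnel"].get("source"))
    if ka and kb and ka != kb:
        out.append("pre-shared keys differ")
    if a["tunnel"]["addr"].network != b["tunnel"]["addr"].network:
        out.append("tunnel interface addresses are not in one subnet")
    return out


def weak_settings(c):
    """Settings that interoperate fine but sit below current guidance (added check)."""
    out = []
    if c["ike"].get("group") in ("1", "2", "5"):
        out.append(f"DH group {c['ike']['group']} is weak; use group 14 or higher")
    if c["ike"].get("hash") in ("md5", "sha"):
        out.append(f"IKE hash {c['ike']['hash']} is MD5/SHA-1; use sha256 or stronger")
    if (effective_transform(c) or set()) & {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac"}:
        out.append("transform-set uses DES/3DES or MD5/SHA-1 integrity")
    for peer, key in c["psk"].items():
        if len(key) < 16:
            out.append(f"pre-shared key for {peer} is only {len(key)} characters")
    return out
```

Run it as `python3 vti_check.py` after adding `print(check_pair(parse(RTRA_CFG), parse(RTRB_CFG)))`; the two configs from the post produce no mismatches, while `weak_settings(parse(RTRA_CFG))` lists the DH group, the SHA-1 hash and integrity, and the short key. Change `group 2` to `group 5` on one side, or the key on one side, and `check_pair` names the exact parameter, which is the thing the crypto ACL dance makes hard to find by eye.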