Cisco IPSec VPN tunnels on Cisco IOS routers secures endpoints by forming a tunnel and encrypting the traffic within. Setting up these site to site VPNs can be cumbersome and often involves setting up complicated matching crypto maps on both end devices. Changing one end’s encryption domain requires a modifying ACLs on both ends of the tunnel.
GRE tunnels on the other hand doesn’t require that as all you need to do is point the routes to the GRE tunnel endpoints on both ends and traffic will magically route through. However the downside is GRE tunnel is not as secure and does not have encryption.
What if I tell you that you can combine the best of both worlds? Introducing Cisco VTI – Virtual tunnel interface with IPSEC encryption! Essentially much like the GRE tunnel, you can setup tunnel interfaces on your routers and have it encrypt with your favorite FIPS compliant encryption algorithm! Here’s how you do it:
Step1. Create a PHASE 1 isakmp policy on both ends and put in the remote router IP address along with the pre-shared secret key.
crypto isakmp policy 1 encr 3des authentication pre-share group 2 crypto isakmp key secretpassword address 172.16.1.2 no-xauth
Note: Disable isakmp phase one extended authentication (x-auth) when the same interface uses xauth for another VPN, ie (VPN clients which asks for username and passwords for secondary authentication)
Step2. Create a PHASE 2 ipsec profile and define the encryption parameters
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec profile P1 set transform-set ESP-3DES-SHA
Step3. Create a VTI on both ends and select the ipsec profile defined in the previous step
interface Tunnel0 ip address 10.0.0.1 255.255.255.252 tunnel source fastethernet 0/0 tunnel mode ipsec ipv4 tunnel destination 172.16.1.2 tunnel protection ipsec profile P1
Step4. Simply add a route for the destination you like to reach and a corresponding route other end to the tunnel interface and the router will automatically encrypt them!
ip route 192.168.2.0 255.255.255.0 tunnel 0
If you wish to create multiple tunnels, simply create another tunnel interface with a different ip subnet range and define a new isakmp key with a different address. If you want to create multiple tunnels with the same key simple use 0.0.0.0 0.0.0.0 as the address and it would accept phase1 negotiations from any source address.