Cisco IPSec VPN – IOS site-to-site Virtual Tunnel Interface VTI


Cisco IPsec VPN tunnels on Cisco IOS routers secure traffic between two endpoints by forming a tunnel and encrypting everything that passes through it. Setting up these site-to-site VPNs can be cumbersome and usually involves configuring complicated crypto maps that must match on both end devices. Changing the encryption domain on one end then requires modifying the ACLs on both ends of the tunnel.

GRE tunnels, on the other hand, don't require that: all you need to do is point the routes at the GRE tunnel interfaces on both ends and traffic routes through as if by magic. The downside is that a GRE tunnel is not as secure, because it provides no encryption.

What if I told you that you can combine the best of both worlds? Introducing the Cisco VTI, a virtual tunnel interface with IPsec encryption! Much like a GRE tunnel, you set up tunnel interfaces on your routers and have them encrypt the traffic with your favorite FIPS-compliant encryption algorithm. Here's how you do it:


Step1. Create a PHASE 1 ISAKMP policy on both ends and define the pre-shared key together with the remote router's IP address.

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2

crypto isakmp key secretpassword address 172.16.1.2 no-xauth

Note: no-xauth disables ISAKMP phase 1 extended authentication (xauth) for this peer. Use it when the same interface also serves a VPN that does use xauth, i.e. remote-access VPN clients that are asked for a username and password as secondary authentication.


Step2. Create a PHASE 2 IPsec profile and define the encryption parameters.

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec profile P1
 set transform-set ESP-3DES-SHA

Step3. Create a VTI on both ends and select the IPsec profile defined in the previous step.

interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source fastethernet 0/0
 tunnel mode ipsec ipv4
 tunnel destination 172.16.1.2
 tunnel protection ipsec profile P1

Step4. Simply add a route that points the destination you want to reach at the tunnel interface, add the corresponding route on the other end, and the router will automatically encrypt the traffic!

ip route 192.168.2.0 255.255.255.0 tunnel 0

Tip:
If you wish to create multiple tunnels, simply create another tunnel interface with a different IP subnet and define a new ISAKMP key for the new peer address. If you want multiple tunnels to share the same key, use 0.0.0.0 0.0.0.0 as the address and the router will accept phase 1 negotiations from any source address.
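As an added example (not from the original post), the following Python generates the mirrored IOS configuration for both routers from one description of each site and checks the pair for the mismatches that most often leave a VTI down. The site addresses, interface names and the Site, vti_config and check_pair names are assumptions; the post's 3DES and DH group 2 values are kept as defaults even though they are legacy choices on current IOS.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Site:
    wan_ip: str     # address the peer sees: tunnel source/destination and isakmp key address
    wan_if: str     # interface that carries wan_ip
    tunnel_ip: str  # VTI address in CIDR form, e.g. "10.0.0.1/30"
    lan: str        # network behind this site that the peer must route into the tunnel

def vti_config(local, remote, psk, tunnel_id=0, profile="P1",
               xset="ESP-3DES-SHA", encr="3des", group=2):
    """IOS commands for `local` that mirror the post's steps 1-4 towards `remote`."""
    tun = ipaddress.ip_interface(local.tunnel_ip)
    lan = ipaddress.ip_network(remote.lan)  # the static route points at the peer's LAN
    return [
        "crypto isakmp policy 1",
        f" encr {encr}",
        " authentication pre-share",
        f" group {group}",
        f"crypto isakmp key {psk} address {remote.wan_ip} no-xauth",
        f"crypto ipsec transform-set {xset} esp-{encr} esp-sha-hmac",
        f"crypto ipsec profile {profile}",
        f" set transform-set {xset}",
        f"interface Tunnel{tunnel_id}",
        f" ip address {tun.ip} {tun.netmask}",
        f" tunnel source {local.wan_if}",
        " tunnel mode ipsec ipv4",
        f" tunnel destination {remote.wan_ip}",
        f" tunnel protection ipsec profile {profile}",
        f"ip route {lan.network_address} {lan.netmask} Tunnel{tunnel_id}",
    ]

def check_pair(a, b):
    """Mismatches that break the tunnel or its routing; returns a list of findings."""
    ta, tb = ipaddress.ip_interface(a.tunnel_ip), ipaddress.ip_interface(b.tunnel_ip)
    la, lb = ipaddress.ip_network(a.lan), ipaddress.ip_network(b.lan)
    problems = []
    if ta.network != tb.network or ta.ip == tb.ip:
        problems.append("VTI addresses must be two distinct hosts of one subnet")
    if la.overlaps(lb):
        problems.append("LAN prefixes overlap, so the static routes are ambiguous")
    return problems

HQ = Site("172.16.1.1", "FastEthernet0/0", "10.0.0.1/30", "192.168.1.0/24")     # constructed sample
BRANCH = Site("172.16.1.2", "FastEthernet0/0", "10.0.0.2/30", "192.168.2.0/24")  # post's peer and LAN
if __name__ == "__main__":
    assert not check_pair(HQ, BRANCH), check_pair(HQ, BRANCH)
    for local, remote in ((HQ, BRANCH), (BRANCH, HQ)):
        print("\n".join(vti_config(local, remote, "secretpassword")))
```

Paste the first block printed onto the HQ router and the second onto the branch router; the only lines that differ between the two ends are the peer address, the VTI address and the static route.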

  • Germano

    Thanks for the information Alfred.
    Any idea on how to use a linux router as the endpoint for a VTI?

    • dead elk

      > Any idea on how to use a linux router as the endpoint for a VTI?

      tap-interface

  • Richard

    Hi, great post thanks for the info.
    I have set up a tunnel on my router, but seem to be having trouble with the last step relating to the routing table. When I add "ip route 192.168.100.0 255.255.255.0 Null0" the route gets added no problem at all. However, when I try to add "ip route 192.168.100.0 255.255.255.0 Tunnel 0" then no entry gets added to the table.

    The Tunnel 0 interface is currently in shutdown state, but I have taken it out of shutdown and also tried adding the route as "permanent" and still the entry does not show in the routing table.

    I'm obviously missing something here, but can't see what it is!
