Cisco IPSec VPN – IOS site-to-site Virtual Tunnel Interface VTI

Cisco IPSec VPN tunnels on Cisco IOS routers secures endpoints by forming a tunnel and encrypting the traffic within. Setting up these site to site VPNs can be cumbersome and often involves setting up complicated matching crypto maps on both end devices. Changing one end’s encryption domain requires a modifying ACLs on both ends of the tunnel.

GRE tunnels on the other hand doesn’t require that as all you need to do is point the routes to the GRE tunnel endpoints on both ends and traffic will magically route through. However the downside is GRE tunnel is not as secure and does not have encryption.

What if I tell you that you can combine the best of both worlds? Introducing Cisco VTI – Virtual tunnel interface with IPSEC encryption! Essentially much like the GRE tunnel, you can setup tunnel interfaces on your routers and have it encrypt with your favorite FIPS compliant encryption algorithm! Here’s how you do it:

Step1. Create a PHASE 1 isakmp policy on both ends and put in the remote router IP address along with the pre-shared secret key.

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2

crypto isakmp key secretpassword address no-xauth

Note: Disable isakmp phase one extended authentication (x-auth) when the same interface uses xauth for another VPN, ie (VPN clients which asks for username and passwords for secondary authentication)

Step2. Create a PHASE 2 ipsec profile and define the encryption parameters

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec profile P1
 set transform-set ESP-3DES-SHA

Step3. Create a VTI on both ends and select the ipsec profile defined in the previous step

interface Tunnel0
 ip address
 tunnel source fastethernet 0/0
 tunnel mode ipsec ipv4
 tunnel destination
 tunnel protection ipsec profile P1

Step4. Simply add a route for the destination you like to reach and a corresponding route other end to the tunnel interface and the router will automatically encrypt them!

ip route tunnel 0

If you wish to create multiple tunnels, simply create another tunnel interface with a different ip subnet range and define a new isakmp key with a different address. If you want to create multiple tunnels with the same key simple use as the address and it would accept phase1 negotiations from any source address.

Related Posts with Thumbnails

About the Author

Alfred Tong
Author and owner of this blog. A Networking enthusiast, full time networking and systems Engineer. Generally curious about all things IT.Certifications: GIAC GSEC, CCNP-S, CCNP, CCSP, CCDP, CCNA, RHCE, JNCIA - FWV