IPSEC VTI
IPSEC VTI stands for IPsec Virtual Tunnel Interface.
Besides the traditional IPsec configuration with a crypto map, VTI lets you terminate the IPsec tunnel on a routable interface. This is useful because the usual interface-level features can then be applied to the encrypted traffic, for example a service-policy.
For this example, I will use the previous topology with four routers (R1, R2, R3, R4): see the blog post below for a diagram.
I will implement an IPsec VTI tunnel between R2 and R4.
VTI is really simple to implement:
R4# show run int tun 11
Building configuration...
Current configuration : 179 bytes
!
interface Tunnel11
ip address 11.1.1.4 255.255.255.0
tunnel source Loopback0
tunnel mode ipsec ipv4
tunnel destination 2.2.2.2
tunnel protection ipsec profile PROFILE
end
R4#show run | sec crypto
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco address 0.0.0.0
crypto ipsec transform-set SET esp-3des esp-md5-hmac
mode tunnel
crypto ipsec profile PROFILE
set transform-set SET
R4#
And on R2:
R2#show run | sec crypto
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco address 0.0.0.0
crypto ipsec transform-set SET esp-3des esp-md5-hmac
mode tunnel
crypto ipsec profile PROFILE
set transform-set SET
R2#show run int tun 11
Building configuration...
Current configuration : 179 bytes
!
interface Tunnel11
ip address 11.1.1.2 255.255.255.0
tunnel source Loopback0
tunnel mode ipsec ipv4
tunnel destination 4.4.4.4
tunnel protection ipsec profile PROFILE
end
R2#
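As an added check (my own script, not part of the original post and not an IOS feature), here is a small Python audit that parses the running configurations shown above, verifies that each Tunnel interface is really an IPsec VTI protected by a defined profile, and flags the legacy choices in this lab configuration: 3DES, MD5, DH group 2, and a short pre-shared key bound to the wildcard address 0.0.0.0, which lets any peer that knows the key negotiate with the router. The thresholds (weak algorithm sets, minimum PSK length) and the hardened counterpart configuration are my assumptions about what I would deploy, not something the post shows.

```python
import re

# Constructed sample: the relevant lines of R4's running configuration, copied from the
# 'show run' output in the post (IOS indents sub-commands with one space).
R4_CONFIG = """\
interface Tunnel11
 ip address 11.1.1.4 255.255.255.0
 tunnel source Loopback0
 tunnel mode ipsec ipv4
 tunnel destination 2.2.2.2
 tunnel protection ipsec profile PROFILE
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0
crypto ipsec transform-set SET esp-3des esp-md5-hmac
 mode tunnel
crypto ipsec profile PROFILE
 set transform-set SET
"""

# Constructed hardened counterpart (assumption: not in the post). Same VTI, stronger IKEv1
# policy and ESP transforms, PSK bound to the one real peer. The PSK value is a placeholder.
HARDENED_CONFIG = """\
interface Tunnel11
 ip address 11.1.1.4 255.255.255.0
 tunnel source Loopback0
 tunnel mode ipsec ipv4
 tunnel destination 2.2.2.2
 tunnel protection ipsec profile PROFILE
!
crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-LONG-RANDOM-PSK address 2.2.2.2
crypto ipsec transform-set SET esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile PROFILE
 set transform-set SET
"""

WEAK_ISAKMP_ENCR = {"des", "3des"}
WEAK_ISAKMP_HASH = {"md5"}
WEAK_DH_GROUPS = {"1", "2", "5"}   # assumption: MODP groups below 2048 bits are flagged
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}
MIN_PSK_LEN = 16                   # assumption: local policy threshold

def parse_ios_sections(config):
    """Split IOS running-config text into (command, [sub-commands]) blocks."""
    sections = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" "):
            if sections:
                sections[-1][1].append(line.strip())
        else:
            sections.append((line.strip(), []))
    return sections

def audit_vti_config(config):
    """Return a list of findings; an empty list means nothing flagged under the rules above."""
    findings = []
    sections = parse_ios_sections(config)
    profiles = {h.split()[-1]: sub for h, sub in sections if h.startswith("crypto ipsec profile ")}
    tsets = {h.split()[3]: h.split()[4:] for h, _ in sections if h.startswith("crypto ipsec transform-set ")}

    # 1. Every Tunnel interface must be a protected VTI whose profile chains to strong transforms.
    for name, sub in sections:
        if not name.startswith("interface Tunnel"):
            continue
        if "tunnel mode ipsec ipv4" not in sub:
            findings.append(f"{name}: missing 'tunnel mode ipsec ipv4' (not an IPsec VTI)")
        prot = [s for s in sub if s.startswith("tunnel protection ipsec profile ")]
        if not prot:
            findings.append(f"{name}: no 'tunnel protection', traffic would leave in cleartext")
            continue
        pname = prot[0].split()[-1]
        if pname not in profiles:
            findings.append(f"{name}: profile {pname} is referenced but not defined")
            continue
        for s in profiles[pname]:
            if s.startswith("set transform-set "):
                for ts in s.split()[2:]:
                    for alg in tsets.get(ts, []):
                        if alg in WEAK_ESP:
                            findings.append(f"{name}: transform-set {ts} uses weak transform {alg}")

    # 2. IKEv1 (ISAKMP) policy and pre-shared key hygiene.
    for h, sub in sections:
        if h.startswith("crypto isakmp policy "):
            for s in sub:
                kw, _, val = s.partition(" ")
                if kw == "encr" and val.split()[0] in WEAK_ISAKMP_ENCR:
                    findings.append(f"{h}: weak encryption '{val}'")
                elif kw == "hash" and val in WEAK_ISAKMP_HASH:
                    findings.append(f"{h}: weak hash '{val}'")
                elif kw == "group" and val in WEAK_DH_GROUPS:
                    findings.append(f"{h}: weak DH group {val}")
        m = re.match(r"crypto isakmp key (\S+) address (\S+)", h)
        if m:
            key, peer = m.groups()
            if peer == "0.0.0.0":
                findings.append("isakmp key: wildcard peer 0.0.0.0, any host knowing the PSK can negotiate")
            if len(key) < MIN_PSK_LEN:
                findings.append(f"isakmp key: pre-shared key shorter than {MIN_PSK_LEN} characters")
    return findings

if __name__ == "__main__":
    for line in audit_vti_config(R4_CONFIG):
        print("R4:", line)
    print("hardened:", audit_vti_config(HARDENED_CONFIG) or "no findings")
```

Run against R4's lab configuration the script reports six findings (two ESP transforms, the ISAKMP cipher and DH group, the wildcard peer and the short key); against the hardened variant it reports none. R2's configuration is identical apart from the tunnel addresses and produces the same result.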
Once both tunnel interfaces are configured, the tunnel goes to up/up; while only one side is configured, its state is up/down.
We can then apply interface features such as a service-policy (among other things) to the tunnel:
R4(config)#int tun 11
R4(config-if)#service-policy output pm
R4#ping 11.1.1.2 rep 200
Type escape sequence to abort.
Sending 200, 100-byte ICMP Echos to 11.1.1.2, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (200/200), round-trip min/avg/max = 3/7/25 ms
R4#show policy-map interface tunnel 11
Tunnel11
Service-policy output: pm
Class-map: class-default (match-any)
200 packets, 20000 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: any
R4#