VTI-Based Site-to-Site IPsec VPN

VTI (Virtual Tunnel Interface)
Virtual tunnel interface is a full-featured routable interface, many of the common interface options that can be applied to physical interfaces can now be applied to the IPsec virtual tunnel interface. Using VTI in IPsec VPN makes the static mapping between the IPsec crypto map and physical interface no longer an requirement. Instead, we can associate the IPsec tunnel directly with the VTI.

VTI Benefits

  • Simplify configuration: When using the VTI IPsec configuration, fewer configuration lines are required because after the virtual tunnel interface is created and an IPsec profile is applied to it, the crypto maps are automatically generated for each tunnel. Thus configuring IPsec peering is much simpler when using virtual tunnel interfaces as compared to configuring IPsec peering with crypto maps or GRE/IPsec tunnels.
  • Better interoperation: An IPsec VTI (VTI-Based VPN)is a feature in Cisco IOS Software that is used to support IPsec VPNs. VTIs support native IPsec tunneling, including interoperability with standards-based IPsec implementations of other vendors.
  • Multicast support and better scalability: IPsec VTIs support multicast traffic such as voice and video,  IPsec VTIs require fewer SAs to support all types of traffic.
  • Dynamic Routing support: Like GRE/IPsec, VTIs support all types of IP routing protocols, which provides scalability and redundancy.

VTI limitations:

  • No multi-protocol support: The IPsec VTI is limited to only IP unicast and multicast traffic, while the GRE/IPsec tunnels support a much wider range of protocols and applications.
  • Stateful Failover not supported: Cisco IOS Software IPsec Stateful failover is not supported on VTIs, although other redundancy features, such as dynamic routing protocols, can be used as alternative failover methods.

General Deployment Guidelines

  • Static or dynamic VTI tunnels: Dynamic VTI tunnels should be for the hub in large hub-and-spoke implementations. Otherwise, static VTI tunnels are recommended.
  • Static or dynamic routing protocol over the VTI tunnels: Dynamic routing protocols should be used in large networks or to provide redundancy with multiple VTI tunnels. Otherwise, static routing over VTI tunnels is recommended.
  • Use VTI-based site-to-site VPNs as the default IPsec technology for individual point-to-point VPN links and for hub-and-spoke VPNs.
  • Consider deploying Dynamic Multipoint VPN (DMVPN) or Group Encrypted Transport (GET) VPN for larger environments with partial or fully meshed VPN requirements.

Deploying Static Point-to-Point IPsec VTI Tunnels

(Optional) Configuring Basic IKE Peering and IKE (ISAKMP) Policies: They are used to determine IKE authentication, IKE hash algorithm, IKE encryption, IKE key exchange(DH group number), IKE session lifetime. Note that Cisco IOS Software does not require that the IKE peers have matching IKE lifetime settings for a successful exchange. The IKE SA will establish by adjusting its IKE session lifetime to the shorter of the two settings.

Cisco IOS Software Release 12.4(20)T introduced default pre-shared key based IKE policies. There are eight default policies with priorities ranging from 65507 to 65514, with 65507 having the highest priority and 65514 having the lowest priority. So explicitly selecting an IKE (ISAKMP) policy on each peer is not necessary.

Router(config)# crypto isakmp policy 10
Router(config-isakmp)# authentication pre-share
Router(config-isakmp)# hash sha
Router(config-isakmp)# encryption
aes 128
Router(config-isakmp)# group 14
Router(config-isakmp)# lifetime 3600

Generate and Configure Authentication Credentials on Each Peer: Bind the pre-shared key to the tunnel destination IP address of each peer using the crypto isakmp key command.
Router(config)# crypto isakmp key xxxxx address

Verify local IKE policy: Use the show crypto isakmp policy command to display the parameters configured for each local IKE policy. Unless you have added custom IKE policies with the crypto isakmp policy command or have removed the default IKE policies with the no crypto isakmp default policy command, the default IKE policies will be displayed as the output of the show isakmp policy command.

Verify local IKE session: Use the show crypto isakmp sa command to display the current IKE Security Associations (SA) on the local router. The QM_IDLE status indicates successful establishment of the IKE SA, meaning that the ISAKMP process is idle after having successfully negotiated and established SAs.

Troubleshooting IKE Policy Negotiation: use debug crypto isakmp debugging command.

NOTE: With the Cisco IOS Software crypto map based system, the IPsec subsystem will request SAs to be established upon seeing interesting traffic that matches the crypto map. In a VTI-based IPsec VPN, IPsec requests SA establishment as soon as the virtual tunnel interface (VTI)s are fully configured. Static VTI tunnels are permanently established immediately after being configured and can be used to provision a limited number of site-to-site IPsec tunnels in either hub-and-spoke or meshed IPsec VPNs.

(Optional) Configuring an IPsec Transform Set: Default Cisco IOS Software IPsec Transform Sets: Cisco IOS Software Release 12.4(20)T introduced default IPsec transform sets If custom transform sets are not configured, IKE negotiation results in the use of ESP encapsulation, 3DES encryption, and SHA-1 HMAC for authentication/integrity.

imageOr you can create a customized transform-set using below command:
Router(config)# crypto ipsec transform-set TranSet-Name esp-aes 128 esp-sha-hmac

Configuring an IPsec Protection Profile:
Router(config)# crypto ipsec profile MYIPsecProfile
Router(ipsec-profile)# set transform-set AES128-SHA
Router(ipsec-profile)# end

  • IPsec transform set used in the protection policy: The default IPsec transform set will be used if a custom transform set has not been configured.
  • IPsec SA (session key) lifetimes: The default lifetime of 1 hour will be used if not configured differently.
  • Perfect Forward Secrecy (PFS): PFS will not be negotiated by default.

Configure IPsec VTI Tunnels: Terminating the VTI tunnel on a loopback interface will provide redundancy as opposed to when a physical interface is used. The choice to use a loopback to route
around a failed physical interface can provide resiliency to your VPN tunnel.
Router(config)# interface Tunnel0
Router(config-if)# ip unnumbered GigabitEthernet0/0  //or loopback interface or assign an IP address
Router(config-if)# tunnel source GigabitEthernet0/0
Router(config-if)# tunnel destination
Router(config-if)# end

Applying the IPsec Protection Profile to Tunnel Interface:
Router(config)# interface Tunnel0
Router(config-if)# tunnel mode ipsec ipv4
Router(config-if)# tunnel protection ipsec profile MYIPsecProfile
Router(config-if)# end

Deploying Dynamic Point-to-Point IPsec VTI Tunnels
With DVTIs, there is no requirement to statically map IPsec sessions to physical interfaces. Instead,
when spoke peers attempt to create VPN connections with the hub peer, virtual access interfaces (Dynamic VTI) are dynamically created based on the pre-configured virtual template, namely Virtual Template Interface.Virtual template interfaces are sets of common settings that contain the information needed to build the virtual access interfaces.
Using dynamic VTIs requires minimal configuration on the hub router to support a VPN with a large numbers of VTIs. When a spoke peer initiates a tunnel, the tunnel and dynamic VTI are created. On the spoke peer, use a static VTI to establish a tunnel with the hub peer.

Configuring IKE peering with pre-shared key key ring: create authentication pre-shared keys for remote peers and then group them into a named key ring using the crypto key ring global configuration command.
Crypto keyring NEWKEYRING
   Pre-shared-key address key ier58ewrui90aEEQEd0erq9u2i3j5p
   Pre-shared-key address key

Configure IPsec Protection Profile and optionally associate it with an customized IPsec Transform Set.
Router(config)# crypto ipsec profile MYIPsecProfile
Router(ipsec-profile)# set transform-set AES128-SHA
Router(ipsec-profile)# end

Configuring a Virtual Template Interface: use the interface Virtual-template1 type tunnel global configuration command being used to create a virtual template interface. The IP address of a virtual template interface must be configured using the ip unnumbered interface command.
Interface Virtual-template1 type tunnel
   Ip unnumbered GigabitEthernet0/0
   Tunnel mode ipsec ipv4
   Tunnel protection ipsec profile MYIPsecProfile

Configuring an ISAKMP Profile and map Remote Peers who are going to use DVTI
ISAKMP profiles, containing a set of match statements used to define a peer or set of peers, are created to identify the remote peers for whom the Dynamic VTI will be created based on the Virtual Template interfaces.