Cisco Blog: VPN Virtual Tunnel Interfaces
VPN Virtual Tunnel Interfaces
While doing a recent deployment, I ran across this concept. It's a slightly different way to configure VPNs on a Cisco router that (for me) is far less confusing and finicky. If you've ever configured VPNs using a PIX firewall or IOS router, you probably know of the pain associated with making sure your crypto map is correctly configured. There are SO MANY pieces of it, you're almost assured that something is not going to match between one side of the connection and the other (especially that "interesting traffic" ACL). That's where these IPSec Virtual Tunnel Interfaces come in. Check this out...
Instead of configuring crypto maps between your routers, you create virtual interfaces. So the VPN has it's own "point-to-point" style connection between sites. The best way to get this is to see a configuration example. I borrowed the syntax / graphic for this example from
Richard Deal's Complete Cisco VPN Configuration Guide by Cisco Press (awesome book, by the way).
RouterA Configuration:
RTRA(config)# crypto isakmp policy 10
RTRA(config-isakmp)# encryption aes 128
RTRA(config-isakmp)# hash sha
RTRA(config-isakmp)# authentication pre-share
RTRA(config-isakmp)# group 2
RTRA(config-isakmp)# exit
RTRA(config)# crypto isakmp key cisco123 address 193.1.1.1 255.255.255.255 no-xauth
RTRA(config)# crypto ipsec transform-set RTRtran esp-aes esp-sha-hmac
RTRA(cfg-crypto-trans)# exit
RTRA(config)# crypto ipsec profile VTI
RTRA(ipsec-profile)# set transform-set RTRtran
RTRA(ipsec-profile)# exit
RTRA(config)# interface tunnel 0
RTRA(config-if)# ip address 192.168.3.1 255.255.255.0
RTRA(config-if)# tunnel source 192.1.1.1
RTRA(config-if)# tunnel destination 193.1.1.1
RTRA(config-if)# tunnel mode ipsec ipv4
RTRA(config-if)# tunnel protection ipsec VTI
RTRA(config)# interface Ethernet0/0
RTRA(config-if)# ip address 192.1.1.1 255.255.255.0
RTRA(config-if)# exit
RTRA(config)# interface Ethernet 1/0
RTRA(config-if)# ip address 192.168.1.1 255.255.255.0
RTRA(config-if)# exit
RTRA(config)# ip route 192.168.2.0 255.255.255.0 tunnel0
RouterB Configuration:
RTRB(config)# crypto isakmp policy 10
RTRB(config-isakmp)# encryption aes 128
RTRB(config-isakmp)# hash sha
RTRB(config-isakmp)# authentication pre-share
RTRB(config-isakmp)# group 2
RTRB(config-isakmp)# exit
RTRB(config)# crypto isakmp key cisco123 address 192.1.1.1 255.255.255.255 no-xauth
RTRB(config)# crypto ipsec transform-set RTRtran esp-aes esp-sha-hmac
RTRB(cfg-crypto-trans)# exit
RTRB(config)# crypto ipsec profile VTI
RTRB(ipsec-profile)# set transform-set RTRtran
RTRB(ipsec-profile)# exit
RTRB(config)# interface tunnel 0
RTRB(config-if)# ip address 192.168.3.2 255.255.255.0
RTRB(config-if)# tunnel source 193.1.1.1
RTRB(config-if)# tunnel destination 192.1.1.1
RTRB(config-if)# tunnel mode ipsec ipv4
RTRB(config-if)# tunnel protection ipsec VTI
RTRB(config)# interface Ethernet0/0
RTRB(config-if)# ip address 193.1.1.1 255.255.255.0
RTRB(config-if)# exit
RTRB(config)# interface Ethernet 1/0
RTRB(config-if)# ip address 192.168.2.1 255.255.255.0
RTRB(config-if)# exit
RTRB(config)# ip route 192.168.1.0 255.255.255.0 tunnel0
The configuration is pretty straightforward, especially if you've configured GRE tunnels before. The difference is you use the "tunnel mode ipsec ipv4" command to notify the router that this is an IPSec-based interface rather than GRE and the "tunnel protection ipsec " command to choose the type of encryption (transform-set) for the interface.
The best part of the whole thing is NO CRYPTO MAPS!!! :) I love it - traffic is associated with a remote site using "ip route" static routes rather than mirrored ACLs. Awesome stuff!
