Friday, February 12, 2010

VPN using Virtual Tunnel Interface (VTI) with IP Security (IPSec)

I'm going to describe two different ways to configure IPsec VPNs. The first is the traditional crypto map; the second uses Virtual Tunnel Interfaces (VTI). VTI is the newer and, in practice, better way to design a VPN. The open question is whether it is compatible with non-Cisco devices.
There are several important advantages of VTI:
  • Ability to send multicast across the VPN;
  • Support for dynamic routing over the tunnel;
  • Ability to apply QoS to traffic going through the tunnel;
  • Easier Zone-Based Firewall (ZFW) configuration, because the Tunnel interface can be a member of any security zone, which gives simpler and more granular traffic inspection;
Configuration examples.
The first is a traditional crypto-map VPN:
=================================================
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
 lifetime 1800
crypto isakmp key 12345 address 55.104.78.135
!
crypto ipsec transform-set branch_transform esp-aes 256 esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to 55.104.78.135
 set peer 55.104.78.135
 set transform-set branch_transform
 match address 100
!
interface FastEthernet0/0
 ip address 95.104.78.135 255.255.255.0
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
=================================================
The second uses a VTI:
=================================================
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
! Wildcard address accepts this key from any peer; a per-peer address is tighter
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set S2S_TS esp-aes 256 esp-sha-hmac
!
crypto ipsec profile FOO_IPSEC_PROFILE
 set transform-set S2S_TS
!
!
interface Loopback1
 ip address 192.168.30.1 255.255.255.0
!
interface Tunnel1
 ip address 192.168.20.2 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 95.104.78.135
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FOO_IPSEC_PROFILE
!
interface FastEthernet0/0
 ip address 95.104.78.150 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.137.70 255.255.255.0
 duplex auto
 speed auto
=================================================

As with all other tunnels, it's important to keep an accurate routing table so that the interesting traffic is forwarded into the tunnel. With a VTI there is no crypto ACL: whatever is routed into the Tunnel interface gets encrypted.
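A matching configuration for the far end of the VTI tunnel (95.104.78.135), as an added example that is not part of the original post. It assumes the peer's LAN is simulated as Loopback1 192.168.40.0/24, binds the pre-shared key to the single expected peer instead of the wildcard address, and keeps the ISAKMP policy and transform set identical to the post's values, since both ends must match.

```cisco
! Far-end router (95.104.78.135); added example, not from the post.
! Assumption: remote LAN simulated as Loopback1 192.168.40.0/24.
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
! Key bound to the one expected peer rather than 0.0.0.0 0.0.0.0
crypto isakmp key cisco address 95.104.78.150
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set S2S_TS esp-aes 256 esp-sha-hmac
!
crypto ipsec profile FOO_IPSEC_PROFILE
 set transform-set S2S_TS
!
interface Loopback1
 ip address 192.168.40.1 255.255.255.0
!
interface Tunnel1
 ip address 192.168.20.1 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 95.104.78.150
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FOO_IPSEC_PROFILE
!
interface FastEthernet0/0
 ip address 95.104.78.135 255.255.255.0
!
! Route the post's LAN (Loopback1 192.168.30.0/24) into the VTI;
! no crypto ACL is needed, anything routed into Tunnel1 is encrypted.
ip route 192.168.30.0 255.255.255.0 Tunnel1
!
! The corresponding route on the router from the post would be:
! ip route 192.168.40.0 255.255.255.0 Tunnel1
```

After both routes are in place, "show crypto session detail" on either side should show the session UP-ACTIVE and "show ip route" should list the remote LAN via Tunnel1.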

Also, QoS can be applied to the tunnel interface (the VTI above is Tunnel1):
==================
policy-map FOO
 class class-default
  shape average 128000
!
interface Tunnel1
 service-policy output FOO
==================
Commands for verification:
  • show interfaces tunnel 1
  • show crypto session detail
  • show policy-map interface tunnel 1 (displays the QoS policy attached to the tunnel)
  • show ip route

2 comments:

  1. Hi,

    Any idea if we can create multiple tunnels to different destinations using the VTI method?

    Thank you

  2. Hello.
    Yes, we definitely can create multiple tunnels for use with different VPNs. Just make sure that your routing table is accurate and forwards packets to the right tunnel.
