
IPsec VPN With DVTI (Cisco EEzVPN)

8-May-2021 | Cisco, Security, VPN

IPsec VPN with DVTI Overview

IPsec VTI (Virtual Tunnel Interfaces)

  • IPsec deployment model that allows you to configure a virtual interface to which you can apply features
    • Features: NAT, ACLs, QoS, NetFlow, VRF, etc.
    • Features for clear-text packets are applied on the VTI
    • Features for encrypted packets are applied on the physical outside interface
  • There are 2 types of VTI interfaces:
    • Static VTI (SVTI): used for site-to-site IPsec VPN
    • Dynamic VTI (DVTI): mainly used for remote-access SSL/IPsec VPN


IPsec VPN with DVTI (Dynamic VTI)

  • A.k.a Enhanced EzVPN (EEzVPN)
  • Configure virtual-template on the head-end (as a Crypto listener)
  • Dynamically instantiated IPsec Virtual-Access interface (not configurable, cloned from virtual-template)
  • Created on an incoming IPsec tunnel request
  • Interface state tied to underlying crypto socket state (IPsec SA)
  • Can support multiple IPsec SAs per DVTI
    • While SVTI supports only a single IPsec SA per VTI (always “IP any any”)
  • DVTI uses auto-RRI to further simplify the routing configurations


DVTI Overview

DVTI benefits

  • Provides highly secure and scalable connectivity for remote-access VPN
    • Dynamic hub-and-spoke method for establishing IPsec VPN tunnels
    • Eliminates crypto maps, crypto ACLs, and GRE encapsulation (if used)
    • Requires minimal configuration, a single virtual template can be configured and cloned
  • Tunnel-specific features can be applied
    • NAT, ACLs, QoS, NetFlow, VRF, dynamic routing
  • Integrated with Cisco EEzVPN Solution
    • Support per-group and per-user attributes on EEzVPN servers
    • Enhanced EzVPN server: crypto isakmp profile, crypto ipsec profile, interface Virtual-Template1
    • Enhanced EzVPN remote: interface Virtual-Template1
    • Also integrated with Cisco VPN Client, and legacy EzVPN remote
  • DVTI can also be used in site-to-site scenarios
    • HUB is using DVTI, Spokes can be using SVTI or crypto map
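The three server-side building blocks listed above (crypto isakmp profile, crypto ipsec profile, interface Virtual-Template1) plus the remote side's Virtual-Template1, written out as an added IOS configuration example. This is not configuration from the original post; the interface names, addresses, pool, profile names, the group name REMOTE-USERS, the user vpnuser1 and the placeholder keys are all assumptions. Clear-text features (ACL, QoS, NetFlow, VRF) belong on the Virtual-Template, features for encrypted traffic on the physical outside interface.

```cisco
! ===== EEzVPN server (hub) using a Dynamic VTI =====
! Added example; every name, address and placeholder below is an assumption.
aaa new-model
aaa authentication login EZVPN-XAUTH local
aaa authorization network EZVPN-GROUP local
!
username vpnuser1 password 0 <USER-PASSWORD-PLACEHOLDER>
!
! Pool handed to remotes through mode-config
ip local pool EZVPN-POOL 10.10.10.1 10.10.10.254
!
! Address that the cloned Virtual-Access interfaces borrow
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
!
! IKEv1 phase-1 policy
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
! Group attributes pushed to every remote that authenticates with this group
crypto isakmp client configuration group REMOTE-USERS
 key <GROUP-PSK-PLACEHOLDER>
 pool EZVPN-POOL
 dns 10.0.0.53
!
! ISAKMP profile: the crypto listener that maps the group onto the template
crypto isakmp profile EZVPN-PROF
 match identity group REMOTE-USERS
 client authentication list EZVPN-XAUTH
 isakmp authorization list EZVPN-GROUP
 client configuration address respond
 virtual-template 1
!
crypto ipsec transform-set EZVPN-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile DVTI-PROF
 set transform-set EZVPN-TS
 set isakmp-profile EZVPN-PROF
!
! Every incoming tunnel request clones a Virtual-Access interface from this
! template. Features for clear-text packets (ACL, QoS, NetFlow, VRF) go here.
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile DVTI-PROF
!
! Physical outside interface: features for the encrypted packets go here
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
!
! ===== EEzVPN remote (spoke) with its own Virtual-Template1 =====
crypto ipsec client ezvpn EZ-REMOTE
 connect auto
 group REMOTE-USERS key <GROUP-PSK-PLACEHOLDER>
 mode client
 peer 203.0.113.1
 virtual-interface 1
 username vpnuser1 password <USER-PASSWORD-PLACEHOLDER>
 xauth userid mode local
!
interface Virtual-Template1 type tunnel
 no ip address
 tunnel mode ipsec ipv4
!
interface GigabitEthernet0/0
 ip address dhcp
 crypto ipsec client ezvpn EZ-REMOTE
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 crypto ipsec client ezvpn EZ-REMOTE inside
```

Once a remote connects, `show crypto session` on the hub shows the IKE/IPsec SAs, `show interface virtual-access 1` shows the cloned interface (its state follows the IPsec SA), and `show ip route static` shows the auto-RRI route that DVTI installs toward the remote's pool address.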


Per-User Attribute Support for EzVPN Servers

  • Local EzVPN AAA server
    • Applied at the group level or at the user level using the CLI
    • Example: attribute type inacl “per-group-acl” service ike protocol ip mandatory
  • Remote EzVPN AAA server
    • Applied using Cisco RADIUS AV pairs
    • Supported per-user attributes: inacl, interface-config, outacl, route, policy-route, prefix, …
    • Format: cisco-avpair= “<protocol:attribute> <sep> <value>”
    • Example: cisco-avpair = “ip:outacl#101=permit tcp any any established”
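The local-AAA variant of the per-group and per-user attributes above, as an added IOS example (not configuration from the original post). It attaches an inbound ACL at the group level through the EzVPN client configuration group and a second ACL at the user level through the local username; the ACL contents, list names, the group REMOTE-USERS, the pool and the user vpnuser1 are assumptions. The trailing comments show how the same group ACL would be expressed as Cisco RADIUS AV pairs, one pair per ACL line.

```cisco
! Added example; ACL names, list names, addresses and placeholders are assumptions.
! ACL for the whole group, applied inbound on each cloned Virtual-Access interface
ip access-list extended per-group-acl
 permit ip 10.10.10.0 0.0.0.255 10.0.0.0 0.0.0.255
 deny   ip any any
!
! Tighter ACL for one specific user
ip access-list extended per-user-acl
 permit tcp 10.10.10.0 0.0.0.255 host 10.0.0.10 eq 443
 deny   ip any any
!
! Attribute lists: inacl = ACL applied inbound, "mandatory" = tunnel fails if it cannot be applied
aaa attribute list PER-GROUP-LIST
 attribute type inacl "per-group-acl" service ike protocol ip mandatory
!
aaa attribute list PER-USER-LIST
 attribute type inacl "per-user-acl" service ike protocol ip mandatory
!
! Group level: the list is referenced from the EzVPN client configuration group
crypto isakmp client configuration group REMOTE-USERS
 key <GROUP-PSK-PLACEHOLDER>
 pool EZVPN-POOL
 crypto aaa attribute list PER-GROUP-LIST
!
! User level: the list is attached to the local username used for XAuth
username vpnuser1 password 0 <USER-PASSWORD-PLACEHOLDER>
username vpnuser1 aaa attribute list PER-USER-LIST
!
! Equivalent group ACL delivered by a remote RADIUS server (comments, not IOS
! commands): protocol "ip", attribute "inacl", "#n" numbers the ACL line,
! "=" marks the attribute as mandatory ("*" would mark it optional).
!   cisco-avpair = "ip:inacl#1=permit ip 10.10.10.0 0.0.0.255 10.0.0.0 0.0.0.255"
!   cisco-avpair = "ip:inacl#2=deny ip any any"
```

After a user connects, `show crypto session detail` and `show ip access-lists` on the hub show the dynamically applied ACL, which is the quickest way to confirm that the intended attribute (group or user) actually landed on the Virtual-Access interface.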
