
IPsec VPN With SVTI

by | 9-May-2021 | Cisco, Security, VPN

The Overview

What is IPsec VTI (Virtual Tunnel Interface)

  • 2 VTI variations
    • Static VTI (SVTI): a point-to-point tunnel with a fixed peer, used for site-to-site IPsec VPN
    • Dynamic VTI (DVTI): tunnel interfaces cloned from a virtual-template per peer, used on the hub/server side (remote-access IPsec VPN, or a hub terminating many spokes)
  • Tunnel interface with direct IPsec encapsulation
    • #tunnel mode ipsec <ipv4|ipv6>
    • On the wire the encapsulation is the same ESP tunnel mode a crypto map produces, but the VPN is represented by a tunnel interface
    • Routing protocols (including multicast-based ones such as OSPF and EIGRP) can run inside the tunnel interface, so remote prefixes are learned dynamically instead of being enumerated in a proxy ACL
    • Single protocol encapsulation: one passenger protocol per tunnel (IPv4 or IPv6, matching the tunnel mode); there is no GRE header, so non-IP traffic cannot be carried
  • Direct integration between IPsec VPN and tunnel interface
    • #crypto ipsec profile (…)
    • Interface state is tied to the underlying crypto socket state: line protocol comes up only once the IPsec SA is established, so a route pointing into the tunnel is withdrawn while the VPN is down
    • Replaces the crypto map configuration with a crypto ipsec profile
    • No proxy ACL or peer address to specify: the proxy identity is 0.0.0.0/0 in both directions and the peer is the tunnel destination
    • The crypto profile is applied on the tunnel interface (tunnel protection), not on the physical interface
    • Tunnel MTU is automatically adjusted for ESP overhead (1446 bytes for the DES/MD5 transform set used below)
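To make the MTU adjustment concrete, here is an added example that is not code from the original post: it computes the plaintext MTU a tunnel-mode ESP SA leaves for inner packets from the transform-set algorithms. The ESP field sizes are assumptions taken from RFC 4303 and the cipher/MAC specifications, and the cipher and integrity names follow the IOS transform-set keywords. For the esp-des/esp-md5-hmac set used in this post and a 1500-byte path MTU it returns 1446, the value that show crypto ipsec sa and show ip interface Tunnel24 report later in the post, and it shows why a 1447-byte packet with DF set no longer fits.

```python
"""Plaintext MTU of a tunnel-mode ESP SA for a given IOS transform set.

Added example, not code from the original post. It reproduces the
'plaintext mtu 1446' figure IOS reports for esp-des/esp-md5-hmac over a
1500-byte path MTU, and shows why a 1447-byte DF packet no longer fits.
Field sizes are assumptions taken from RFC 4303 and the cipher/MAC specs.
"""

# cipher keyword -> (IV length, cipher block size) in bytes
CIPHERS = {
    "esp-des": (8, 8),
    "esp-3des": (8, 8),
    "esp-aes": (16, 16),        # IOS spells AES-256 as 'esp-aes 256'; same sizes
    "esp-null": (0, 4),         # no IV; ESP still pads to 4-byte alignment
}
# integrity keyword -> ICV length in bytes (truncated HMAC)
INTEGRITY = {
    "esp-md5-hmac": 12,
    "esp-sha-hmac": 12,
    "esp-sha256-hmac": 16,
}
OUTER_IPV4 = 20   # outer IP header added in tunnel mode
ESP_HEADER = 8    # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)


def esp_overhead(cipher, integrity, plaintext_len, outer_ip=OUTER_IPV4):
    """Bytes ESP tunnel mode adds to an inner packet of plaintext_len bytes."""
    iv_len, block = CIPHERS[cipher]
    # plaintext + trailer is padded up to a whole number of cipher blocks
    padded = -(-(plaintext_len + ESP_TRAILER) // block) * block
    pad = padded - plaintext_len - ESP_TRAILER
    return outer_ip + ESP_HEADER + iv_len + pad + ESP_TRAILER + INTEGRITY[integrity]


def plaintext_mtu(cipher, integrity, path_mtu=1500, outer_ip=OUTER_IPV4):
    """Largest inner packet that still fits path_mtu after encapsulation."""
    iv_len, block = CIPHERS[cipher]
    # bytes left for (plaintext + trailer), rounded down to a block boundary
    room = path_mtu - outer_ip - ESP_HEADER - iv_len - INTEGRITY[integrity]
    return (room // block) * block - ESP_TRAILER


def fits(cipher, integrity, plaintext_len, path_mtu=1500):
    """True when the encapsulated packet is at most path_mtu (no fragmentation needed)."""
    return plaintext_len + esp_overhead(cipher, integrity, plaintext_len) <= path_mtu


if __name__ == "__main__":
    # the transform set used in this post: esp-des esp-md5-hmac, path MTU 1500
    print("plaintext mtu:", plaintext_mtu("esp-des", "esp-md5-hmac"))
    for size in (1446, 1447):
        ok = fits("esp-des", "esp-md5-hmac", size)
        print(size, "bytes with DF:", "ok" if ok else "dropped")
    print("esp-aes esp-sha-hmac would give:", plaintext_mtu("esp-aes", "esp-sha-hmac"))
```

The rounding is the whole point: the IOS figure is not simply 1500 minus a fixed overhead, it is the largest inner size for which plaintext plus the 2-byte trailer is still a multiple of the cipher block. A 1446-byte packet needs no padding and encapsulates to 1496 bytes, while 1447 bytes needs 7 bytes of padding and would leave the interface at 1504 bytes. Compare the value the function returns for your own transform set with the plaintext mtu line of show crypto ipsec sa.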

IPsec VPN “Tunnel Mode” with SVTI example

!! R2 !!

! Routing
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 10.0.12.1
ip route 10.0.47.0 255.255.255.0 Tunnel24 172.16.24.4

! Tunnel Interface
interface Tunnel24
 ip address 172.16.24.2 255.255.255.0
 tunnel source 2.2.2.2
 tunnel destination 4.4.4.4
 tunnel mode ipsec ipv4

! Crypto endpoint authentication
crypto isakmp key ISAKMP_SECRET address 4.4.4.4

! ISAKMP/IKE Phase 1 security parameters
crypto isakmp policy 10
 encryption des
 hash md5
 authentication pre-share
 group 2

! ISAKMP/IKE Phase 2 security parameters
crypto ipsec transform-set XF esp-des esp-md5-hmac
 mode tunnel

! Crypto profile parameters
crypto ipsec profile IPSEC_PROFILE
 set transform-set XF
 set pfs group2

! Apply crypto profile
interface Tunnel24
 tunnel protection ipsec profile IPSEC_PROFILE

!! R4 !!

! Routing
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 10.0.34.3
ip route 10.0.26.0 255.255.255.0 Tunnel24 172.16.24.2

! Tunnel Interface
interface Tunnel24
 ip address 172.16.24.4 255.255.255.0
 tunnel source 4.4.4.4
 tunnel destination 2.2.2.2
 tunnel mode ipsec ipv4

! Crypto endpoint authentication
crypto isakmp key ISAKMP_SECRET address 2.2.2.2

! ISAKMP/IKE Phase 1 security parameters
crypto isakmp policy 10
 encryption des
 hash md5
 authentication pre-share
 group 2

! ISAKMP/IKE Phase 2 security parameters
crypto ipsec transform-set XF esp-des esp-md5-hmac
 mode tunnel

! Crypto profile parameters
crypto ipsec profile IPSEC_PROFILE
 set transform-set XF
 set pfs group2

! Apply crypto profile
interface Tunnel24
 tunnel protection ipsec profile IPSEC_PROFILE

A note on the algorithms: des, md5, group 2, esp-des, esp-md5-hmac and pfs group2 are used here only so that the example runs on old lab images. They are weak by current standards (single DES is brute-forceable, MD5 is broken, and 1024-bit DH is below the accepted minimum), and Cisco's Next Generation Encryption guidance lists them as algorithms to avoid. In production use at least encryption aes 256, hash sha256 and group 14 (or an ECDH group such as group 19) in the ISAKMP policy, esp-aes 256 esp-sha256-hmac in the transform set and set pfs group14 in the profile, or move to IKEv2. Keep the pre-shared key bound to the peer address as it is here rather than using a 0.0.0.0 wildcard key, and treat ISAKMP_SECRET as a placeholder for a long random secret.
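Before relying on the tunnel it is worth checking the configuration the way a reviewer would. The following is an added example, not code from the original post: a small Python audit that parses running-config style text and flags both wiring errors (a tunnel without tunnel mode ipsec or tunnel protection, a profile or transform set that is referenced but not defined, a tunnel destination with no pre-shared key) and the weak algorithms just discussed. R2_CONFIG is R2's configuration from this post re-typed with the one-space sub-command indentation IOS uses in show running-config; HARDENED_CONFIG is a constructed variant with modern algorithms. Which algorithms count as weak is an assumption of this example, not an IOS rule.

```python
"""Static checks for a Cisco IOS SVTI (tunnel mode ipsec) configuration.

Added example, not code from the original post. It reads running-config
style text (sub-commands indented by one space, as IOS prints them) and
reports wiring mistakes that leave the tunnel down or unprotected as well
as weak IKEv1/IPsec algorithms. R2_CONFIG is R2's configuration from this
post; HARDENED_CONFIG is a constructed variant with modern algorithms.
"""
import re

# Algorithm choices flagged as weak (assumed policy: anything below AES,
# SHA-2 and a 2048-bit DH group, in line with current vendor guidance).
WEAK_IKE = {"encryption des", "encryption 3des", "hash md5",
            "group 1", "group 2", "group 5"}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac"}
WEAK_PFS = {"group1", "group2", "group5"}

R2_CONFIG = """\
crypto isakmp policy 10
 encryption des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ISAKMP_SECRET address 4.4.4.4
crypto ipsec transform-set XF esp-des esp-md5-hmac
 mode tunnel
crypto ipsec profile IPSEC_PROFILE
 set transform-set XF
 set pfs group2
interface Tunnel24
 ip address 172.16.24.2 255.255.255.0
 tunnel source 2.2.2.2
 tunnel destination 4.4.4.4
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROFILE
"""

HARDENED_CONFIG = """\
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key ISAKMP_SECRET address 4.4.4.4
crypto ipsec transform-set XF esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile IPSEC_PROFILE
 set transform-set XF
 set pfs group14
interface Tunnel24
 ip address 172.16.24.2 255.255.255.0
 tunnel source 2.2.2.2
 tunnel destination 4.4.4.4
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROFILE
"""


def parse_sections(config):
    """Return [(top-level command, [sub-commands])] in file order; '!' lines are skipped."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and sections:      # indented: belongs to current section
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit_svti(config):
    """Return a list of findings; an empty list means the SVTI config looks sound."""
    findings = []
    sections = parse_sections(config)
    profiles = {h.split()[-1]: body for h, body in sections
                if h.startswith("crypto ipsec profile ")}
    transform_sets = {h.split()[3]: h.split()[4:] for h, _ in sections
                      if h.startswith("crypto ipsec transform-set ")}
    psk_peers = set()
    for h, _ in sections:
        m = re.match(r"crypto isakmp key \S+ address (\S+)", h)
        if m:
            psk_peers.add(m.group(1))

    for h, body in sections:                       # IKEv1 phase 1 policy
        if h.startswith("crypto isakmp policy "):
            findings += [f"{h}: weak setting '{c}'" for c in body if c in WEAK_IKE]
    for name, algs in transform_sets.items():      # IPsec phase 2 transform set
        findings += [f"transform-set {name}: weak algorithm '{a}'" for a in algs if a in WEAK_ESP]
    for name, body in profiles.items():            # profile: PFS and transform-set reference
        pfs = [c.split()[-1] for c in body if c.startswith("set pfs ")]
        if not pfs:
            findings.append(f"profile {name}: PFS not enabled")
        elif pfs[0] in WEAK_PFS:
            findings.append(f"profile {name}: weak PFS group '{pfs[0]}'")
        for c in body:
            if c.startswith("set transform-set "):
                findings += [f"profile {name}: transform-set '{t}' not defined"
                             for t in c.split()[2:] if t not in transform_sets]
    for h, body in sections:                       # tunnel interface wiring
        if not h.startswith("interface Tunnel"):
            continue
        dest = next((c.split()[-1] for c in body if c.startswith("tunnel destination ")), None)
        prot = next((c.split()[-1] for c in body
                     if c.startswith("tunnel protection ipsec profile ")), None)
        if not any(c.startswith("tunnel mode ipsec") for c in body):
            findings.append(f"{h}: no 'tunnel mode ipsec', this is not a VTI")
        if prot is None:
            findings.append(f"{h}: no tunnel protection, interface stays down")
        elif prot not in profiles:
            findings.append(f"{h}: profile '{prot}' not defined")
        if dest and dest not in psk_peers and "0.0.0.0" not in psk_peers:
            findings.append(f"{h}: no pre-shared key for peer {dest}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("R2 as posted", R2_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label + ":", "\n  ".join([""] + audit_svti(cfg)) or " no findings")
```

Run against R2's configuration the audit reports no wiring problems and six weak-algorithm findings (DES, MD5 and group 2 in the ISAKMP policy, esp-des and esp-md5-hmac in the transform set, group2 for PFS); against the hardened variant it reports nothing. Deleting the tunnel protection line or changing the pre-shared key's address produces a wiring finding, which is the kind of mistake that otherwise only shows up as a tunnel interface that never comes up.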

Verification

!! R2 !!

! Reset security association
clear crypto sa
clear crypto isakmp

! ISAKMP SA
R2#show crypto isakmp sa
dst             src             state          conn-id status
2.2.2.2         4.4.4.4         QM_IDLE           1004 ACTIVE

! IPsec SA
R2#show crypto ipsec sa
interface: Tunnel24
Crypto map tag: Tunnel24-head-0, local addr 2.2.2.2
local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 4.4.4.4 port 500
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
local crypto endpt.: 2.2.2.2, remote crypto endpt.: 4.4.4.4
plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
PFS (Y/N): Y, DH group: group2
inbound esp sas:
spi: 0x169F8F12(379555602)
in use settings ={Tunnel, }
Status: ACTIVE(ACTIVE)
outbound esp sas:
spi: 0x67172F11(1729572625)
in use settings ={Tunnel, }
Status: ACTIVE(ACTIVE)

! Crypto Engine Connections
R2#show crypto engine connection active
  ID  Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address
   9  IPsec   DES+MD5                   0        4        4 2.2.2.2
  10  IPsec   DES+MD5                   4        0        0 2.2.2.2
1004  IKE     MD5+DES                   0        0        0 2.2.2.2

! Auto IP MTU
R2#ping 172.16.24.4 size 1446 df-bit
Sending 5, 1446-byte ICMP Echos to 172.16.24.4, timeout is 2 seconds:
!!!!!
R2#ping 172.16.24.4 size 1447 df-bit
Sending 5, 1447-byte ICMP Echos to 172.16.24.4, timeout is 2 seconds:
.....
R2#show ip interface Tunnel24 | include MTU
MTU is 1446 bytes

The 1446-byte figure is the 1500-byte path MTU minus the worst-case ESP tunnel-mode overhead of this transform set, and the tunnel interface inherits it: a 1446-byte IP packet with DF set goes through, a 1447-byte one is rejected at the tunnel instead of being fragmented after encryption.

!! R4 !!

! Reset security association
clear crypto sa
clear crypto isakmp

! ISAKMP SA
R4#show crypto isakmp sa
dst             src             state          conn-id status
2.2.2.2         4.4.4.4         QM_IDLE           1004 ACTIVE

! IPsec SA
R4#show crypto ipsec sa
interface: Tunnel24
Crypto map tag: Tunnel24-head-0, local addr 4.4.4.4
local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 2.2.2.2 port 500
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
local crypto endpt.: 4.4.4.4, remote crypto endpt.: 2.2.2.2
plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
PFS (Y/N): Y, DH group: group2
inbound esp sas:
spi: 0x67172F11(1729572625)
in use settings ={Tunnel, }
Status: ACTIVE(ACTIVE)
outbound esp sas:
spi: 0x169F8F12(379555602)
in use settings ={Tunnel, }
Status: ACTIVE(ACTIVE)

! Crypto Engine Connections
R4#show crypto engine connection active
  ID  Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address
   9  IPsec   DES+MD5                   0        4        4 4.4.4.4
  10  IPsec   DES+MD5                   4        0        0 4.4.4.4
1004  IKE     MD5+DES                   0        0        0 4.4.4.4

Two things to check across the pair: the SPIs are mirrored (R2's inbound SPI 0x169F8F12 is R4's outbound SPI and vice versa), and the local/remote identities are 0.0.0.0/0 in both directions, which is what lets routing into Tunnel24, rather than a crypto ACL, decide which traffic is encrypted. Encaps and decaps counters that advance on both routers confirm traffic is flowing both ways.
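Reading these outputs by hand is fine for two routers; for more than that the checks should be scripted. The following is an added example, not code from the original post: it parses show crypto isakmp sa and show crypto ipsec sa text and reports the checks a practitioner runs on every SVTI, an ACTIVE QM_IDLE ISAKMP SA with the tunnel peer, both ESP SAs ACTIVE, traffic flowing in both directions (encaps without decaps is the classic symptom of the far end not routing return traffic into the tunnel), and PFS on. The sample text is R2's output from above, re-typed; the output layout is assumed to be the IOS format shown on this page, with one ESP SA per direction.

```python
"""Health checks for an IOS SVTI from 'show crypto isakmp sa' / 'show crypto ipsec sa'.

Added example, not code from the original post. The sample outputs below are
R2's from this post, re-typed; the parser assumes the IOS output layout shown
on this page (one ESP SA per direction).
"""
import re

ISAKMP_SA = """\
dst             src             state          conn-id status
2.2.2.2         4.4.4.4         QM_IDLE           1004 ACTIVE
"""

IPSEC_SA = """\
interface: Tunnel24
Crypto map tag: Tunnel24-head-0, local addr 2.2.2.2
local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 4.4.4.4 port 500
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
local crypto endpt.: 2.2.2.2, remote crypto endpt.: 4.4.4.4
plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
PFS (Y/N): Y, DH group: group2
inbound esp sas:
spi: 0x169F8F12(379555602)
in use settings ={Tunnel, }
Status: ACTIVE(ACTIVE)
outbound esp sas:
spi: 0x67172F11(1729572625)
in use settings ={Tunnel, }
Status: ACTIVE(ACTIVE)
"""


def parse_isakmp_sa(text):
    """Rows of 'show crypto isakmp sa' as dicts; header and banner lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"\s*(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)", line)
        if m:
            rows.append(dict(zip(("dst", "src", "state", "conn_id", "status"), m.groups())))
    return rows


def parse_ipsec_sa(text):
    """Parse 'show crypto ipsec sa' into {interface: {peer, encaps, decaps, esp, ...}}."""
    out, cur, direction = {}, None, None
    fields = (("peer", r"current_peer (\S+)"), ("encaps", r"#pkts encaps: (\d+)"),
              ("decaps", r"#pkts decaps: (\d+)"), ("plaintext_mtu", r"plaintext mtu (\d+)"))
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("interface: "):
            cur, direction = out.setdefault(s.split()[1], {"esp": {}}), None
            continue
        if cur is None:
            continue
        for key, pat in fields:
            m = re.search(pat, s)
            if m:
                cur[key] = int(m.group(1)) if m.group(1).isdigit() else m.group(1)
        m = re.search(r"PFS \(Y/N\): (\w), DH group: (\S+)", s)
        if m:
            cur["pfs"], cur["dh_group"] = m.group(1) == "Y", m.group(2)
        if s.endswith(" sas:"):                    # 'inbound esp sas:', 'outbound ah sas:', ...
            direction = s.split()[0] if " esp " in s else None
            if direction:
                cur["esp"].setdefault(direction, {})
        elif direction:
            m = re.search(r"spi: (0x[0-9A-Fa-f]+)", s)
            if m:
                cur["esp"][direction]["spi"] = m.group(1)
            m = re.search(r"Status: (\w+)", s)
            if m:
                cur["esp"][direction]["status"] = m.group(1)
    return out


def check_tunnel(isakmp_text, ipsec_text, interface):
    """Return a list of problems for one VTI; an empty list means it looks healthy."""
    sa = parse_ipsec_sa(ipsec_text).get(interface)
    if sa is None:
        return [f"{interface}: no IPsec SA entry (no tunnel protection, or SA never negotiated)"]
    peer = sa.get("peer")
    problems = []
    if not any(peer in (r["dst"], r["src"]) and r["state"] == "QM_IDLE" and r["status"] == "ACTIVE"
               for r in parse_isakmp_sa(isakmp_text)):
        problems.append(f"{interface}: no ACTIVE QM_IDLE ISAKMP SA with {peer} "
                        "(phase 1 failed: pre-shared key, policy mismatch or reachability)")
    for d in ("inbound", "outbound"):
        if sa["esp"].get(d, {}).get("status") != "ACTIVE":
            problems.append(f"{interface}: {d} ESP SA not ACTIVE")
    enc, dec = sa.get("encaps", 0), sa.get("decaps", 0)
    if enc and not dec:
        problems.append(f"{interface}: {enc} packets encrypted but none decrypted, one-way traffic; "
                        "check that the peer routes return traffic into the tunnel")
    if dec and not enc:
        problems.append(f"{interface}: {dec} packets decrypted but none encrypted, one-way traffic; "
                        "check the local route into the tunnel")
    if not sa.get("pfs"):
        problems.append(f"{interface}: PFS disabled")
    return problems


if __name__ == "__main__":
    print("healthy:", check_tunnel(ISAKMP_SA, IPSEC_SA, "Tunnel24") or "ok")
    one_way = IPSEC_SA.replace("#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4",
                               "#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0")
    print("one-way:", check_tunnel(ISAKMP_SA, one_way, "Tunnel24"))
```

For the outputs on this page check_tunnel returns an empty list. Zeroing the decaps counters reproduces the one-way case, and replacing QM_IDLE with MM_NO_STATE reproduces a phase 1 failure; the counters are cumulative, so for a live check take two readings a few seconds apart and compare the deltas rather than the absolute values.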
