Starting in version 12.3T (which is some time ago), Cisco started offering an alternative for configuring IOS based VPN’s. This method is called SVTI, or static virtual tunnel interfaces. SVTI is one category of VTI that is basically a configuration alternative for Lan to Lan VPNs. There is also a variant called DVTI, or dynamic virtual tunnel interface, that is a alternative for remote access VPNs. From the perspective of the wire, SVTI based VPN packets look similar to traditional “crypto-map” based VPN traffic. However, the configuration is based on a virtual interface as opposed to using crypto map based configuration. This virtual interface gives some distinct advantages. Additionally, the use of this configuration modifies the phase 2 sa’s to match all traffic. Any traffic steered through this virtual interface is encrypted based on an encryption profile.Before we get into the specific advantages, let’s first look at a VTI configuration example. I created a very simple example in GNS3 that demonstrates the syntax of the configuration.
In this example, traffic sent between the loopbacks will be encrypted and tunnelled between the tunnel interfaces. Here is the relevant configuration.
//R1 Configuration interface Serial0/0 ip address 220.127.116.11 255.255.255.0 interface Loopback1 ip address 192.168.1.1 255.255.255.0 //VPN Phase 1 crypto isakmp policy 1 encr 3des authentication pre-share group 2 crypto isakmp key Cisco12345 address 18.104.22.168 //Phase 2 Transform Set crypto ipsec transform-set MyTunnel esp-3des esp-sha-hmac //IPSec Profile crypto ipsec profile MyProf set transform-set MyTunnel //Tunnel Interface interface Tunnel0 ip address 10.0.0.1 255.255.255.0 tunnel source 22.214.171.124 tunnel destination 126.96.36.199 tunnel mode ipsec ipv4 tunnel protection ipsec profile MyProf //Routing Protocol--Yep it will work on this type of IPSec deployment router eigrp 1 network 10.0.0.0 network 192.168.1.0 //R2 Configuration interface Serial0/0 ip address 188.8.131.52 255.255.255.0 interface Loopback1 ip address 192.168.2.2 255.255.255.0 //VPN Phase 1 crypto isakmp policy 1 encr 3des authentication pre-share group 2 crypto isakmp key Cisco12345 address 184.108.40.206 //Phase 2 Transform Set crypto ipsec transform-set MyTunnel esp-3des esp-sha-hmac //IPSec Profile crypto ipsec profile MyProf set transform-set MyTunnel //Tunnel Interface interface Tunnel0 ip address 10.0.0.2 255.255.255.0 tunnel source 220.127.116.11 tunnel destination 18.104.22.168 tunnel mode ipsec ipv4 tunnel protection ipsec profile MyProf //Routing Protocol router eigrp 1 network 10.0.0.0 network 192.168.2.0
So what are the advantages of this type of configuration? To address this question, we need to consider two possible alternative configurations. The first would be using a traditional crypto-map based configuration. In comparison, the SVTI configuration offers a virtual interface. This is really a convenient and natural place to configure things like ACL’s and other interface specific options. It also gives us the ability to do NAT in a less complex manner. Another major benefit is the ability to send multicast traffic. This ability to use dynamic routing protocols is a serious limitation in traditional IPSec configurations. From the wire, everything still appears to be ESP (protocol 50) packets and there is no additional packet overhead when compared to crypto-map based configurations.
Another configuration that SVTI’s should be compared to is GRE based tunnels. GRE tunnels can be configured with the same connection protection and basically the same advantages. Unlike VTI, GRE can additionally handle non IP traffic. The only disadvantage to GRE is an additional header. This results in larger packets and can minimally increase the bandwidth requirements. Although changing the IPSec to operate in achieve“transport” mode can minimize the effect, the packets will still be slightly larger than crypto-map or VTI based configurations.
In summary, VTI is really cool for a few reasons. It gives us a simpler and more understandable configuration syntax. It simplifies NAT, ACLs and other interface specific configurations. Additionally, the ability to carry dynamic routing protocols is often a required feature. The main disadvantage to VTI is its lack of support. Currently it is supported on Cisco IOS based devices. So for those of us that love the ASA, we can only wait and hope that this support will someday be added.