IPSec VPN Dynamic VTI Configuration with IKEv1 and IKEv2
Table of Contents
- What is IPSec Dynamic VTI?
- IPSec Dynamic VTI IKEv1 configuration
- IPSec Dynamic VTI IKEv2 configuration
- Download section
What is IPSec Dynamic VTI?
Dynamic VTI (DVTI) is a mechanism that creates Virtual-Access interfaces on demand for tunnel termination. Each Virtual-Access interface inherits (clones) its configuration from a Virtual-Template interface, so a single Virtual-Template on a router is enough to spawn one tunnel interface per peer, however many peers connect.
DVTI conserves IP addresses because the Virtual-Template is normally "ip unnumbered" to a single Loopback, and every cloned Virtual-Access interface borrows that one address. It also keeps the configuration small: adding a spoke requires no per-peer tunnel interface on the hub. FlexVPN builds on DVTI, including for its on-demand spoke-to-spoke tunnels.
IPSec Dynamic VTI IKEv1 configuration
In this hub-and-spoke topology, three sites are connected with point-to-point IPSec tunnels using IKEv1. R1, the hub, terminates the tunnels on a Dynamic Virtual Tunnel Interface (DVTI): a Virtual-Template interface that borrows the IP address of Loopback10 (ip unnumbered) and is bound to the ISAKMP profile with the virtual-template command.
When a spoke (R2 or R3) initiates IKE and its identity matches the ISAKMP profile, R1 clones a Virtual-Access interface from the template and terminates the tunnel on it. The spokes use static tunnel interfaces (SVTI) with a fixed tunnel destination. The tunnel interfaces keep the IOS default GRE/IP encapsulation, so what IPSec protects is GRE (IP protocol 47) between the two public addresses, in transport mode; this is why the IPSEC FLOW lines in the verification output read "permit 47". OSPF runs across the tunnels to exchange the site prefixes.
Two details of the crypto configuration below deserve attention before it is reused. The transform set is esp-aes alone, which encrypts ESP without any integrity algorithm; add esp-sha256-hmac or use an AEAD transform. And isakmp policy 2 sets only the authentication method, so encryption, hash and DH group fall back to the platform defaults (DES, SHA-1 and group 1 on most IOS releases; confirm with show crypto isakmp policy). The same pre-shared key is also used for both spokes.
Configuration:
R1
R1#show run int Virtual-Template 10 | sec int
interface Virtual-Template10 type tunnel
 description ** Dynamic VTI IPsec tunnel **
 ip unnumbered Loopback10
 tunnel source GigabitEthernet0/1
 tunnel protection ipsec profile IPSEC-PROFILE

R1#show run int Lo10 | sec int
interface Loopback10
 ip address 172.16.1.1 255.255.255.255

R1#show run int Gi0/1 | sec int
interface GigabitEthernet0/1
 description ** to public network **
 ip address 10.1.0.1 255.255.255.252
 duplex auto
 speed auto
 media-type rj45

R1#show run int Gi0/0 | sec int
interface GigabitEthernet0/0
 description ** to Host1 **
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45

R1#show run | sec ^crypto
crypto keyring CRYPTO-KEYRING
  pre-shared-key address 10.2.0.1 key p4ssw0rd.123
  pre-shared-key address 10.3.0.1 key p4ssw0rd.123
crypto isakmp policy 2
 authentication pre-share
crypto isakmp profile ISAKMP-PROFILE
   keyring CRYPTO-KEYRING
   match identity address 10.2.0.1 255.255.255.255
   match identity address 10.3.0.1 255.255.255.255
   virtual-template 10
crypto ipsec transform-set CRYPTO-TRANSFORM esp-aes
 mode transport
crypto ipsec profile IPSEC-PROFILE
 set transform-set CRYPTO-TRANSFORM
 set isakmp-profile ISAKMP-PROFILE

R1#show run | sec ^router
router ospf 10
 router-id 1.1.1.1
 network 172.16.1.0 0.0.0.255 area 0
 network 192.168.1.0 0.0.0.255 area 0

R1#show run | sec ^ip route
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 10.1.0.2
R2
R2#show run int Tu10 | sec int
interface Tunnel10
 description ** Static VTI IPSec tunnel **
 ip address 172.16.1.2 255.255.255.255
 tunnel source GigabitEthernet0/1
 tunnel destination 10.1.0.1
 tunnel protection ipsec profile IPSEC-PROFILE

R2#show run int Gi0/1 | sec int
interface GigabitEthernet0/1
 description ** to public network **
 ip address 10.2.0.1 255.255.255.252
 duplex auto
 speed auto
 media-type rj45

R2#show run int Gi0/0 | sec int
interface GigabitEthernet0/0
 description ** to Host2 **
 ip address 192.168.2.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45

R2#show run | sec ^crypto
crypto keyring CRYPTO-KEYRING
  pre-shared-key address 10.1.0.1 key p4ssw0rd.123
crypto isakmp policy 2
 authentication pre-share
crypto isakmp profile ISAKMP-PROFILE
   keyring CRYPTO-KEYRING
   match identity address 10.1.0.1 255.255.255.255
crypto ipsec transform-set CRYPTO-TRANSFORM esp-aes
 mode transport
crypto ipsec profile IPSEC-PROFILE
 set transform-set CRYPTO-TRANSFORM
 set isakmp-profile ISAKMP-PROFILE

R2#show run | sec ^router
router ospf 10
 router-id 2.2.2.2
 network 172.16.1.0 0.0.0.255 area 0
 network 192.168.2.0 0.0.0.255 area 0

R2#show run | sec ^ip route
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 10.2.0.2
R3
R3#show run int Tu10 | sec int
interface Tunnel10
 description ** Static VTI IPSec tunnel **
 ip address 172.16.1.3 255.255.255.255
 tunnel source GigabitEthernet0/1
 tunnel destination 10.1.0.1
 tunnel protection ipsec profile IPSEC-PROFILE

R3#show run int Gi0/1 | sec int
interface GigabitEthernet0/1
 description ** to public network **
 ip address 10.3.0.1 255.255.255.252
 duplex auto
 speed auto
 media-type rj45

R3#show run int Gi0/0 | sec int
interface GigabitEthernet0/0
 description ** to Host3 **
 ip address 192.168.3.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45

R3#show run | sec ^crypto
crypto keyring CRYPTO-KEYRING
  pre-shared-key address 10.1.0.1 key p4ssw0rd.123
crypto isakmp policy 2
 authentication pre-share
crypto isakmp profile ISAKMP-PROFILE
   keyring CRYPTO-KEYRING
   match identity address 10.1.0.1 255.255.255.255
crypto ipsec transform-set CRYPTO-TRANSFORM esp-aes
 mode transport
crypto ipsec profile IPSEC-PROFILE
 set transform-set CRYPTO-TRANSFORM
 set isakmp-profile ISAKMP-PROFILE

R3#show run | sec ^router
router ospf 10
 router-id 3.3.3.3
 network 172.16.1.0 0.0.0.255 area 0
 network 192.168.3.0 0.0.0.255 area 0

R3#show run | sec ^ip route
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 10.3.0.2
R1#show ip int br
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     192.168.1.1     YES manual up                    up
GigabitEthernet0/1     10.1.0.1        YES manual up                    up
GigabitEthernet0/2     unassigned      YES unset  administratively down down
GigabitEthernet0/3     unassigned      YES unset  administratively down down
Loopback10             172.16.1.1      YES manual up                    up
NVI0                   192.168.1.1     YES unset  up                    up
Virtual-Access1        172.16.1.1      YES unset  up                    up       « Virtual-Access interface dynamically created
Virtual-Access2        172.16.1.1      YES unset  up                    up
Virtual-Template10     172.16.1.1      YES unset  up                    down

R1#show interfaces Virtual-Template 10 | section member
Set of tunnels with source GigabitEthernet0/1, 3 members (includes iterators), on interface

R1#show crypto session brief
Status: A- Active, U - Up, D - Down, I - Idle, S - Standby, N - Negotiating
        K - No IKE
ivrf = (none)
Peer            I/F   Username        Group/Phase1_id     Uptime   Status
10.3.0.1        Vi2                   10.3.0.1            01:42:57 UA      « IPsec tunnel established through Vi interface
10.2.0.1        Vi1                   10.2.0.1            01:43:21 UA

R1#show crypto session
Crypto session current status

Interface: Virtual-Access2
Profile: ISAKMP-PROFILE
Session status: UP-ACTIVE
Peer: 10.3.0.1 port 500
  Session ID: 0
  IKEv1 SA: local 10.1.0.1/500 remote 10.3.0.1/500 Active      « IKEv1 is used
  IPSEC FLOW: permit 47 host 10.1.0.1 host 10.3.0.1
        Active SAs: 2, origin: crypto map

Interface: Virtual-Access1
Profile: ISAKMP-PROFILE
Session status: UP-ACTIVE
Peer: 10.2.0.1 port 500
  Session ID: 0
  IKEv1 SA: local 10.1.0.1/500 remote 10.2.0.1/500 Active
  IPSEC FLOW: permit 47 host 10.1.0.1 host 10.2.0.1
        Active SAs: 2, origin: crypto map

R1#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           0   FULL/  -        00:00:37    172.16.1.2      Virtual-Access1   « OSPF neighborship through Vi interface
3.3.3.3           0   FULL/  -        00:00:38    172.16.1.3      Virtual-Access2

R1#show ip route ospf | begin Ga
Gateway of last resort is 10.1.0.2 to network 0.0.0.0

      172.16.0.0/32 is subnetted, 3 subnets
O        172.16.1.2 [110/2000] via 172.16.1.2, 01:13:41, Virtual-Access1
O        172.16.1.3 [110/2000] via 172.16.1.3, 01:13:31, Virtual-Access2
O     192.168.2.0/24 [110/1001] via 172.16.1.2, 01:25:52, Virtual-Access1
O     192.168.3.0/24 [110/1001] via 172.16.1.3, 01:25:52, Virtual-Access2

Host2#trace 192.168.3.2 probe 1
Type escape sequence to abort.
Tracing the route to 192.168.3.2
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.2.1 1 msec
  2 172.16.1.1 27 msec      « Traffic from Host2 to Host3 goes through Hub router R1
  3 172.16.1.3 52 msec
  4 192.168.3.2 53 msec

Host2#trace 192.168.1.2 probe 1
Type escape sequence to abort.
Tracing the route to 192.168.1.2
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.2.1 1 msec
  2 172.16.1.1 27 msec
  3 192.168.1.2 28 msec
As the outputs above show, the DVTI configuration on R1 dynamically creates one Virtual-Access interface per spoke; each terminates that spoke's IPSec tunnel and carries the OSPF adjacency. Spoke-to-spoke traffic (Host2 to Host3) is hairpinned through the hub, as the traceroute confirms. On the spoke routers R2 and R3 the tunnels terminate on static tunnel interfaces (SVTI), as shown below.
R2#show crypto session brief
Status: A- Active, U - Up, D - Down, I - Idle, S - Standby, N - Negotiating
        K - No IKE
ivrf = (none)
Peer            I/F   Username        Group/Phase1_id     Uptime   Status
10.1.0.1        Tu10                  10.1.0.1            01:50:50 UA

R2#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           0   FULL/  -        00:00:30    172.16.1.1      Tunnel10

R2#show ip route ospf | beg Ga
Gateway of last resort is 10.2.0.2 to network 0.0.0.0

      172.16.0.0/32 is subnetted, 3 subnets
O        172.16.1.1 [110/1001] via 172.16.1.1, 01:19:56, Tunnel10
O        172.16.1.3 [110/3000] via 172.16.1.1, 01:19:46, Tunnel10
O     192.168.1.0/24 [110/1001] via 172.16.1.1, 01:19:56, Tunnel10
O     192.168.3.0/24 [110/2001] via 172.16.1.1, 01:19:56, Tunnel10
IPSec Dynamic VTI IKEv2 configuration
This is the same topology as the first scenario, but IPSec is now keyed with IKEv2. The hub R1 again terminates the tunnels on a Virtual-Template interface, this time bound to an IKEv2 profile, and the spokes R2 and R3 connect with static VTIs. Beyond IKEv2's protocol improvements over IKEv1 (fewer round trips, built-in liveness checks and NAT traversal, independent authentication methods per side), the practical difference in this configuration is that the IKEv2 proposal states its algorithms explicitly: AES-256-CBC encryption, SHA-256 integrity and DH group 14, instead of relying on platform defaults. Two caveats remain. The hub's IKEv2 keyring matches any peer address (0.0.0.0 0.0.0.0) with one shared pre-shared key; the match identity remote address lines in the IKEv2 profile limit which peers can bring up a session, but per-peer keys or certificates are the stronger choice. And the IPSec transform set is still esp-aes with no integrity transform.
Configuration:
R1
R1#show run int Virtual-Template 10 | sec int
interface Virtual-Template10 type tunnel
 description ** Dynamic VTI IPsec tunnel **
 ip unnumbered Loopback10
 tunnel source GigabitEthernet0/1
 tunnel protection ipsec profile IPSEC-PROFILE

R1#show run int Lo10 | sec int
interface Loopback10
 ip address 172.16.1.1 255.255.255.255

R1#show run int Gi0/1 | sec int
interface GigabitEthernet0/1
 description ** to public network **
 ip address 10.1.0.1 255.255.255.252
 duplex auto
 speed auto
 media-type rj45

R1#show run int Gi0/0 | sec int
interface GigabitEthernet0/0
 description ** to Host1 **
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45

R1#show run | sec ^crypto
crypto ikev2 proposal CRYPTO-PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy CRYPTO-POLICY
 match address local 10.1.0.1
 proposal CRYPTO-PROPOSAL
crypto ikev2 keyring CRYPTO-KEYRING
 peer CRYPTO-PEER
  address 0.0.0.0 0.0.0.0
  pre-shared-key p4ssw0rd.123
 !
crypto ikev2 profile IKEv2-PROFILE
 match identity remote address 10.2.0.1 255.255.255.255
 match identity remote address 10.3.0.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local CRYPTO-KEYRING
 virtual-template 10
crypto ipsec transform-set CRYPTO-TRANSFORM esp-aes
 mode transport
crypto ipsec profile IPSEC-PROFILE
 set transform-set CRYPTO-TRANSFORM
 set ikev2-profile IKEv2-PROFILE

R1#show run | sec ^router
router ospf 10
 router-id 1.1.1.1
 network 172.16.1.0 0.0.0.255 area 0
 network 192.168.1.0 0.0.0.255 area 0

R1#show run | sec ^ip route
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 10.1.0.2
R2
R2#show run int Tu10 | sec int
interface Tunnel10
 description ** Static VTI IPSec tunnel **
 ip address 172.16.1.2 255.255.255.255
 tunnel source GigabitEthernet0/1
 tunnel destination 10.1.0.1
 tunnel protection ipsec profile IPSEC-PROFILE

R2#show run int Gi0/1 | sec int
interface GigabitEthernet0/1
 description ** to public network **
 ip address 10.2.0.1 255.255.255.252
 duplex auto
 speed auto
 media-type rj45

R2#show run int Gi0/0 | sec int
interface GigabitEthernet0/0
 description ** to Host2 **
 ip address 192.168.2.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45

R2#show run | sec ^crypto
crypto ikev2 proposal CRYPTO-PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy CRYPTO-POLICY
 match address local 10.2.0.1
 proposal CRYPTO-PROPOSAL
crypto ikev2 keyring CRYPTO-KEYRING
 peer CRYPTO-PEER
  address 10.1.0.1
  pre-shared-key p4ssw0rd.123
 !
crypto ikev2 profile IKEv2-PROFILE
 match identity remote address 10.1.0.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local CRYPTO-KEYRING
crypto ipsec transform-set CRYPTO-TRANSFORM esp-aes
 mode transport
crypto ipsec profile IPSEC-PROFILE
 set transform-set CRYPTO-TRANSFORM
 set ikev2-profile IKEv2-PROFILE

R2#show run | sec ^router
router ospf 10
 router-id 2.2.2.2
 network 172.16.1.0 0.0.0.255 area 0
 network 192.168.2.0 0.0.0.255 area 0

R2#show run | sec ^ip route
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 10.2.0.2
R3
R3#show run int Tu10 | sec int
interface Tunnel10
 description ** Static VTI IPSec tunnel **
 ip address 172.16.1.3 255.255.255.255
 tunnel source GigabitEthernet0/1
 tunnel destination 10.1.0.1
 tunnel protection ipsec profile IPSEC-PROFILE

R3#show run int Gi0/1 | sec int
interface GigabitEthernet0/1
 description ** to public network **
 ip address 10.3.0.1 255.255.255.252
 duplex auto
 speed auto
 media-type rj45

R3#show run int Gi0/0 | sec int
interface GigabitEthernet0/0
 description ** to Host3 **
 ip address 192.168.3.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45

R3#show run | sec ^crypto
crypto ikev2 proposal CRYPTO-PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy CRYPTO-POLICY
 match address local 10.3.0.1
 proposal CRYPTO-PROPOSAL
crypto ikev2 keyring CRYPTO-KEYRING
 peer CRYPTO-PEER
  address 10.1.0.1
  pre-shared-key p4ssw0rd.123
 !
crypto ikev2 profile IKEv2-PROFILE
 match identity remote address 10.1.0.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local CRYPTO-KEYRING
crypto ipsec transform-set CRYPTO-TRANSFORM esp-aes
 mode transport
crypto ipsec profile IPSEC-PROFILE
 set transform-set CRYPTO-TRANSFORM
 set ikev2-profile IKEv2-PROFILE

R3#show run | sec ^router
router ospf 10
 router-id 3.3.3.3
 network 172.16.1.0 0.0.0.255 area 0
 network 192.168.3.0 0.0.0.255 area 0

R3#show run | sec ^ip route
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 10.3.0.2
R1#show crypto session
Crypto session current status

Interface: Virtual-Access2
Profile: IKEv2-PROFILE
Session status: UP-ACTIVE
Peer: 10.3.0.1 port 500
  Session ID: 15
  IKEv2 SA: local 10.1.0.1/500 remote 10.3.0.1/500 Active      « IKEv2 Security Association is used
  IPSEC FLOW: permit 47 host 10.1.0.1 host 10.3.0.1
        Active SAs: 2, origin: crypto map

Interface: Virtual-Access1
Profile: IKEv2-PROFILE
Session status: UP-ACTIVE
Peer: 10.2.0.1 port 500
  Session ID: 10
  IKEv2 SA: local 10.1.0.1/500 remote 10.2.0.1/500 Active
  IPSEC FLOW: permit 47 host 10.1.0.1 host 10.2.0.1
        Active SAs: 2, origin: crypto map

R1#show crypto session brief
Status: A- Active, U - Up, D - Down, I - Idle, S - Standby, N - Negotiating
        K - No IKE
ivrf = (none)
Peer            I/F   Username        Group/Phase1_id     Uptime   Status
10.3.0.1        Vi2                   10.3.0.1            00:17:14 UA      « IPSec tunnels Up and Active on Vi interfaces
10.2.0.1        Vi1                   10.2.0.1            00:21:00 UA

Host2#trace 192.168.1.2 probe 1
Type escape sequence to abort.
Tracing the route to 192.168.1.2
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.2.1 1 msec
  2 172.16.1.1 26 msec
  3 192.168.1.2 26 msec

Host2#trace 192.168.3.2 probe 1
Type escape sequence to abort.
Tracing the route to 192.168.3.2
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.2.1 2 msec
  2 172.16.1.1 26 msec      « Site-to-site traffic goes through the Hub router R1
  3 172.16.1.3 50 msec
  4 192.168.3.2 53 msec
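The weak spots called out in both scenarios (ISAKMP policy parameters left at platform defaults, an ESP transform set with no integrity algorithm, a wildcard IKEv2 peer, and one short pre-shared key shared by every peer) are easy to miss when reading a running-config by eye. The following is an added example, not code from the page: a small Python audit that parses IOS crypto configuration by its indentation and flags those patterns. WEAK_CFG is constructed from the hub's crypto lines in the two scenarios above, merged into one string; HARDENED_CFG, the algorithm sets, the ISAKMP default table and the 16-character key threshold are this example's assumptions, not values the page configures.

```python
# Added example, not code from the page: audit IOS crypto configuration for the
# weak spots discussed above. Sample configs are constructed; MIN_PSK_LEN and the "weak" sets are assumptions.
MIN_PSK_LEN = 16
WEAK_ENC = {"des", "3des"}
WEAK_HASH = {"md5", "sha", "sha1"}              # IOS writes SHA-1 as "sha"
WEAK_DH = {"1", "2", "5"}
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1"}  # applied when a line is absent

def parse_blocks(config):
    """Split an IOS running-config into (header, [indented sub-lines]) blocks."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw[0].isspace():
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks

def _kv(body):
    kv = {}
    for line in body:
        key, *rest = line.split()
        kv["encryption" if key.startswith("encr") else key] = rest   # "encr" folds into "encryption"
    return kv

def check_algorithms(header, body, defaults):
    """Weak algorithms in an isakmp policy (defaults fill absent lines) or an ikev2 proposal."""
    kv, out = _kv(body), []
    for field, bad in (("encryption", WEAK_ENC), ("hash", WEAK_HASH),
                       ("integrity", WEAK_HASH), ("group", WEAK_DH)):
        values = kv.get(field, [defaults[field]] if field in defaults else [])
        weak = [v for v in values if v in bad]      # ikev2 proposals may list several
        if weak:
            out.append(f"HIGH {header}: {field} {weak}" + ("" if field in kv else " (IOS default)"))
    return out

def check_transform_set(header, transforms):
    algs = [t for t in transforms if not t.isdigit()]  # drop key-size tokens such as "256"
    if any(a.endswith("-hmac") or a.startswith("esp-gcm") for a in algs):
        return []
    return [f"HIGH {header}: ESP encryption without an integrity transform"]

def check_keyring(header, body, psk_peers):
    """Wildcard peers and short keys; also records which peers share a key."""
    out, peer = [], header
    for line in body:
        t = line.split()
        if t[0] == "peer":                                  # IKEv2 keyring: peer NAME
            peer = f"{header} peer {t[1]}"
        elif t[0] == "address" and t[1:3] == ["0.0.0.0", "0.0.0.0"]:
            out.append(f"MEDIUM {peer}: wildcard peer address, any source may try this PSK")
        elif t[0] == "pre-shared-key":
            if "address" in t:                              # IKEv1: pre-shared-key address A key K
                peer = f"{header} address {t[t.index('address') + 1]}"
            if len(t[-1]) < MIN_PSK_LEN:
                out.append(f"MEDIUM {peer}: PSK shorter than {MIN_PSK_LEN} characters")
            psk_peers.setdefault(t[-1], set()).add(peer)
    return out

def audit(config):
    findings, psk_peers = [], {}
    for header, body in parse_blocks(config):
        if header.startswith(("crypto isakmp policy", "crypto ikev2 proposal")):
            findings += check_algorithms(header, body, ISAKMP_DEFAULTS if "isakmp" in header else {})
        elif header.startswith("crypto ipsec transform-set"):
            findings += check_transform_set(header, header.split()[4:])
        elif header.startswith(("crypto keyring", "crypto ikev2 keyring")):
            findings += check_keyring(header, body, psk_peers)
    findings += [f"MEDIUM PSK reused by {len(p)} peers: {sorted(p)}" for p in psk_peers.values() if len(p) > 1]
    return findings

# Constructed: the hub's crypto lines from the page's two scenarios, merged.
WEAK_CFG = """\
crypto keyring CRYPTO-KEYRING
  pre-shared-key address 10.2.0.1 key p4ssw0rd.123
  pre-shared-key address 10.3.0.1 key p4ssw0rd.123
crypto isakmp policy 2
 authentication pre-share
crypto ipsec transform-set CRYPTO-TRANSFORM esp-aes
crypto ikev2 keyring CRYPTO-KEYRING
 peer CRYPTO-PEER
  address 0.0.0.0 0.0.0.0
  pre-shared-key p4ssw0rd.123
"""

# Constructed replacement (assumed values): explicit algorithms, ESP integrity, a /32 peer, a long key.
HARDENED_CFG = """\
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto ipsec transform-set CRYPTO-TRANSFORM esp-aes 256 esp-sha256-hmac
crypto ikev2 keyring CRYPTO-KEYRING
 peer SPOKE-R2
  address 10.2.0.1 255.255.255.255
  pre-shared-key Rk9vB2qLx7TmW4pZ8sHd
"""
```

audit(WEAK_CFG) returns nine findings: the three defaulted ISAKMP parameters, the esp-aes transform set with no integrity transform, the wildcard IKEv2 peer, three pre-shared keys shorter than the threshold, and the reuse of one key by all three peers; audit(HARDENED_CFG) returns none. The parser relies only on IOS indentation, so it can be pointed at a full show running-config capture rather than the excerpts used here.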