Transcription of Virtual Tunnel Interface - Cisco
Virtual Tunnel Interface

This chapter describes how to configure a VTI tunnel.

About Virtual Tunnel Interfaces, on page 1
Guidelines for Virtual Tunnel Interfaces, on page 1
Create a VTI Tunnel, on page 2

About Virtual Tunnel Interfaces

The ASA supports a logical interface called Virtual Tunnel Interface (VTI). As an alternative to policy based VPN, a VPN tunnel can be created between peers with Virtual Tunnel Interfaces. VTI supports route based VPN with IPsec profiles attached to the end of each tunnel, and allows dynamic or static routes to be used.

Egressing traffic from the VTI is encrypted and sent to the peer, and the associated SA decrypts the ingress traffic to the VTI. Using VTI does away with the requirement of configuring static crypto map access lists and mapping them to interfaces. You no longer have to track all remote subnets and include them in the crypto map access list, and having a static VTI which supports route based VPN with a dynamic routing protocol also satisfies many requirements of a virtual private cloud.

Guidelines for Virtual Tunnel Interfaces

General Configuration Guidelines

VTIs are only configurable in IPsec mode. Terminating GRE tunnels on an ASA is unsupported.
You can use dynamic or static routes for traffic using the tunnel interface.
The MTU for VTIs is automatically set, according to the MTU of the physical interface. If you change the physical interface MTU after the VTI is enabled, you must disable and reenable the VTI to use the new MTU setting.
VTI supports IKEv1 and uses IPsec for sending and receiving data between the tunnel's source and destination.
If Network Address Translation has to be applied, the IKE and ESP packets are encapsulated in a UDP header. The ASA keeps VTI tunnels up at all times.
The tunnel group name must match what the peer will send as its IKEv1 identity. For IKEv1 in LAN-to-LAN tunnel groups, you can use names which are not IP addresses if the tunnel authentication method is digital certificates and/or the peer is configured to use aggressive mode.
VTI and crypto map configurations can co-exist on the same physical interface, provided the peer address configured in the crypto map and the tunnel destination for the VTI are different.
By default, all traffic through the VTI is encrypted.
By default, the security level for VTI interfaces is 0.
Access lists can be applied on a VTI interface to control traffic through the VTI.
Only BGP is supported over VTI.
If the ASA is terminating IOS IKEv2 VTI clients, disable the config-exchange request on IOS, because the ASA cannot retrieve the mode-CFG attributes for this L2L session initiated by an IOS VTI client.
VTI is supported only in single, routed mode; other modes are not supported on Virtual Tunnel Interfaces (VTIs).

Create a VTI Tunnel

To configure a VTI tunnel, create an IPsec proposal (transform set). You will need to create an IPsec profile that references the IPsec proposal, followed by a VTI interface with the IPsec profile. Configure the remote peer with an identical IPsec proposal and IPsec profile. IPsec negotiation will start when all tunnel parameters are configured.

When the VTI has BGP adjacency on the physical interface: when a state change is triggered due to the interface health check, the routes in the physical interface will ...

Access Control Lists on a VTI Tunnel

Access control lists can be applied on a VTI interface to control traffic through the VTI.
To permit any packets that come from an IPsec tunnel without checking ACLs for the source and destination interfaces, enter the sysopt connection permit-vpn command in global configuration mode. You can use the following command to enable IPsec traffic through the ASA without checking ACLs:

hostname(config)# sysopt connection permit-vpn

When an outside interface and a VTI interface both have a security level of 0, an ACL applied on the VTI interface will not be hit if you do not have same-security-traffic configured. To configure this feature, use the same-security-traffic command in global configuration mode. For more information, see Permitting Intra-Interface Traffic (Hairpinning).
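The following is an added example, not configuration from the Cisco chapter, showing how the two caveats above interact when you want an ACL on the VTI to actually be enforced. The interface names, addresses, ACL name and site prefixes are constructed; the tunnel protection ipsec profile and tunnel mode ipsec ipv4 lines are the ASA commands that bind an IPsec profile to the tunnel, which the chapter excerpt stops short of showing.

```cisco
! Added example (constructed). 10.1.0.0/16 is the local site, 10.2.0.0/16 the
! remote site reached through the VTI named "vti"; 203.0.113.x are
! documentation addresses.
!
! Both "outside" and "vti" sit at the default security level 0.
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
!
interface Tunnel100
 nameif vti
 security-level 0
 ip address 192.168.100.1 255.255.255.252
 tunnel source interface outside
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PROFILE1
!
! Restrict what the remote site may send through the tunnel: only HTTPS to
! the local servers; everything else is logged and dropped.
access-list VTI_IN extended permit tcp 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0 eq 443
access-list VTI_IN extended deny ip any any log
access-group VTI_IN in interface vti
!
! Per the chapter: with outside and vti both at security level 0, the ACL on
! vti is not hit unless same-security traffic is permitted.
same-security-traffic permit inter-interface
!
! Per the chapter: sysopt connection permit-vpn lets IPsec tunnel traffic skip
! interface ACLs. Disable it so that VTI_IN is evaluated.
no sysopt connection permit-vpn
```

Check the result with show access-list VTI_IN after sending test traffic from the remote site: the hit counts on the permit and deny entries should move, and syslog should carry the denied flows. If the counters stay at zero, one of the two global settings above is still in its default state.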
Procedure

Step 1 Add an IPsec Proposal (Transform Sets).
Step 2 Add an IPsec Profile.
Step 3 Add a VTI Interface.

Add an IPsec Proposal (Transform Sets)

A transform set is required to secure traffic in a VTI tunnel. Used as a part of the IPsec profile, it is a set of security protocols and algorithms that protects the traffic in the VPN.

Before you begin

You can use either a pre-shared key or certificates for authenticating the IKEv1 session associated with a VTI. You must configure the pre-shared key under the tunnel group used for the VTI. For certificate based authentication using IKEv1, on the responder you must configure the trustpoint in the tunnel group.

Add an IPsec Profile

An IPsec profile contains the required security protocols and algorithms in the IPsec proposal or transform set that it references. This ensures a secure, logical communication path between two site-to-site VTI peers.

Step 1 Set a name for the profile:
crypto ipsec profile name
Example:
ciscoasa(config)# crypto ipsec profile PROFILE1

Step 2 Set the IKEv1 transform set. Use the following command in the crypto ipsec profile command sub-mode:
set ikev1 transform-set set_name
In this example, SET1 is the IKEv1 proposal set:
ciscoasa(config-ipsec-profile)# set ikev1 transform-set SET1

Step 3 (Optional) Specify the duration of the security association:
set security-association lifetime {seconds number | kilobytes {number | unlimited}}
Example:
ciscoasa(config-ipsec-profile)# set security-association lifetime seconds 120 kilobytes 10000

Step 4 (Optional) Configure the end of the VTI tunnel to act only as a responder:
responder-only
You can configure one end of the VTI tunnel to perform only as a responder. The responder-only end will not initiate the tunnel or rekeying.

Step 5 (Optional) Specify the PFS group. Perfect Forward Secrecy (PFS) generates a unique session key. You have to select the Diffie-Hellman key derivation algorithm to use when generating the PFS session key. The key derivation algorithms generate IPsec security association (SA) keys. Each group has a different size modulus. A larger modulus provides higher security, but requires more processing time. You must have matching Diffie-Hellman groups on both peers.
set pfs {group1 | group2 | group5}
Example:
ciscoasa(config-ipsec-profile)# set pfs group2

Add a VTI Interface

To create a new VTI interface and establish a VTI tunnel, perform the following steps. Implement IP SLA to ensure that the tunnel remains up when a router in the active tunnel is unavailable.

Step 1 Create a new tunnel interface:
interface tunnel tunnel_interface_number
Example:
ciscoasa(config)# interface tunnel 100
Specify a tunnel ID from a range of 0 to 100. Up to 100 VTI interfaces are supported. If you will be migrating configurations from other devices to ASA 5506 devices, use the tunnel ID range of 1 - 100. This is to ensure compatibility with the tunnel range of 1 - 100 available in ASA 5506 devices.

Step 2 Set the name of the VTI interface. Use the following command in the interface tunnel command submode:
nameif interface_name
Example:
ciscoasa(config-if)# nameif vti

Step 3 Enter the IP address of the VTI interface:
ip address IP_address mask
Example:
ciscoasa(config-if)# ip address ...

Step 4 Specify the tunnel source interface:
tunnel source interface interface_name
Example:
ciscoasa(config-if)# tunnel source interface outside

Step 5 Specify the tunnel destination IP address.
Example:
ciscoasa(config-if)# ...

Step 6 Configure the tunnel with tunnel mode IPsec.
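The procedure above is spread across three sub-sections, so here is an added, complete two-peer configuration that follows it end to end. It is a constructed example, not the chapter's own, and it assumes: two ASAs (ASA-A and ASA-B) with public addresses 203.0.113.1 and 203.0.113.2, a /30 for the tunnel (192.168.100.0/30), site prefixes 10.1.0.0/16 behind ASA-A and 10.2.0.0/16 behind ASA-B, IKEv1 with a pre-shared key (placeholder shown), and a static route over the VTI rather than BGP. The tunnel protection ipsec profile and tunnel mode ipsec ipv4 commands bind the profile to the interface; the chapter excerpt ends before showing them. group5 is used because it is the largest modulus in the chapter's set pfs syntax; prefer a larger group where your ASA version offers one.

```cisco
! Added example (constructed). Replace <REPLACE-WITH-STRONG-PSK> on both peers
! with the same long, random key; the tunnel group name must be the peer's
! IP address because that is the IKEv1 identity a PSK peer sends.

!=========================== ASA-A ===========================
! IKEv1 (phase 1) policy, then enable IKEv1 on the tunnel source interface
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev1 enable outside
!
! Step 1: IPsec proposal (transform set); must match the peer exactly
crypto ipsec ikev1 transform-set SET1 esp-aes-256 esp-sha-hmac
!
! Step 2: IPsec profile that references the proposal
crypto ipsec profile PROFILE1
 set ikev1 transform-set SET1
 set pfs group5
 set security-association lifetime seconds 28800 kilobytes 4608000
!
! Tunnel group holding the pre-shared key for this peer
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key <REPLACE-WITH-STRONG-PSK>
!
! Step 3: the VTI (tunnel ID 100 lies within the supported 0-100 range)
interface Tunnel100
 nameif vti
 security-level 0
 ip address 192.168.100.1 255.255.255.252
 tunnel source interface outside
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PROFILE1
!
! Route-based VPN: the static route via the VTI decides what gets encrypted,
! no crypto map ACL is needed
route vti 10.2.0.0 255.255.0.0 192.168.100.2

!=========================== ASA-B ===========================
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev1 enable outside
!
crypto ipsec ikev1 transform-set SET1 esp-aes-256 esp-sha-hmac
!
crypto ipsec profile PROFILE1
 set ikev1 transform-set SET1
 set pfs group5
 set security-association lifetime seconds 28800 kilobytes 4608000
!
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key <REPLACE-WITH-STRONG-PSK>
!
interface Tunnel100
 nameif vti
 security-level 0
 ip address 192.168.100.2 255.255.255.252
 tunnel source interface outside
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PROFILE1
!
route vti 10.1.0.0 255.255.0.0 192.168.100.1

! Verification on either peer (privileged EXEC):
!   show crypto ikev1 sa      - phase 1 SA with the peer should be in MM_ACTIVE
!   show crypto ipsec sa      - phase 2 SA; encaps/decaps counters rise with traffic
!   show interface Tunnel100  - line protocol comes up once the SA is established
!   show route                - the remote prefix is learned via "vti"
```

Two points worth checking before relying on the tunnel: the IKEv1 policy, transform set, PFS group and SA lifetimes must be identical on both peers or negotiation fails silently at phase 1 or phase 2, and a VTI with only a static route has no health check of its own, which is why the chapter recommends IP SLA when the tunnel should survive a router in the active path going away.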