« Ideal CCNA Lab Setup | Main | PIX Authentication Using Local User Database (and Kiwi CatTools) »
August 26, 2006
VPN Virtual Tunnel Interfaces
While doing a recent deployment, I ran across this concept. It's a slightly different way to configure VPNs on a Cisco router that (for me) is far less confusing and finicky. If you've ever configured VPNs using a PIX firewall or IOS router, you probably know of the pain associated with making sure your crypto map is correctly configured. There are SO MANY pieces of it, you're almost assured that something is not going to match between one side of the connection and the other (especially that "interesting traffic" ACL). That's where these IPSec Virtual Tunnel Interfaces come in. Check this out...
Instead of configuring crypto maps between your routers, you create virtual interfaces. So the VPN has it's own "point-to-point" style connection between sites. The best way to get this is to see a configuration example. I borrowed the syntax / graphic for this example from Richard Deal's Complete Cisco VPN Configuration Guide by Cisco Press (awesome book, by the way).
RouterA Configuration:
RTRA(config)# crypto isakmp policy 10
RTRA(config-isakmp)# encryption aes 128
RTRA(config-isakmp)# hash sha
RTRA(config-isakmp)# authentication pre-share
RTRA(config-isakmp)# group 2
RTRA(config-isakmp)# exit
RTRA(config)# crypto isakmp key cisco123 address 193.1.1.1 255.255.255.255 no-xauth
RTRA(config)# crypto ipsec transform-set RTRtran esp-aes esp-sha-hmac
RTRA(cfg-crypto-trans)# exit
RTRA(config)# crypto ipsec profile VTI
RTRA(ipsec-profile)# set transform-set RTRtran
RTRA(ipsec-profile)# exit
RTRA(config)# interface tunnel 0
RTRA(config-if)# ip address 192.168.3.1 255.255.255.0
RTRA(config-if)# tunnel source 192.1.1.1
RTRA(config-if)# tunnel destination 193.1.1.1
RTRA(config-if)# tunnel mode ipsec ipv4
RTRA(config-if)# tunnel protection ipsec VTI
RTRA(config)# interface Ethernet0/0
RTRA(config-if)# ip address 192.1.1.1 255.255.255.0
RTRA(config-if)# exit
RTRA(config)# interface Ethernet 1/0
RTRA(config-if)# ip address 192.168.1.1 255.255.255.0
RTRA(config-if)# exit
RTRA(config)# ip route 192.168.2.0 255.255.255.0 tunnel0
RouterB Configuration:
RTRB(config)# crypto isakmp policy 10
RTRB(config-isakmp)# encryption aes 128
RTRB(config-isakmp)# hash sha
RTRB(config-isakmp)# authentication pre-share
RTRB(config-isakmp)# group 2
RTRB(config-isakmp)# exit
RTRB(config)# crypto isakmp key cisco123 address 192.1.1.1 255.255.255.255 no-xauth
RTRB(config)# crypto ipsec transform-set RTRtran esp-aes esp-sha-hmac
RTRB(cfg-crypto-trans)# exit
RTRB(config)# crypto ipsec profile VTI
RTRB(ipsec-profile)# set transform-set RTRtran
RTRB(ipsec-profile)# exit
RTRB(config)# interface tunnel 0
RTRB(config-if)# ip address 192.168.3.2 255.255.255.0
RTRB(config-if)# tunnel source 193.1.1.1
RTRB(config-if)# tunnel destination 192.1.1.1
RTRB(config-if)# tunnel mode ipsec ipv4
RTRB(config-if)# tunnel protection ipsec VTI
RTRB(config)# interface Ethernet0/0
RTRB(config-if)# ip address 193.1.1.1 255.255.255.0
RTRB(config-if)# exit
RTRB(config)# interface Ethernet 1/0
RTRB(config-if)# ip address 192.168.2.1 255.255.255.0
RTRB(config-if)# exit
RTRB(config)# ip route 192.168.1.0 255.255.255.0 tunnel0
The configuration is pretty straightforward, especially if you've configured GRE tunnels before. The difference is you use the "tunnel mode ipsec ipv4" command to notify the router that this is an IPSec-based interface rather than GRE and the "tunnel protection ipsec
The best part of the whole thing is NO CRYPTO MAPS!!! :) I love it - traffic is associated with a remote site using "ip route" static routes rather than mirrored ACLs. Awesome stuff!
Posted by JC at August 26, 2006 9:28 AM
Trackback Pings
TrackBack URL for this entry:
http://www.cioara.org/cgi-bin/mt-tb.cgi/104
Comments
Nice post, Jeremy. This is a neat case for using virtual tunnel interfaces with IPsec. Do you know when the "crypto ipsec profile VTI" command was introduced? I checked http://www.cisco.com/univercd, and couldn't determine the earliest version of IOS that has the VTI argument.
Thanks!
-Jeremy
Posted by: Jeremy at August 28, 2006 2:23 PM
Thanks for useful post!
Posted by: Tim at August 30, 2006 9:38 PM
Once again Jeremy you deliver top notch material. I have been using your CBT based materials for years now and each time your lab exercises help the "penny drop". Thanks once again.
Posted by: Smooth at September 6, 2006 6:12 AM
I wonder if building an interface for VPN's, will allow us to start using OSPF, since the Tunnel now has "link state"?
Even though IPSec won't allow you to multicast, you should still be able to configure OSPF at the other side, wouldn't you think?
Hmmmmm
Good Post.
Posted by: Aaron Paxson at September 23, 2006 7:21 AM
Yup - even OSPF works across it. The GRE tunnel allows it (along with all MCast traffic). IPSec is just used for the security features (encrypt/hash/etc) on top if it.
Posted by: Jeremy at September 25, 2006 9:10 AM
Thanks for the great post. I would like to add that when implementing the command:
crypto isakmp key cisco123 address 192.1.1.1 255.255.255.255 no-xauth
make sure that immediately following the word key you add in a 0 which specifies that following the 0 will be your plain text key. This hung me up for like a day. it shows up in IOS help, but not in any config documentation...as when you actually implement it, in the config that 0 does not show up either.
Posted by: Joe at October 23, 2006 11:13 AM
Trying to do this setup between a 870 and a 2800.
The tunnel comes up fine if I run in tunnelmode, but when changing to
ENCRYPT-3DES esp-3des esp-md5-hmac
mode transport require
The tunnel never comes up, any ideas?
Posted by: Mathias Kanstup at November 3, 2006 3:34 AM
Joe; only tunnel mode is supported; transport mode is not working in this kind of config.
by the way; I can pass EIGRP through the tunnel; any ideas?
Posted by: xavi at November 24, 2006 4:45 PM
Jeremy,
I watched this setup in your ISCW nuggets but you only showed it from the SDM tool. So seeing this command line was great since I just had to try it. Well I ran into 1 error from above, easy catch:
RTRA(config-if)# tunnel protection ipsec VTI
needed the profile before the VTI. So I corrected that, but still had no luck pinging from LAN A to LAN B. When I did a show isakmp I seen the QM-Idle which from what I remember means the tunnel is established. I did not setup any routing protocols yet. Could this have been the reason?
Thanks
Dave
Posted by: David Lundgren at November 28, 2006 2:23 PM
Yeah, nice configuration but take care to Qos and high availability limitations and other issues !!!
Posted by: bugueur at December 20, 2006 2:38 PM
I setup the VPN tunnel interface between two Cisco 1841 routers. These routers require the command:
tunnel protection ipsec profile VTI
After getting everything setup and working, I tested the configuration by sniffing the interface traffic (fa0/1 in my case). I was surprised to see that there is traffic coming straight into the interface that's not encrypted and getting responses from my internal network. I tried putting in an access list that would only receive traffic from the other side of the VPN (the tunnel IPs) and it blocks everything...
I could write a very specific access-list for each side of the tunnel, but this seems to be more difficult than using the crypto maps. Has anyone else tested this configuration and seen the same results? If so, how have you blocked the unencrypted traffic from coming into your network?
Thanks,
Don
Posted by: Don Swift at December 22, 2006 5:25 AM
I setup the configuration based on the configuration on this page. When sniffing the Internet interface, I see unencrypted packets on the network and can ping a server located inside my network. To test this, using the IP addreses above, setup a sniffer with the IP of 192.1.1.2 and put it on the E0/0 interface. Apparently, the router puts priority on acting as a router and not as an IPSEC gateway.
I've tried to block anything outside of the remote end of the VPN using access lists, but my access list turns out to be worse than building the crypto maps. I cannot simply permit both IP addresses on both ends of the VPN (192.168.3.1 and 192.168.3.2) or the ethernet interface (192.1.1.1 and 193.1.1.1). It looks like I have to include 192.168.2.0 and 192.168.1.0 in this scenario and possibly 192.168.3.0.
Has anyone else done this type of troubleshooting to see how to resolve this problem with the VPN?
Thanks, Don
Posted by: Don Swift at December 22, 2006 11:15 AM
With the above configuration, do you need to specify IP addresses for the tunnel interface?
ie. We are trying to setup a VPN between an 1841 and a 7206. The company with the 7200 series will not supply a config. I do not want any ip addressing on the GRE tunnel, just a straight tunnel to access the remote network
Posted by: Andrew at February 14, 2007 8:45 PM
We need to configure two sites of our office through router by using VPN tunnel. Also we want access the internet on both sides.
Posted by: Munish at March 15, 2007 4:34 AM
need it
Posted by: naren at March 15, 2007 4:40 AM
Excellent config. worked like a charm
Posted by: ken at March 27, 2007 9:36 AM
Hi Jeremy. This is very helpful, In fact I am working on a project which has quite similar setup. Basically, they have existing MPLS link and need to setup a virtual tunnel interface. The MPLS should be the primary link and the VTI will serve as a backup. Failover will be based from the BGP routing table. Can this work using BGP? Does it advertise BGP routes across the link? They do have an L3 switch inside the LAN and this should also participate in propagating BGP routes. The L3 switch should decide which link to use e.g. MPLS went down, L3 will tell the rest to use VTI to reach remote routers.
MPLS Router ----[LAN with L3 Switch]-----Internet Router.
We will terminate VTI using internet router. L3 must learn the routes from both MPLS and Internet routes so as to understand which link to go whenever one becomes unavailable and in turn must fall back when primary link (MPLS) come back up. Is this possible/feasible? Any suggestion? Thank you
Posted by: Vida at May 7, 2007 8:30 AM
Hi Jeremy. Config is very clean and quick. However I got a problem.
At the moment I am using your config on 2 cisco 877. The tunnel light is up and I can only ping router B from within router A. But I can't ping router B from a computer on router A network.
Thanks,
Quang
Posted by: Simon at August 19, 2007 8:19 PM
Hi Jeremy. All fix, my mistake silly acl rule.
Thanks,
Quang
Posted by: Simon at August 19, 2007 8:37 PM
Hello there Jeremy,
I'd like to thank you for the enlightment of your post and I would also like to take the chance and agree with you on the crypto map issue when your only hooking up non encrypted sites. The fact that you can use static routes to handle all your traffic with tunnel interfaces is most important. You can of course add crypto maps to the tunnel interface and then pul up a helper address with rip v2 to make things funnly automated.
Believe me after 9 hours of working on a vpn project I had to get down to , your post was most helpful.
Thanks once again.
Mario
Posted by: Mario A. Spinthiras at September 20, 2007 10:57 AM
Would it be possible to share an example where you also have Remote VPN Clients connecting in a sort of Dynamic fashion and keep the L2L tunnels up?
Excellent Info by the way!
Posted by: Lola at May 4, 2008 9:13 PM