IPsec Tunnel Interfaces Using Static VTI (CCIE Notes)


To reduce configuration complexity we can use IPsec profiles and attach them to Virtual Tunnel Interfaces (VTIs). This is much like a route-based VPN on Juniper NetScreen. There are other reasons to consider VTIs for implementing GRE over IPsec, and they can be found here.

Jeremy Stretch has written a fantastic post on configuring GRE over IPsec using VTIs in the simplest way possible (http://packetlife.net/blog/2008/jul/14/ipsec-quick-and-dirty/), so I won't repeat all of that here.

Just adding some notes below for my reference:

Notes:

  • By default (tunnel mode gre ip) the IPsec SA is built between the tunnel source and destination addresses for GRE (IP protocol 47) only; the GRE encapsulation is what lets the tunnel carry multicast traffic. The proxy identities therefore show the two endpoint addresses with a /32 mask and protocol 47:

interface Tunnel12
 ip address 192.168.12.1 255.255.255.0
 tunnel source 10.1.101.1
 tunnel destination 192.168.1.2
 tunnel protection ipsec profile P2-PROFILE
end

R1#sh crypto ipsec sa

interface: Tunnel12
 Crypto map tag: Tunnel12-head-0, local addr 10.1.101.1

protected vrf: (none)
 local ident (addr/mask/prot/port): (10.1.101.1/255.255.255.255/47/0)
 remote ident (addr/mask/prot/port): (192.168.1.2/255.255.255.255/47/0)

  • If the command tunnel mode ipsec ipv4 is used, the tunnel carries plain IP instead of GRE and an "IP any any" (protocol 0) SA is created; the proxy identities no longer reference the tunnel endpoints at all:

interface Tunnel12
 ip address 192.168.12.1 255.255.255.0
 tunnel source 10.1.101.1
 tunnel mode ipsec ipv4
 tunnel destination 192.168.1.2
 tunnel protection ipsec profile P2-PROFILE
end

R1#sh crypto ipsec sa

interface: Tunnel12
 Crypto map tag: Tunnel12-head-0, local addr 10.1.101.1

protected vrf: (none)
 local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
 remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
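The two show outputs above differ only in their proxy identities, which is the quickest way to confirm which mode a VTI actually negotiated. The following Python script is an added example, not code from the post: it parses a tunnel stanza and a `show crypto ipsec sa` excerpt (constructed here from the two cases above), predicts the selectors each tunnel mode should produce, and reports a finding when the observed SA does not match or when `tunnel protection` is missing. It assumes the exact output layout shown above and that the IOS default tunnel mode is `gre ip`; the function names and the finding strings are this example's own.

```python
import re

# Constructed sample input, copied from the two cases in the post:
# the GRE-mode tunnel and the 'tunnel mode ipsec ipv4' tunnel, each with
# the matching 'show crypto ipsec sa' excerpt.
GRE_CONFIG = """\
interface Tunnel12
 ip address 192.168.12.1 255.255.255.0
 tunnel source 10.1.101.1
 tunnel destination 192.168.1.2
 tunnel protection ipsec profile P2-PROFILE
end
"""
GRE_SA = """\
interface: Tunnel12
 Crypto map tag: Tunnel12-head-0, local addr 10.1.101.1

protected vrf: (none)
 local ident (addr/mask/prot/port): (10.1.101.1/255.255.255.255/47/0)
 remote ident (addr/mask/prot/port): (192.168.1.2/255.255.255.255/47/0)
"""
IPSEC_CONFIG = """\
interface Tunnel12
 ip address 192.168.12.1 255.255.255.0
 tunnel source 10.1.101.1
 tunnel mode ipsec ipv4
 tunnel destination 192.168.1.2
 tunnel protection ipsec profile P2-PROFILE
end
"""
IPSEC_SA = """\
interface: Tunnel12
 Crypto map tag: Tunnel12-head-0, local addr 10.1.101.1

protected vrf: (none)
 local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
 remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
"""

# One regex per tunnel sub-command we care about (hypothetical minimal parser).
CONFIG_PATTERNS = {
    "name": r"interface (Tunnel\d+)$",
    "source": r"tunnel source (\S+)$",
    "destination": r"tunnel destination (\S+)$",
    "mode": r"tunnel mode (.+)$",
    "profile": r"tunnel protection ipsec profile (\S+)$",
}


def parse_tunnel_config(text):
    """Return name/source/destination/mode/profile for one tunnel stanza."""
    cfg = {"name": None, "source": None, "destination": None,
           "mode": "gre ip", "profile": None}  # "gre ip" is the IOS default
    for line in text.splitlines():
        for key, pattern in CONFIG_PATTERNS.items():
            m = re.match(pattern, line.strip())
            if m:
                cfg[key] = m.group(1)
    return cfg


def expected_idents(cfg):
    """Proxy identities (local, remote) the SA should carry for this mode."""
    if cfg["mode"] == "ipsec ipv4":
        # Plain-IP VTI: a single "IP any any" selector, protocol 0
        return ("0.0.0.0/0.0.0.0/0/0", "0.0.0.0/0.0.0.0/0/0")
    # GRE mode: host-to-host between the endpoints, IP protocol 47, no port
    return (f"{cfg['source']}/255.255.255.255/47/0",
            f"{cfg['destination']}/255.255.255.255/47/0")


def parse_sa_output(text):
    """Map interface name -> (local ident, remote ident) from the show output."""
    sas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"interface: (\S+)$", line)
        if m:
            current = m.group(1)
            sas.setdefault(current, {})
            continue
        m = re.match(r"(local|remote) ident \(addr/mask/prot/port\): \((\S+)\)$", line)
        if m and current:
            sas[current][m.group(1)] = m.group(2)
    return {name: (v.get("local"), v.get("remote")) for name, v in sas.items()}


def audit_tunnel(config_text, sa_text):
    """Return a list of findings; an empty list means the SA matches intent."""
    cfg = parse_tunnel_config(config_text)
    if cfg["profile"] is None:
        return [f"{cfg['name']}: no 'tunnel protection' -> tunnel traffic in the clear"]
    sas = parse_sa_output(sa_text)
    if cfg["name"] not in sas:
        return [f"{cfg['name']}: no IPsec SA present for this interface"]
    observed, expected = sas[cfg["name"]], expected_idents(cfg)
    if observed != expected:
        return [f"{cfg['name']}: SA idents {observed} differ from expected {expected}"]
    return []


if __name__ == "__main__":
    for label, cfg, sa in (("gre", GRE_CONFIG, GRE_SA), ("ipsec", IPSEC_CONFIG, IPSEC_SA)):
        print(label, audit_tunnel(cfg, sa) or "OK")
```

Run it as-is and both sample cases report OK; feed it the GRE configuration together with the any/any SA output and it flags the mismatch, which is the situation you want to catch when a peer was reconfigured from one mode to the other and the tunnel silently stays up on the wrong selectors.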

Bookmark to follow my CCIE Security v4 journey -> https://networkology.net/ccie-security/
