Site-to-Site Virtual Tunnel Interface (VTI) Over IPSec

An IPsec Virtual Tunnel Interface (VTI) is a routable virtual interface type for terminating IPsec tunnels, and it provides a simple way to establish security between sites to create an overlay network. IPsec Virtual Tunnel Interfaces improve and simplify IPsec configuration using Virtual Private Network (VPN) tunnels.


VTI Over IPsec Configuration

There are two types of VTI, Dynamic Virtual Tunnel Interface (DVTI) and Static Virtual Tunnel Interface (SVTI). Only the static VTI configuration with IPSec session and normal tunnel interface will be explained here.

The network topology below shows two routers to be connected using static VTI over IPsec VPN. The configuration is pretty much the same with the GRE over IPsec using IPsec profiles configuration. The only difference is the additional ‘tunnel mode ipsec {ipv4 | ipv6}’ command under the GRE tunnel interface to enable VTI and to use tunnel mode instead of transport mode.


Virtual Tunnel Interface

In the example, the IP addresses and the initial routes are already configured on both routers. So for the first step, configure an ISAKMP policy on Router1.

Router1(config)#crypto isakmp policy 1
Router1(config-isakmp)#encryption aes
Router1(config-isakmp)#authentication pre-share
Router1(config-isakmp)#group 14


Next, configure the Pre Shared Key (PSK). STUDY-CCNP is the keystring, and is the peer-address.

Router1(config-isakmp)#crypto isakmp key STUDY-CCNP address


Create a transform set and set the mode to tunnel. T-SET is the transform set name, and esp-aes and esp-sha-hmac are the transforms inside the set.

Router1(config)#crypto ipsec transform-set T-SET esp-aes esp-sha-hmac
Router1(cfg-crypto-trans)#mode tunnel


Create an IPsec profile and select the transform set to be used by the profile. PROFILE is the IPsec profile name. The T-SET is the name of the transform set created in the previous step.

Router1(config)#crypto ipsec profile PROFILE
Router1(ipsec-profile)#set transform-set T-SET


Now, configure the tunnel interface.

Router1(config)#interface Tunnel 1
Router1(config-if)#ip address
Router1(config-if)#tunnel source
Router1(config-if)#tunnel destination


Then, under the tunnel interface mode, enable VTI and apply the IPSec profile using the following commands.

Router1(config-if)#tunnel mode ipsec ipv4
Router1(config-if)#tunnel protection ipsec profile PROFILE


For Router2, it’s pretty much the same.

Router2#configure terminal
Router2(config)#crypto isakmp policy 1
Router2(config-isakmp)# encryption aes
Router2(config-isakmp)# authentication pre-share
Router2(config-isakmp)# group 14
Router2(config-isakmp)#crypto isakmp key STUDY-CCNP address
Router2(config)#crypto ipsec transform-set T-SET esp-aes esp-sha-hmac
Router2(cfg-crypto-trans)# mode tunnel
Router2(cfg-crypto-trans)# exit
Router2(config)#crypto ipsec profile PROFILE
Router2(ipsec-profile)# set transform-set T-SET
Router2(config)#interface Tunnel 1
Router2(config-if)# ip address
Router2(config-if)# tunnel source
Router2(config-if)# tunnel destination
Router2(config-if)# tunnel mode ipsec ipv4
Router2(config-if)# tunnel protection ipsec profile PROFILE


Also, make sure to configure the routes that point to the subnet on each side with the tunnel interface as the destination.

Router1(config)#ip route Tunnel1
Router2(config)#ip route Tunnel1


Verifying IPsec Virtual Tunnel Interface (VTI)

To verify the VTI over IPsec tunnel configuration, the command ‘show interface tunnel1’ can be used. It shows the tunnel status and type, the tunnel internet address, and the tunnel IPsec profile.

The ‘show crypto session’ command also shows the tunnel status and its peer.

Router1#show crypto session
Crypto session current status
Interface: Tunnel1
Session status: UP-ACTIVE
Peer: port 500
Session ID: 0
IKEv1 SA: local remote Active
Session ID: 0
IKEv1 SA: local remote Active
IPSEC FLOW: permit ip
Active SAs: 6, origin: crypto map


Other useful show commands for verification are ‘show crypto isakmp sa’ and ‘show crypto ipsec sa’.

Download our Free CCNA Study Guide PDF for complete notes on all the CCNA 200-301 exam topics in one book.

We recommend the Cisco CCNA Gold Bootcamp as your main CCNA training course. It’s the highest rated Cisco course online with an average rating of 4.8 from over 30,000 public reviews and is the gold standard in CCNA training: