Virtual Tunnel
Interface – Cisco ASA
The ASA supports a logical interface
called Virtual Tunnel Interface (VTI). As an alternative to policy based VPN, a
VPN tunnel can be created between peers with Virtual Tunnel Interfaces
configured. This supports route based VPN with IPsec profiles attached to the
end of each tunnel. This allows dynamic or static routes to be used. Egressing
traffic from the VTI is encrypted and sent to the peer, and the associated SA
decrypts the ingress traffic to the VTI.
Using VTI does away with the
requirement of configuring static crypto map access lists and mapping them to
interfaces. You no longer have to track all remote subnets and include them in
the crypto map access list. Deployments become easier, and having static VTI
which supports route based VPN with dynamic routing protocol also satisfies
many requirements of a virtual private cloud.
General Configuration Guidelines
·
You can use dynamic or static routes for traffic using the
tunnel interface.
·
The MTU for VTIs is automatically set, according to the
underlying physical interface.
·
VTI supports IKEv1 and uses IPsec for sending and receiving data
between the tunnel's source and destination.
·
If Network Address Translation has to be applied, the IKE and
ESP packets will be encapsulated in the UDP header.
·
IKE and IPsec security associations will be re-keyed
continuously regardless of data traffic in the tunnel. This ensures that VTI
tunnels are always up.
·
Tunnel group name must match what the peer will send as its
IKEv1 identity.
·
For IKEv1 in LAN-to-LAN tunnel groups, you can use names which
are not IP addresses, if the tunnel authentication method is digital
certificates and/or the peer is configured to use aggressive mode.
·
VTI and crypto map configurations can co-exist on the same
physical interface, provided the peer address configured in the crypto map and
the tunnel destination for the VTI are different.
·
By default, all traffic through VTI is encrypted.
·
There are no security level configurations for VTI interfaces.
·
Access list can be applied on a VTI interface to control traffic
through VTI.
·
Only BGP is supported over VTI.
Supported in single
mode only.
Supported in routed
mode only.
To configure a VTI
tunnel, create an IPsec proposal (transform set). You will need to create an
IPsec profile that references the IPsec proposal, followed by a VTI interface
with the IPsec profile. Configure the remote peer with identical IPsec proposal
and IPsec profile parameters. SA negotiation will start when all tunnel
parameters are configured.
 Note |
For
the ASA which is a part of both the VPN VTI domains, and has BGP adjacency on
the physical interface:
When
a state change is triggered due to the interface health check, the routes in
the physical interface will be deleted until BGP adjacency is re-established
with the new active peer. This behavior does not apply to logical VTI
interfaces.
|
Procedure
|
Step 1
|
Add an IPsec Proposal
(Transform Sets).
|
|
Step 2
|
Add an IPsec Profile.
|
|
Step 3
|
Add a VTI Tunnel.
|
A transform set is
required to secure traffic in a VTI tunnel. Used as a part of the IPsec
profile, it is a set of security protocols and algorithms that protects the
traffic in the VPN. Before You Begin
·
You can use either pre-shared key or certificates for
authenticating the IKEv1 session associated with a VTI. You must configure the
pre-shared key under the tunnel group used for the VTI.
·
For certificate based authentication using IKEv1, you must
specify the trustpoint to be used at the initiator. For the responder, you must
configure the trustpoint in the tunnel-group command.
Procedure
|
Add an IKEv1 transform set
that defines how to protect the traffic, enter the following command:
Example:
ciscoasa(config)#crypto ipsec ikev1
transform-set SET1 esp-aes esp-sha-hmac
|
An IPsec profile contains the
required security protocols and algorithms in the IPsec proposal or transform
set that it references. This ensures a secure, logical communication path
between two site-to-site VTI VPN peers.
Procedure
|
Step 1
|
crypto ipsec profile name
Example:
ciscoasa(config)#crypto ipsec profile PROFILE1
|
|
Step 2
|
Set the IKEv1 proposal. Enter
the following command in the crypto ipsec profile command sub-mode:
set ikev1 transform set set_name
In
this example, SET1 is the IKEv1 proposal set created previously.
ciscoasa(config-ipsec-profile)#set ikev1 transform-set SET1
|
|
Step 3
|
(Optional) Specify the
duration of the security association:
set security-association lifetime {seconds number | kilobytes {number | unlimited}}
Example:
ciscoasa(config-ipsec-profile)#set security-association
lifetime
seconds 120 kilobytes 10000
|
|
Step 4
|
(Optional) Configure the end
of the VTI tunnel to act only as a responder:
responder-only
|
|
Step 5
|
(Optional) Specify the PFS
group. Perfect Forward Secrecy (PFS) generates a unique session key for each
encrypted exchange. This unique session key protects the exchange from
subsequent decryption. To configure PFS, you have to select the
Diffie-Hellman key derivation algorithm to use when generating the PFS
session key. The key derivation algorithms generate IPsec security
association (SA) keys. Each group has a different size modulus. A larger
modulus provides higher security, but requires more processing time. You must
have matching Diffie-Hellman groups on both peers.
set pfs {group1 | group2 | group5}
Example:
ciscoasa(config-ipsec-profile)#set pfs group2
|
|
Note |
Implement IP SLA to ensure that the tunnel
remains up when a router in the active tunnel is unavailable. See Configure
Static Route Tracking in the ASA General Operations Configuration Guide
in http://www.cisco.com/go/asa-config.
|
|
Step 1
|
Create a new tunnel
interface:
interface tunnel tunnel_interface_number
Example:
ciscoasa(config)#interface tunnel 100
Specify
a tunnel ID, from a range of 0 to 100. Up to 100 VTI interfaces are
supported.
|
||
|
Step 2
|
Enter the name of the VTI
interface.
Enter the following command in the interface tunnel command submode:
nameif interface name
Example:
ciscoasa(config-if)#nameif vti
|
||
|
Step 3
|
Enter the IP address of the
VTI interface.
ip address IP addressmask
Example:
ciscoasa(config-if)#ip address 192.168.1.10
255.255.255.254
|
||
|
Step 4
|
Specify the tunnel source
interface.
tunnel source interface interface
name
Example:
ciscoasa(config-if)#tunnel source interface
outside
|
||
|
Step 5
|
Specify the tunnel
destination IP address.
tunnel destination IP
address
Example:
ciscoasa(config-if)#tunnel destination 10.1.1.1
|
||
|
Step 6
|
Configure the tunnel with
tunnel mode IPsec IPv4.
tunnel mode ipsec ipv4
Example:
ciscoasa(config-if)#tunnel mode ipsec ipv4
|
||
|
Step 7
|
Assign the IPsec profile to
tunnel.
tunnel protection ipsec IPsec
profile
Example:
ciscoasa(config-if)#tunnel protection ipsec
Profile1
This
new VTI can be used to create an IPsec site-to-site VPN.
|
~ End-of-Document ~
