Cisco - Configuring Cisco Easy VPN With IPSec Dynamic Virtual Tunnel Interface (DVTI)
White Paper
With IPSec DVTIs and Cisco Easy VPN, users can provide highly secure connectivity for remote-access VPNs that
can be combined with Cisco AVVID (Architecture for Voice, Video and Integrated Data) to deliver converged voice,
video, and data over IP networks.
© 2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 1 of 14
Benefits
● Simplifies Management: Customers can use the Cisco IOS virtual template to clone new virtual access
interfaces for IPSec on demand, which reduces VPN configuration complexity and therefore cost. In addition,
existing management applications can now monitor a separate interface per site.
● Provides a Routable Interface: Cisco IPSec VTIs support all types of IP routing protocols. Customers can use
this capability to connect larger office environments, such as branch offices.
● Improves Scaling: IPSec VTIs use a single security association per site that covers all types of traffic, which
improves scaling.
● Offers Flexibility in Defining Features: An IPSec VTI is an encapsulation within its own interface. This makes
it possible to define features for clear-text traffic on the IPSec VTI and features for encrypted traffic on the
physical interface.
Configuration Summary
The Cisco Easy VPN with DVTI configuration provides a routable interface to selectively send traffic to different
destinations, such as an Easy VPN concentrator, a different site-to-site peer, or the Internet. IPSec DVTI
configuration does not require a static mapping of IPSec sessions to a physical interface. This allows for the flexibility
of sending and receiving encrypted traffic on any physical interface, such as in the case of multiple paths. Traffic is
encrypted when it is forwarded from or to the tunnel interface.
The traffic is forwarded to or from the tunnel interface by virtue of the IP routing table. Routes are dynamically
learned during Internet Key Exchange (IKE) Mode Configuration and inserted into the routing table pointing to the
DVTI. Dynamic IP routing can be used to propagate routes across the VPN. Using IP routing to forward the traffic to
encryption simplifies the IPSec VPN configuration when compared with using ACLs with the crypto map in native
IPSec configuration.
Before Cisco IOS Release 12.4(2)T, at the tunnel-up/tunnel-down transition, attributes that were pushed during the
mode configuration had to be parsed and applied. When such attributes resulted in the configurations being applied
on the interface, the existing configuration had to be overridden. With the Dynamic Virtual Tunnel Interface Support
feature, the tunnel-up configuration can be applied to separate interfaces, making it easier to support separate
features at tunnel-up time. Features that are applied to the traffic (before encryption) going into the tunnel can be
separate from the features that are applied to traffic that is not going through the tunnel (for example, split-tunnel
traffic and traffic leaving the device when the tunnel is not up).
When the Easy VPN negotiation is successful, the line protocol state of the virtual access interface gets changed to
up. When the Easy VPN tunnel goes down because the security association expires or is deleted, the line protocol
state of the virtual access interface changes to down.
The routing tables act as traffic selectors in an Easy VPN virtual interface configuration—that is, the routes replace
the access list on the crypto map. In a virtual interface configuration, Easy VPN negotiates a single IPSec security
association if the Easy VPN Server has been configured with an IPSec DVTI. This single security association is
created regardless of the Easy VPN mode that is configured.
After the security association is established, routes that point to the virtual access interface are added to direct traffic
to the corporate network. Easy VPN also adds a route to the VPN concentrator so that IPSec-encapsulated packets
get routed to the corporate network. In nonsplit mode, a default route that points to the virtual access interface is
added. When the Easy VPN server “pushes” the split tunnel attribute, the routes that point to the virtual access
interface are added for the split-tunnel subnets instead. In either case, if the peer (VPN concentrator) is not directly
connected, Easy VPN adds a route to the peer.
Note: Most routers that run the Cisco Easy VPN Client software have a default route configured. The default route
that is configured must have a metric value greater than 1—Easy VPN adds a default route that has a metric value of
1. The route points to the virtual access interface so that all traffic is directed to the corporate network when the
concentrator does not “push” the split tunnel attribute.
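The route-as-traffic-selector behaviour described above, as an added Python model (not Cisco code and not part of the original paper): it takes the spoke's routing table before the tunnel comes up and the attributes pushed by the server, installs the routes Easy VPN would add, and reports which egress a destination takes in split and nonsplit mode. The interface names, the metric-254 DHCP default route and the split-tunnel subnet are constructed assumptions; the peer address is the hub address from the spoke configuration below.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

EASYVPN_METRIC = 1  # Easy VPN installs its routes with metric 1 (see the note above)


@dataclass(frozen=True)
class Route:
    prefix: str   # e.g. "0.0.0.0/0" or "192.168.20.0/24"
    via: str      # outgoing interface or next-hop address
    metric: int


def default_route_ok(rib):
    """Precondition from the note: a configured default route needs a metric
    greater than 1, or it competes with the metric-1 default Easy VPN adds."""
    return all(r.metric > EASYVPN_METRIC for r in rib if r.prefix == "0.0.0.0/0")


def tunnel_up(rib, peer, connected, split_tunnel, vaccess="Virtual-Access2"):
    """Return the RIB after a successful negotiation. split_tunnel holds the
    subnets the server pushes (the hub's 'acl 101'); None means nonsplit."""
    new = list(rib)
    if not any(ip_address(peer) in ip_network(c) for c in connected):
        # Peer not directly connected: host route so the IPsec-encapsulated
        # packets keep leaving by the physical path (assumed here to be the
        # next hop of the pre-tunnel default route).
        phys = next((r.via for r in rib if r.prefix == "0.0.0.0/0"), None)
        if phys:
            new.append(Route(f"{peer}/32", phys, EASYVPN_METRIC))
    if split_tunnel:  # split mode: one route per pushed subnet
        new += [Route(s, vaccess, EASYVPN_METRIC) for s in split_tunnel]
    else:             # nonsplit mode: a default route into the tunnel
        new.append(Route("0.0.0.0/0", vaccess, EASYVPN_METRIC))
    return new


def egress(rib, dst):
    """Longest prefix match, lowest metric on ties: the routing table is the
    traffic selector, so this decides what gets encrypted."""
    cands = [r for r in rib if ip_address(dst) in ip_network(r.prefix)]
    best = max(cands, key=lambda r: (ip_network(r.prefix).prefixlen, -r.metric))
    return best.via


# Constructed spoke state: DHCP default route via the ISP gateway, metric 254.
SPOKE_RIB = [Route("0.0.0.0/0", "10.0.1.1", 254), Route("10.0.1.0/24", "Ethernet1", 0)]
PEER = "10.0.149.221"          # hub address from the spoke configuration below
CORP = ["192.168.20.0/24"]     # constructed split-tunnel subnet (acl 101 on the hub)
```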
QoS can be used to improve the performance of different applications across the network. In this configuration,
traffic shaping is used between the two sites to limit the total amount of traffic that should be transmitted between the
sites. Additionally, the QoS configuration can support any combination of QoS features offered in Cisco IOS
Software, to support any of the voice, video, or data applications.
A link to more information about IPSec DVTI is provided in the Related Information section of this document.
Note: The QoS configuration in this guide is for demonstration only. VTI scalability results are expected to be
similar to those of p2p GRE over IPsec. For scaling and performance considerations, please contact your Cisco
representative. For additional information, see the Virtual Tunnel Interface (VTI) Design Guide:
http://www.cisco.com/en/US/technologies/tk583/tk372/technologies_white_paper0900aecd8029d629_ps6635_Products_White_Paper.html
Limitations
This guide provides a sample Easy VPN with DVTI configuration only. It does not cover the following:
● A full security audit of the router. It is recommended that users run a Cisco Router and Security Device
Manager (SDM) security audit in Wizard Mode to lock down and secure the router.
● The initial router configuration step, which is not shown in the steps. The full configuration is shown in the
following section.
● Split tunneling is enabled in this guide. It is enabled on the hub by the acl 101 command under the crypto
isakmp client configuration group mode. To disable split tunneling on the remote, remove the acl command
from the Easy VPN Server. The spoke is configured with Port Address Translation (PAT) to provide connectivity
over the Internet.
● This configuration uses User Extension Mode. For details on configuring this mode, please review the Cisco
Easy VPN Remote or Server documentation.
● This configuration does not include multicast.
Restrictions
DVTI is only supported in the context of Enhanced Easy VPN. Routing with DVTIs is not supported or recommended.
A DVTI interface on the headend router cannot terminate on an SVTI interface on the remote peer. An SVTI interface
can only terminate on another SVTI interface.
Components Used
The sample configuration uses the following releases of the software and hardware:
The information presented in this document was created from devices in a specific lab environment. All of the
devices started with a cleared (default) configuration. If you are working in a live network, it is imperative to
understand the potential impact of any command before implementing it.
Router Configuration
Hub (Easy VPN server) configuration, c3725-21. Only fragments of the configuration survived extraction; where the
enclosing command of a block is missing, an IOS comment line ("!") says so rather than guessing it.
version 12.4
hostname c3725-21
aaa new-model
resource policy
ip subnet-zero
ip cef
! Shaping policy applied to the virtual template (the shape parameters are not in the extracted text)
policy-map FOO
 class class-default
! ISAKMP (IKE phase 1) policy; the "crypto isakmp policy <n>" header is missing
 encr 3des
 authentication pre-share
 group 2
! Easy VPN group attributes pushed by IKE Mode Configuration; the
! "crypto isakmp client configuration group <name>" header is missing
 key cisco
 dns 6.0.0.2
 wins 7.0.0.1
 domain cisco.com
 pool dpool
 acl 101
! "virtual-template 1" belongs under the ISAKMP profile (crypto isakmp profile vi) and clones one
! Virtual-Access interface from Virtual-Template1 per client; "set isakmp-profile vi" belongs under
! the IPsec profile (crypto ipsec profile <name>). Both headers are missing.
 virtual-template 1
 set isakmp-profile vi
interface FastEthernet0/0
 duplex auto
 speed auto
interface FastEthernet0/1
 duplex auto
 speed 100
! "ip unnumbered FastEthernet0/0" belongs under "interface Virtual-Template1 type tunnel", whose
! header (and its tunnel mode, tunnel protection and service-policy lines) is missing
 ip unnumbered FastEthernet0/0
router eigrp 1
 network 192.168.1.0
 network 192.168.20.0
 no auto-summary
ip classless
control-plane
end
Spoke (Easy VPN remote) configuration, c1751-16, with the same conventions for missing lines.
version 12.3
hostname c1751-16
no aaa new-model
ip subnet-zero
ip cef
! ISAKMP (IKE phase 1) policy; the "crypto isakmp policy <n>" header is missing
 encr 3des
 authentication pre-share
 group 2
! Easy VPN remote profile; the "crypto ipsec client ezvpn <name>" header is missing
 connect manual
 local-address FastEthernet0/0
 mode client
 peer 10.0.149.221
interface Loopback0
interface Ethernet0/0
 half-duplex
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$
 ip address dhcp
 speed 100
 full-duplex
ip classless
end
Interface: Virtual-Access4
Phase1_id: cisco
Desc: (none)
Interface: Virtual-Access2
Phase1_id: cisco
Desc: (none)
c3725-21#show ip route
Encapsulation TUNNEL
Virtual-Access2
Match: any
Traffic Shaping
- 0 15 1500 0 0 no
c831-27#
o Server_public_addr=10.0.149.221 Assigned_client_addr=5.0.0.3
changed state to up
c831-27#ping 192.168.20.21
!!!!!
Interface: Ethernet1
Phase1_id: 10.0.149.221
Desc: (none)
c831-27#show ip route
Encapsulation TUNNEL
Virtual-Access2
Match: any
Traffic Shaping
- 0 2140 214000 0 0 no
Outside interfaces:
Ethernet1, Virtual-Access2
Inside interfaces:
Ethernet0, Virtual-Template1
Expired translations: 28
Dynamic mappings:
-- Inside Source
Queued Packets: 0
Related Information
● IPSec Support Page
● Cisco Easy VPN Remote
● Easy VPN Server
● IPSec Virtual Tunnel Interface
● Configuring IPSec Network Security
● Configuring Internet Key Exchange Security Protocol
● Command Lookup Tool (registered customers only)
● Technical Support—Cisco Systems