
Configuring IPsec VTI Site-to-Site VPN

Introduction

Short for IP Security, IPsec is an Internet Engineering Task Force (IETF) standard suite of protocols that provides data authentication, integrity, and confidentiality between two communication points across an IP network. It is supported by many different vendors. OpenSSL can still be preferred over IPsec.

IP security (IPsec) Virtual Tunnel Interfaces (VTIs) provide a routable interface type for terminating IPsec tunnels and an easy way to define protection between sites to form an overlay network. IPsec VTIs simplify configuration of IPsec for protection of remote links, support multicast, and simplify network management and load balancing. IPsec VTI provides an alternative to GRE tunnels.

In this lab, we are going to configure an IPsec VTI site-to-site VPN capable of carrying the OSPF routing protocol. The topology is as below.

A limitation of IPsec VPNs is that they only forward unicast traffic across the VPN tunnel. Therefore, routing protocol traffic is not propagated across the VPN tunnel.

GRE over IPsec VPN could be configured to carry routing protocol traffic over the IPsec VPN. However, IPsec VTI is simpler and more efficient than GRE over IPsec.

IPsec VTI can be configured using:

  • Static VTIs (SVTIs) – SVTI configurations can be used for site-to-site connectivity in which a tunnel provides always-on access between two sites. The advantage of using SVTIs as opposed to crypto map configurations is that users can enable dynamic routing protocols on the tunnel interface without the extra 4 bytes required for GRE headers, therefore reducing the bandwidth needed to send encrypted data.
  • Dynamic VTIs (DVTIs) – DVTIs can provide highly secure and scalable connectivity for remote-access VPNs. The DVTI technology replaces dynamic crypto maps and the dynamic hub-and-spoke method for establishing tunnels.

The steps to enable IPsec VTI are very similar to GRE over IPsec except:

Step 1. The tunnel interface is configured with the tunnel mode ipsec {ipv4 | ipv6} command.

Step 2. The transform set is configured with the mode tunnel command. An ACL is not required.

Like site-to-site VPNs using crypto maps and GRE over IPsec using crypto maps, IPsec VTI also requires the following:

  • ISAKMP policy configuration and pre-shared key configured
  • Transform set configured
  • IPsec profile configured

Reference: IPSec Virtual Tunnel Interface – Cisco Systems

In this lab we are going to configure a static IPsec VTI (SVTI) to provide an always-on site-to-site VPN.

On the HQ Router, the configuration is as below:

hq-router(config)#crypto isakmp policy 20
hq-router(config-isakmp)#encryption aes 256
hq-router(config-isakmp)#hash sha256
hq-router(config-isakmp)#authentication pre-share
hq-router(config-isakmp)#group 14
hq-router(config-isakmp)#lifetime 3600
hq-router(config-isakmp)#exit
hq-router(config)#

On the Branch router, we shall do the same:

branch(config)#crypto isakmp policy 20
branch(config-isakmp)#encryption aes 256
branch(config-isakmp)#hash sha256
branch(config-isakmp)#authentication pre-share
branch(config-isakmp)#group 14
branch(config-isakmp)#lifetime 3600
branch(config-isakmp)#exit
branch(config)#

Next, we are going to configure the pre-shared keys on both routers.

hq-router(config)#crypto isakmp key admin123 address 200.200.200.2
hq-router(config)#

branch(config)#crypto isakmp key admin123 address 209.165.201.17
branch(config)#

We will then create a new transform set using ESP AES 256 for encryption and ESP SHA256 HMAC for authentication, and then set the mode to tunnel.

On the HQ router:

hq-router(config)#crypto ipsec transform-set VTI-VPN esp-aes 256 esp-sha256-hmac
hq-router(cfg-crypto-trans)#mode tunnel
hq-router(cfg-crypto-trans)#exit
hq-router(config)#

On our branch router:

branch(config)#crypto ipsec transform-set VTI-VPN esp-aes 256 esp-sha256-hmac
branch(cfg-crypto-trans)#mode tunnel
branch(cfg-crypto-trans)#exit
branch(config)#

Next, we shall configure an IPsec profile and set its transform set to VTI-VPN on both routers, as below:

hq-router(config)#crypto ipsec profile VTI-PROFILE
hq-router(ipsec-profile)#set transform-set VTI-VPN
hq-router(ipsec-profile)#exit
hq-router(config)#

branch(config)#crypto ipsec profile VTI-PROFILE
branch(ipsec-profile)#set transform-set VTI-VPN
branch(ipsec-profile)#exit
branch(config)#

We can then proceed to configure a tunnel interface. A tunnel interface defaults to GRE mode, but we shall set it to ipsec ipv4 mode.

hq-router(config)#interface tunnel 0
*Apr 26 14:10:40.812: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
hq-router(config-if)#bandwidth 10000
hq-router(config-if)#ip add 10.10.10.1 255.255.255.252
hq-router(config-if)#ip mtu 1400
hq-router(config-if)#tunnel source 209.165.201.17
hq-router(config-if)#tunnel destination 200.200.200.2
hq-router(config-if)#exit
hq-router(config)#
*Apr 26 14:12:38.780: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
hq-router(config)#interface tunnel 0
hq-router(config-if)#tunnel mode ipsec ipv4
*Apr 26 14:14:13.712: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
hq-router(config-if)#

The IPsec profile must be applied as below:

hq-router(config)#int tunnel 0
hq-router(config-if)#tunnel protection ipsec profile VTI-PROFILE
*Apr 26 14:16:51.060: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
hq-router(config-if)#

We shall do the same on our branch router:

branch(config)#int tunnel 0
*Apr 26 14:17:46.371: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
branch(config-if)#bandwidth 10000
branch(config-if)#ip add 10.10.10.2 255.255.255.252
branch(config-if)#ip mtu 1400
branch(config-if)#tunnel source 200.200.200.2
branch(config-if)#tunnel destination 209.165.201.17
*Apr 26 14:18:42.982: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
branch(config-if)#tunnel mode ipsec ipv4
*Apr 26 14:19:04.124: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
branch(config-if)#tunnel protection ipsec profile VTI-PROFILE
*Apr 26 14:19:17.410: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*Apr 26 14:19:17.569: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
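Both ends are now configured, and the tunnel only comes up if the two sides agree on every one of the pieces listed earlier (ISAKMP policy, pre-shared key and peer address, transform set, profile, tunnel source and destination). The following Python script is an added example, not part of the lab or of Cisco's tooling: it reads the two configurations as they would appear in the running config (the text embedded below is constructed from the lab's commands) and reports the mismatches that most often keep a site-to-site tunnel down. The field names and messages are my own.

```python
"""Cross-check both ends of a Cisco IOS IPsec SVTI configuration.

Added example, not part of the lab: it reads each router's relevant config lines
and reports the mismatches that most often keep a site-to-site tunnel down.
"""
import ipaddress
import re

# Constructed sample: the lab's HQ commands as they appear in the running config.
HQ_CONFIG = """\
crypto isakmp policy 20
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 3600
crypto isakmp key admin123 address 200.200.200.2
crypto ipsec transform-set VTI-VPN esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile VTI-PROFILE
 set transform-set VTI-VPN
interface Tunnel0
 ip address 10.10.10.1 255.255.255.252
 ip mtu 1400
 tunnel source 209.165.201.17
 tunnel destination 200.200.200.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
"""
# The branch is the mirror image: public addresses swapped, other host of the /30.
BRANCH_CONFIG = (
    HQ_CONFIG.replace("key admin123 address 200.200.200.2", "key admin123 address 209.165.201.17")
    .replace("ip address 10.10.10.1 ", "ip address 10.10.10.2 ")
    .replace("tunnel source 209.165.201.17", "tunnel source 200.200.200.2")
    .replace("tunnel destination 200.200.200.2", "tunnel destination 209.165.201.17")
)

# One regex per field; the capture groups are what gets compared.
FIELDS = {
    "isakmp encryption": r"^\s+encryption (.+)$",
    "isakmp hash": r"^\s+hash (\S+)$",
    "isakmp authentication": r"^\s+authentication (\S+)$",
    "isakmp group": r"^\s+group (\d+)$",
    "isakmp lifetime": r"^\s+lifetime (\d+)$",
    "psk": r"^crypto isakmp key (\S+) address (\S+)$",
    "transform-set": r"^crypto ipsec transform-set (\S+) (.+)$",
    "transform mode": r"^\s+mode (\S+)$",
    "profile": r"^crypto ipsec profile (\S+)$",
    "profile transform-set": r"^\s+set transform-set (\S+)$",
    "tunnel ip": r"^\s+ip address (\S+) (\S+)$",
    "tunnel source": r"^\s+tunnel source (\S+)$",
    "tunnel destination": r"^\s+tunnel destination (\S+)$",
    "tunnel mode": r"^\s+tunnel mode (.+)$",
    "tunnel protection": r"^\s+tunnel protection ipsec profile (\S+)$",
}

def parse(config):
    """Return {field: captured groups} for every field found in the config text."""
    return {name: m.groups() for name, pat in FIELDS.items()
            if (m := re.search(pat, config, re.M))}

def check(hq_text, branch_text):
    """Return a list of problems; an empty list means the two ends agree."""
    hq, br = parse(hq_text), parse(branch_text)
    first = lambda cfg, f: cfg.get(f, (None,))[0]
    problems = []
    # Parameters that must be identical on both peers.
    for f in ("isakmp encryption", "isakmp hash", "isakmp authentication", "isakmp group",
              "isakmp lifetime", "transform-set", "transform mode", "tunnel mode"):
        if hq.get(f) != br.get(f):
            problems.append(f"{f} differs: HQ={hq.get(f)} branch={br.get(f)}")
    # Same secret on both sides, each keyed to the address the peer sources the tunnel from.
    if first(hq, "psk") != first(br, "psk"):
        problems.append("pre-shared keys differ")
    for label, me, peer in (("HQ", hq, br), ("branch", br, hq)):
        if me.get("psk", (None, None))[1] != first(peer, "tunnel source"):
            problems.append(f"{label}: PSK is keyed to an address that is not the peer's tunnel source")
        # Tunnel endpoints must mirror each other.
        if first(me, "tunnel destination") != first(peer, "tunnel source"):
            problems.append(f"{label}: tunnel destination is not the peer's tunnel source")
        # The applied profile must exist and reference the defined transform set.
        if me.get("tunnel protection") != me.get("profile"):
            problems.append(f"{label}: tunnel protection names a profile that is not defined")
        if first(me, "profile transform-set") != first(me, "transform-set"):
            problems.append(f"{label}: profile does not reference the transform set")
    # Tunnel addresses must be two different hosts of one subnet (a /30 in the lab).
    try:
        a, b = (ipaddress.ip_interface("%s/%s" % cfg["tunnel ip"]) for cfg in (hq, br))
        if a.network != b.network or a.ip == b.ip:
            problems.append("tunnel interface addresses are not two hosts of one subnet")
    except (KeyError, ValueError):
        problems.append("tunnel interface address missing or malformed")
    return problems

if __name__ == "__main__":
    print("lab config:", check(HQ_CONFIG, BRANCH_CONFIG) or "consistent")
    print("drifted:", check(HQ_CONFIG, BRANCH_CONFIG.replace(" group 14", " group 5")))
```

Run as-is it reports the lab's two configurations as consistent, then shows what a single-parameter drift (the branch moved to DH group 5) looks like. In practice you would feed it the output of show running-config from each router; the per-field regexes only look at the first match, so a router with several ISAKMP policies would need the policy blocks split out first.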

We shall then configure OSPF to advertise the tunnel interface.

hq-router(config)#router ospf 1
hq-router(config-router)#network 10.10.10.0 0.0.0.3 area 0
hq-router(config-router)#exit
hq-router(config)#

branch(config)#router ospf 1
branch(config-router)#network 10.10.10.0 0.0.0.3 area 0
branch(config-router)#exit
*Apr 26 14:21:20.199: %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.1 on Tunnel0 from LOADING to FULL, Loading Done
branch(config)#

Notice that we now have an OSPF adjacency on the Tunnel0 interface. We can then proceed to verify our configuration:

hq-router#show int tunnel 0
Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 10.10.10.1/30
  MTU 17878 bytes, BW 10000 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel linestate evaluation up
  Tunnel source 209.165.201.17, destination 200.200.200.2
  Tunnel protocol/transport IPSEC/IP
  Tunnel TTL 255
  Tunnel transport MTU 1438 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "VTI-PROFILE")
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 00:12:05
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     16 packets input, 1548 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     22 packets output, 2008 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out
hq-router#

You can see from the output that the tunnel protocol/transport is IPSEC/IP.
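The output above also reports "Tunnel transport MTU 1438 bytes", and earlier we set ip mtu 1400 on the interface. Both numbers come from the overhead that ESP in tunnel mode adds to every packet. The following Python is an added example, not from the lab or from Cisco: it works out that overhead for the lab's transform set (esp-aes 256 with esp-sha256-hmac), assuming AES in CBC mode with a 16-byte IV and an HMAC-SHA-256 ICV truncated to 128 bits as in RFC 4868. That the fixed part of this overhead (62 bytes) is exactly 1500 minus the 1438 shown by IOS is my reading of where the router's number comes from, not something the lab states.

```python
"""ESP tunnel-mode overhead for 'esp-aes 256 esp-sha256-hmac' (added example, not from the lab)."""

# Fixed per-packet costs, in bytes. Assumptions: AES in CBC mode (16-byte IV) and
# HMAC-SHA-256 with the 128-bit truncated ICV of RFC 4868.
OUTER_IPV4_HEADER = 20  # new outer IP header added by tunnel mode
ESP_HEADER = 8          # SPI (4) + sequence number (4)
AES_CBC_IV = 16
ESP_TRAILER = 2         # pad length (1) + next header (1)
HMAC_SHA256_ICV = 16
AES_BLOCK = 16


def fixed_overhead():
    """Overhead every packet pays before padding is counted (62 bytes for this transform set)."""
    return OUTER_IPV4_HEADER + ESP_HEADER + AES_CBC_IV + ESP_TRAILER + HMAC_SHA256_ICV


def esp_padding(inner_len):
    """Padding needed so that (inner packet + ESP trailer) is a whole number of AES blocks."""
    return -(inner_len + ESP_TRAILER) % AES_BLOCK


def outer_length(inner_len):
    """Bytes on the wire for an inner IP packet of inner_len bytes after ESP tunnel-mode encapsulation."""
    return fixed_overhead() + inner_len + esp_padding(inner_len)


def max_inner_length(link_mtu=1500):
    """Largest inner packet whose encrypted form still fits the underlying link MTU."""
    n = link_mtu - fixed_overhead()
    while outer_length(n) > link_mtu:
        n -= 1
    return n


def headroom(ip_mtu, link_mtu=1500):
    """Spare bytes on the link after encapsulating a packet of ip_mtu bytes (negative means fragmentation)."""
    return link_mtu - outer_length(ip_mtu)


if __name__ == "__main__":
    print("fixed overhead:", fixed_overhead())
    print("largest inner packet on a 1500-byte link:", max_inner_length())
    print("ip mtu 1400 -> outer packet", outer_length(1400), "bytes, headroom", headroom(1400))
```

With these assumptions the largest inner packet that fits a 1500-byte link is 1438 bytes, matching the router's transport MTU, and a 1400-byte inner packet becomes a 1468-byte outer packet, so the lab's ip mtu 1400 leaves 32 bytes of headroom and the encrypted packets are never fragmented on a standard Ethernet path.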
We can also verify the crypto settings:

hq-router#show crypto session
Crypto session current status

Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 200.200.200.2 port 500
  Session ID: 0
  IKEv1 SA: local 209.165.201.17/500 remote 200.200.200.2/500 Active
  Session ID: 0
  IKEv1 SA: local 209.165.201.17/500 remote 200.200.200.2/500 Active
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 4, origin: crypto map

hq-router#

We can now test the IPsec VTI tunnel from the two PCs.

HQ-PC

As you can see, the path taken from the HQ PC to the branch PC is through the VPN tunnel interface.

That's it. I hope you enjoyed this and learned how to configure an IPsec VTI site-to-site VPN.

bl4ckwidow

Co-Founder of Labing Overload. I am a Web Developer/Network Engineer turned CyberSecurity Engineer. FOSS enthusiast. Cisco Technologies enthusiast. Network Penetration Tester.
