VTI over IPsec configuration on Cisco router for Site-to-Site VPN

VTI over IPsec allows for a simplified implementation of site-to-site VPN on Cisco routers. The solution lets network engineers use ordinary internet connectivity to establish a secure communication path between two locations that can be continents apart.

While there are many ways to implement a secure site-to-site VPN on Cisco routers, VTI over IPsec reduces the complexity of the configuration while still ensuring that data integrity is not compromised. Unlike GRE tunneling, VTI over IPsec encapsulates IPv4 or IPv6 traffic without the need for an additional GRE header. The configuration is straightforward and does not involve creating access control lists or crypto maps.


The simple diagram below represents my network and the goal is to provide connectivity between the two local area networks attached to router2 and router3. Communication between these two networks should be secure.

[Figure: VTI over IPsec network diagram]

The cloud router has been configured with IP addresses on the two interfaces connecting to router2 and router3, and OSPF has been configured to provide reachability between the WAN IPs of router2 and router3. Let's set up VTI over IPsec on router2 and router3.

Configuration on Router2

int f0/0
ip add 192.168.1.2 255.255.255.252
no shut
int l0
ip add 192.168.10.1 255.255.255.0
exit
router ospf 1
passive-interface default
no passive-interface f0/0
netw 192.168.1.0 0.0.0.3

Configure IPSec

crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 5
exit
crypto isakmp key 0 cisco123 address 192.168.2.2
crypto ipsec transform-set VPN_SET esp-aes esp-sha-hmac
mode tunnel
exit
crypto ipsec profile VPN_PROFILE
set transform-set VPN_SET

Configure tunnel interface and add IPsec profile

int tun 0
ip add 192.168.3.1 255.255.255.252
ip mtu 1400
tun mode ipsec ipv4
tun protection ipsec profile VPN_PROFILE
tun source f0/0
tun destination 192.168.2.2

Establish eigrp neighborship over tunnel interface

router eigrp 10
netw 192.168.3.0
netw 192.168.10.0
no auto

Configuration on Router3

int f0/0
ip add 192.168.2.2 255.255.255.252
no shut
int l0
ip add 192.168.20.1 255.255.255.0
exit
router ospf 1
passive-interface default
no passive-interface f0/0
netw 192.168.2.0 0.0.0.3

IPSec configuration

crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 5
exit
crypto isakmp key 0 cisco123 address 192.168.1.2
crypto ipsec transform-set VPN_SET esp-aes esp-sha-hmac
mode tunnel
exit
crypto ipsec profile VPN_PROFILE
set transform-set VPN_SET

Tunnel interface configuration

int tun 0
ip add 192.168.3.2 255.255.255.252
ip mtu 1400
tun mode ipsec ipv4
tun protection ipsec profile VPN_PROFILE
tun source f0/0
tun destination 192.168.1.2

EIGRP configuration

router eigrp 10
netw 192.168.3.0
netw 192.168.20.0
no auto
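Before the connectivity test it is worth cross-checking the two configurations against each other, since a tunnel that never comes up is usually a mirror-image mistake (tunnel destination, ISAKMP key address or transform set not matching the peer). The script below is an added example, not part of this tutorial or of Cisco IOS: it parses the abbreviated IOS lines used on this page, checks that each side's tunnel destination and ISAKMP key address point at the other side's tunnel source address, compares the IKE/IPsec parameters, and flags the cleartext `key 0`, SHA-1 hash and DH group 5 settings shown here as ones to tighten. The `page_config` template and the function names are my own.

```python
import re

# Constructed sample built from this page's Router2/Router3 lines: one template renders either side.
def page_config(wan, peer_wan, tun_ip):
    return f"""int f0/0
ip add {wan} 255.255.255.252
crypto isakmp policy 10
encryption aes
hash sha
group 5
crypto isakmp key 0 cisco123 address {peer_wan}
crypto ipsec transform-set VPN_SET esp-aes esp-sha-hmac
int tun 0
ip add {tun_ip} 255.255.255.252
tun source f0/0
tun destination {peer_wan}"""

# Pull the fields the two VTI peers must agree on out of pasted IOS text (abbreviated forms accepted).
def parse(cfg):
    c, iface = {"ip": {}}, None
    for line in map(str.strip, cfg.splitlines()):
        if m := re.match(r"int\S* (\S+)", line):
            iface = m.group(1)                      # interface whose "ip add" line follows
        elif m := re.match(r"ip add\S* (\S+)", line):
            c["ip"][iface] = m.group(1)
        elif m := re.match(r"tun\S* (source|destination) (\S+)", line):
            c["tun_" + m.group(1)] = m.group(2)
        elif m := re.match(r"crypto isakmp key (\d) \S+ address (\S+)", line):
            c["key_type"], c["peer"] = m.groups()   # "0" means the PSK was typed in cleartext
        elif m := re.match(r"(encryption|hash|group) (.+)", line):
            c[m.group(1)] = m.group(2)              # ISAKMP policy parameters
        elif m := re.match(r"crypto ipsec transform-set \S+ (.+)", line):
            c["ts"] = m.group(1)
    return c

# Cross-check the two sides and flag settings a reviewer would tighten: cleartext PSK, SHA-1, DH group < 14.
def audit(a, b):
    out = []
    for me, peer, n in ((a, b, "A"), (b, a, "B")):
        wan = peer["ip"].get(peer.get("tun_source"))   # the peer's tunnel source address
        checks = [
            (me.get("tun_destination") != wan, f"tunnel destination {me.get('tun_destination')} != peer WAN {wan}"),
            (me.get("peer") != wan, f"isakmp key address {me.get('peer')} != peer WAN {wan}"),
            (me.get("key_type") == "0", "pre-shared key entered in cleartext (key 0)"),
            (me.get("hash") == "sha", "isakmp hash sha is SHA-1"),
            (int(me.get("group", 0)) < 14, f"DH group {me.get('group')} is weaker than group 14"),
        ]
        out += [f"{n}: {msg}" for bad, msg in checks if bad]
    out += [f"{k} mismatch: {a.get(k)} vs {b.get(k)}"
            for k in ("encryption", "hash", "group", "ts") if a.get(k) != b.get(k)]
    return out
```

Running `audit(parse(r2_text), parse(r3_text))` on the two configurations above reports no mismatch, only the three hardening findings per router.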

LAN-to-LAN connectivity test

[Figure: LAN-to-LAN connectivity test output]

If you enjoyed this tutorial, please subscribe to this blog to receive my posts via email. Also subscribe to my YouTube channel, like my Facebook page and follow me on Twitter.
