This post covers how to configure VTI tunnels with IKEv2 and IPsec on Cisco IOS routers.
A Virtual Tunnel Interface (VTI) is a logical interface that poses as an alternative to policy-based VPNs. VTI support on Cisco routers provides the capability of creating route-based IPsec VPNs that support dynamic or static routing as required by many Virtual Private Clouds.
The following diagram displays the topology to configure.
The next sections will give you the configuration commands needed to configure IKEv2, IPsec, and a VTI tunnel under the global and a user-created VRF.
Configure IKEv2
Here are the configuration commands to configure IKEv2 on a Cisco IOS router.
Needless to say, use the same encryption and hashing algorithms on both ends of the tunnel, and choose the most secure ones available.
To configure IKEv2, you have to configure a:
- Proposal
- Policy
- Keyring (pre-shared key)
- Profile
Here are Router 1’s IKEv2 CLI commands.
## IKEv2 Proposal
crypto ikev2 proposal IKEv2_PROPOSAL_1
encryption des
integrity md5
group 5
exit
## IKEv2 Policy for Global VRF
crypto ikev2 policy IKEv2_POLICY_1
proposal IKEv2_PROPOSAL_1
exit
## IKEv2 Policy for VRF ISP2
crypto ikev2 policy IKEv2_POLICY_2
match fvrf ISP2
proposal IKEv2_PROPOSAL_1
exit
## IKEv2 Keyring (pre-shared keys)
crypto ikev2 keyring KEYRING
peer R2_GLOBAL_VRF
description R2 OVER ISP1
address 10.0.12.1 255.255.255.255
pre-shared-key ciscoISP1
exit
peer R2_ISP2_VRF
description R2 OVER ISP2
address 10.0.22.1 255.255.255.255
pre-shared-key ciscoISP2
exit
exit
## IKEv2 Profile for Global VRF
crypto ikev2 profile IKEv2_PROFILE_1
description IKEv2 PROFILE for R2 OVER ISP1
match identity remote address 10.0.12.1 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local KEYRING
exit
## IKEv2 Profile for VRF ISP2
crypto ikev2 profile IKEv2_PROFILE_2
description IKEv2 PROFILE for R2 OVER ISP2
match fvrf ISP2
match identity remote address 10.0.22.1 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local KEYRING
exit
Here are Router 2’s IKEv2 configuration commands.
## IKEv2 Proposal
crypto ikev2 proposal IKEv2_PROPOSAL_1
encryption des
integrity md5
group 5
exit
## IKEv2 Policy for Global VRF
crypto ikev2 policy IKEv2_POLICY_1
proposal IKEv2_PROPOSAL_1
exit
## IKEv2 Policy for VRF ISP2
crypto ikev2 policy IKEv2_POLICY_2
match fvrf ISP2
proposal IKEv2_PROPOSAL_1
exit
## IKEv2 Keyring (pre-shared keys)
crypto ikev2 keyring KEYRING
peer R1_GLOBAL_VRF
description R1 OVER ISP1
address 10.0.11.1 255.255.255.255
pre-shared-key ciscoISP1
exit
peer R1_ISP2_VRF
description R1 OVER ISP2
address 10.0.21.1 255.255.255.255
pre-shared-key ciscoISP2
exit
exit
## IKEv2 Profile for Global VRF
crypto ikev2 profile IKEv2_PROFILE_1
description IKEv2 PROFILE for R1 OVER ISP1
match identity remote address 10.0.11.1 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local KEYRING
exit
## IKEv2 Profile for VRF ISP2
crypto ikev2 profile IKEv2_PROFILE_2
description IKEv2 PROFILE for R1 OVER VRF ISP2
match fvrf ISP2
match identity remote address 10.0.21.1 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local KEYRING
exit
Verification
Verify configured IKEv2 proposals.
R1#show crypto ikev2 proposal
IKEv2 proposal: IKEv2_PROPOSAL_DES_MD5_DHG5
Encryption : DES
Integrity : MD596
PRF : MD5
DH Group : DH_GROUP_1536_MODP/Group 5
IKEv2 proposal: default
Encryption : AES-CBC-256 AES-CBC-192 AES-CBC-128
Integrity : SHA512 SHA384 SHA256 SHA96 MD596
PRF : SHA512 SHA384 SHA256 SHA1 MD5
DH Group : DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2
R1#
Verify configured IKEv2 policies. Notice the VRF references.
R1#show crypto ikev2 policy
IKEv2 policy : IKEv2_POLICY_1
Match fvrf : global
Match address local : any
Proposal : IKEv2_PROPOSAL_DES_MD5_DHG5
IKEv2 policy : IKEv2_POLICY_2
Match fvrf : ISP2
Match address local : any
Proposal : IKEv2_PROPOSAL_DES_MD5_DHG5
IKEv2 policy : default
Match fvrf : any
Match address local : any
Proposal : default
R1#
Verify configured pre-shared keys.
R1#show runn | sec crypto ikev2 keyring
crypto ikev2 keyring KEYRING
peer R2_GLOBAL_VRF
description R2 OVER ISP1
address 10.0.12.1
pre-shared-key ciscoISP1
!
peer R2_ISP2_VRF
description R2 OVER ISP2
address 10.0.22.1
pre-shared-key ciscoISP2
!
R1#
Verify configured IKEv2 profiles.
R1#show crypto ikev2 profile
IKEv2 profile: IKEv2_PROFILE_1
Ref Count: 5
Description: IKEv2 PROFILE for R2 OVER ISP1
Match criteria:
Fvrf: global
Local address/interface: none
Identities:
address 10.0.12.1 255.255.255.255
Certificate maps: none
Local identity: none
Remote identity: none
Local authentication method: pre-share
Remote authentication method(s): pre-share
EAP options: none
Keyring: KEYRING
Trustpoint(s): none
Lifetime: 86400 seconds
DPD: disabled
NAT-keepalive: disabled
Ivrf: none
Virtual-template: none
mode auto: none
AAA AnyConnect EAP authentication mlist: none
AAA EAP authentication mlist: none
AAA Accounting: none
AAA group authorization: none
AAA user authorization: none
IKEv2 profile: IKEv2_PROFILE_2
Ref Count: 5
Description: IKEv2 PROFILE for R2 OVER VRF ISP2
Match criteria:
Fvrf: ISP2
Local address/interface: none
Identities:
address 10.0.22.1 255.255.255.255
Certificate maps: none
Local identity: none
Remote identity: none
Local authentication method: pre-share
Remote authentication method(s): pre-share
EAP options: none
Keyring: KEYRING
Trustpoint(s): none
Lifetime: 86400 seconds
DPD: disabled
NAT-keepalive: disabled
Ivrf: none
Virtual-template: none
mode auto: none
AAA AnyConnect EAP authentication mlist: none
AAA EAP authentication mlist: none
AAA Accounting: none
AAA group authorization: none
AAA user authorization: none
R1#show crypto ikev2 profile ?
WORD profile name
| Output modifiers
<cr> <cr>
R1#
Now that Phase 1 (IKEv2) is configured on both Cisco routers, let’s move on to the configuration of Phase 2.
Configure IPsec
This section provides the CLI commands to configure IPsec on a Cisco IOS router.
To configure Phase 2, you have to create an:
- IPsec transform set (to specify the encryption and authentication algorithms to protect user traffic through the tunnel)
- IPsec profile (to bring together IKEv2 and IPsec settings)
## IPsec Transform set for Phase 2
crypto ipsec transform-set TRANSFORM_AES_MD5 esp-aes esp-md5-hmac
mode transport
exit
## IPsec Profile to use under Global VRF
crypto ipsec profile IPSEC_PROFILE_1
set transform-set TRANSFORM_AES_MD5
set ikev2-profile IKEv2_PROFILE_1
exit
## IPsec Profile to use under VRF ISP2
crypto ipsec profile IPSEC_PROFILE_2
set transform-set TRANSFORM_AES_MD5
set ikev2-profile IKEv2_PROFILE_2
exit
Verification
Verify configured IPsec transform sets.
R1#show crypto ipsec transform-set
Transform set default: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },
Transform set TRANSFORM_AES_MD5: { esp-aes esp-md5-hmac }
will negotiate = { Transport, },
R1#
Verify configured IPsec profiles and their associated transform sets.
R1#show crypto ipsec profile
IPSEC profile IPSEC_PROFILE_1
IKEv2 Profile: IKEv2_PROFILE_1
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Mixed-mode : Disabled
Transform sets={
TRANSFORM_AES_MD5: { esp-aes esp-md5-hmac } ,
}
IPSEC profile IPSEC_PROFILE_2
IKEv2 Profile: IKEv2_PROFILE_2
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Mixed-mode : Disabled
Transform sets={
TRANSFORM_AES_MD5: { esp-aes esp-md5-hmac } ,
}
IPSEC profile default
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Mixed-mode : Disabled
Transform sets={
default: { esp-aes esp-sha-hmac } ,
}
R1#
Configure VTI Tunnels
This section provides the configuration commands to set up an IPsec-protected VTI tunnel under the global VRF and under a user-created VRF (here, ISP2).
Create the VTI tunnels on Router 1. Notice that an IPsec profile is attached to each tunnel interface with tunnel protection; that is what encrypts the traffic carried by the VTI.
interface tunnel 1
description VTI TUNNEL OVER GLOBAL VRF
ip address 172.16.1.1 255.255.255.252
tunnel source gig0/1
tunnel destination 10.0.12.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC_PROFILE_1
exit
interface tunnel 2
description VTI TUNNEL OVER ISP2 VRF
ip address 172.16.2.1 255.255.255.252
tunnel vrf ISP2
tunnel source g0/2
tunnel destination 10.0.22.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC_PROFILE_2
exit
Now create the VTI tunnels on Router 2.
interface tunnel 1
description VTI TUNNEL OVER GLOBAL VRF
ip address 172.16.1.2 255.255.255.252
tunnel source gig0/1
tunnel destination 10.0.11.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC_PROFILE_1
exit
interface tunnel 2
description VTI TUNNEL OVER ISP2 VRF
ip address 172.16.2.2 255.255.255.252
tunnel vrf ISP2
tunnel source g0/2
tunnel destination 10.0.21.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC_PROFILE_2
exit
The virtual interfaces Tunnel1 and Tunnel2 themselves belong to the global VRF; the tunnel vrf ISP2 command under interface tunnel 2 only tells the router that the tunnel source interface g0/2, and therefore the route to the tunnel destination, is found in the ISP2 VRF rather than the global VRF.
If you establish a BGP peering over the virtual tunnel interfaces, for instance, any routes received from the peer are installed in the global routing table, because interface Tunnel2 belongs to the global VRF. The ISP2 VRF is used only for transport across the Internet through ISP2 (g0/2’s IP address makes up the outer IP header).
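Every object above is configured twice, once per router, and the two copies must mirror each other: R1’s keyring address, profile identity and tunnel destination are R2’s tunnel source address, and vice versa. As an added example (this is not code from the post), the following Python script renders both routers’ IKEv2, IPsec and VTI configuration from one record per link so that mirroring is automatic, and lints each rendered config to check that the keyring addresses, the IKEv2 profile identities and the tunnel destinations all name the same set of peers. Addresses, names and keys are the post’s lab values; the Link and Proposal records, render_router() and consistency_errors() are this example’s assumptions.

```python
"""Render the mirrored IKEv2 / IPsec / VTI configuration for both routers.

Added example, not from the original post. One record per link produces both
routers' proposal, policies, keyring, IKEv2 profiles, transform set, IPsec
profiles and tunnel interfaces. Addresses, names and keys are the post's lab
values; the records and helper functions are assumptions of this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Proposal:
    name: str
    encryption: str  # IKEv2 encryption transform (the post uses "des")
    integrity: str   # IKEv2 integrity transform (the post uses "md5")
    group: int       # Diffie-Hellman group


@dataclass(frozen=True)
class Link:
    index: int           # suffix for policy / profile / tunnel names
    fvrf: Optional[str]  # front-door VRF carrying the outer IP header; None = global
    src_if: str          # physical tunnel source interface (same name on both routers)
    r1_wan: str          # R1 outer (tunnel source) address
    r2_wan: str          # R2 outer (tunnel source) address
    r1_tun: str          # R1 VTI address
    r2_tun: str          # R2 VTI address
    psk: str             # pre-shared key, identical on both ends


# Constructed from the post's lab topology.
PROPOSAL = Proposal("IKEv2_PROPOSAL_1", "des", "md5", 5)
LINKS = [
    Link(1, None, "GigabitEthernet0/1", "10.0.11.1", "10.0.12.1", "172.16.1.1", "172.16.1.2", "ciscoISP1"),
    Link(2, "ISP2", "GigabitEthernet0/2", "10.0.21.1", "10.0.22.1", "172.16.2.1", "172.16.2.2", "ciscoISP2"),
]


def ends(link: Link, router: str):
    """(my outer address, peer outer address, my VTI address) as seen from `router`."""
    if router == "R1":
        return link.r1_wan, link.r2_wan, link.r1_tun
    return link.r2_wan, link.r1_wan, link.r2_tun


def render_router(router: str, peer: str, links: List[Link], proposal: Proposal,
                  transform: str = "TRANSFORM_AES_MD5") -> List[str]:
    """IOS configuration lines for `router`; `peer` only names the keyring entries."""
    out = [f"crypto ikev2 proposal {proposal.name}", f" encryption {proposal.encryption}",
           f" integrity {proposal.integrity}", f" group {proposal.group}", "!"]
    for l in links:  # one policy per front-door VRF, selected with `match fvrf`
        out.append(f"crypto ikev2 policy IKEv2_POLICY_{l.index}")
        out += [f" match fvrf {l.fvrf}"] if l.fvrf else []
        out += [f" proposal {proposal.name}", "!"]
    out.append("crypto ikev2 keyring KEYRING")
    for l in links:  # keyring entry is keyed by the peer's outer address
        remote = ends(l, router)[1]
        out += [f" peer {peer}_{l.fvrf or 'GLOBAL'}_VRF", f"  address {remote} 255.255.255.255",
                f"  pre-shared-key {l.psk}", " !"]
    out.append("!")
    for l in links:  # profile: identity match on the same remote address, PSK both ways
        remote = ends(l, router)[1]
        out.append(f"crypto ikev2 profile IKEv2_PROFILE_{l.index}")
        out += [f" match fvrf {l.fvrf}"] if l.fvrf else []
        out += [f" match identity remote address {remote} 255.255.255.255",
                " authentication remote pre-share", " authentication local pre-share",
                " keyring local KEYRING", "!"]
    out += [f"crypto ipsec transform-set {transform} esp-aes esp-md5-hmac", "!"]
    for l in links:
        out += [f"crypto ipsec profile IPSEC_PROFILE_{l.index}", f" set transform-set {transform}",
                f" set ikev2-profile IKEv2_PROFILE_{l.index}", "!"]
    for l in links:  # the VTI stays in the global VRF; only the outer header uses `tunnel vrf`
        remote, mytun = ends(l, router)[1:]
        out.append(f"interface Tunnel{l.index}")
        out.append(f" ip address {mytun} 255.255.255.252")
        out += [f" tunnel vrf {l.fvrf}"] if l.fvrf else []
        out += [f" tunnel source {l.src_if}", f" tunnel destination {remote}", " tunnel mode ipsec ipv4",
                f" tunnel protection ipsec profile IPSEC_PROFILE_{l.index}", "!"]
    return out


def consistency_errors(cfg: List[str]) -> List[str]:
    """Lint one router: keyring addresses, profile identities and tunnel destinations must agree."""
    def grab(pattern):
        return {m.group(1) for line in cfg if (m := re.match(pattern, line))}
    keyring = grab(r"\s+address (\S+) ")
    ident = grab(r"\s+match identity remote address (\S+) ")
    dest = grab(r"\s+tunnel destination (\S+)$")
    errors = []
    if keyring != ident:
        errors.append(f"keyring {sorted(keyring)} != identities {sorted(ident)}")
    if ident != dest:
        errors.append(f"identities {sorted(ident)} != tunnel destinations {sorted(dest)}")
    return errors


if __name__ == "__main__":
    for router, peer in (("R1", "R2"), ("R2", "R1")):
        print("\n".join(render_router(router, peer, LINKS, PROPOSAL)), consistency_errors(router and []))
```

The Proposal record is the single place to change when moving from the lab’s DES/MD5/group 5 suite to a stronger one; the rendered structure stays the same on both routers.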
Verification
When the remote end is not up yet, the virtual interfaces show an up/down state (interface up, line protocol down).
R1#show ip interface brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 unassigned YES NVRAM administratively down down
GigabitEthernet0/1 10.0.11.1 YES NVRAM up up
GigabitEthernet0/2 10.0.21.1 YES NVRAM up up
GigabitEthernet0/3 unassigned YES NVRAM administratively down down
Loopback0 1.1.1.1 YES NVRAM up up
NVI0 10.0.11.1 YES unset up up
Tunnel1 172.16.1.1 YES manual up down
Tunnel2 172.16.2.1 YES manual up down
R1#
As soon as the remote end is configured, the VTI interfaces come up.
R1#
*Feb 23 22:42:19.328: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
*Feb 23 22:42:19.349: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel2, changed state to up
R1#show ip int br
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 unassigned YES NVRAM administratively down down
GigabitEthernet0/1 10.0.11.1 YES NVRAM up up
GigabitEthernet0/2 10.0.21.1 YES NVRAM up up
GigabitEthernet0/3 unassigned YES NVRAM administratively down down
Loopback0 1.1.1.1 YES NVRAM up up
NVI0 10.0.11.1 YES unset up up
Tunnel1 172.16.1.1 YES manual up up
Tunnel2 172.16.2.1 YES manual up up
R1#
Verify that Phase 1 was established successfully.
R1#show crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 10.0.11.1/500 10.0.12.1/500 none/none READY
Encr: DES, PRF: MD5, Hash: MD596, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/75 sec
Tunnel-id Local Remote fvrf/ivrf Status
4 10.0.21.1/500 10.0.22.1/500 ISP2/none READY
Encr: DES, PRF: MD5, Hash: MD596, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/100 sec
IPv6 Crypto IKEv2 SA
R1#
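As an added example (not part of the original post), the following Python script parses the show crypto ikev2 sa output above, embedded as a constructed sample, and reports for each expected peer whether its SA is READY in the expected front-door VRF and whether the negotiated suite still uses DES or 3DES, an MD5 or SHA1-96 integrity transform, or a DH group below 14. The expected-peer table and those thresholds are this example’s assumptions. Run against this lab it flags the DES/MD5/group 5 suite on both peers, which is the point made earlier about choosing the most secure algorithms.

```python
"""Audit `show crypto ikev2 sa`: expected peers READY, and negotiated suite acceptable.

Added example, not from the post. SAMPLE is the post's R1 output embedded as a
constructed string; EXPECTED and the thresholds are assumptions of this example.
"""
import re
from typing import Dict, List

SAMPLE = """\
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 10.0.11.1/500 10.0.12.1/500 none/none READY
Encr: DES, PRF: MD5, Hash: MD596, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/75 sec
Tunnel-id Local Remote fvrf/ivrf Status
4 10.0.21.1/500 10.0.22.1/500 ISP2/none READY
Encr: DES, PRF: MD5, Hash: MD596, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/100 sec
IPv6 Crypto IKEv2 SA
"""

# Expected peers from the post's topology: remote outer address -> front-door VRF.
EXPECTED = {"10.0.12.1": "none", "10.0.22.1": "ISP2"}

# Acceptability thresholds (assumptions of this example).
WEAK_ENCR = {"DES", "3DES"}
WEAK_HASH_PREFIX = ("MD5", "SHA96")  # SHA96 is HMAC-SHA1-96
MIN_DH_GROUP = 14

SA_RE = re.compile(r"^(\d+)\s+(\S+)/(\d+)\s+(\S+)/(\d+)\s+(\S+)/(\S+)\s+(\S+)$")
ALG_RE = re.compile(r"Encr: (\S+), PRF: (\S+), Hash: (\S+), DH Grp:(\d+), "
                    r"Auth sign: (\S+), Auth verify: (\S+)")


def parse_ikev2_sa(text: str) -> List[Dict]:
    """Return one dict per IKEv2 SA: endpoints, VRFs, status and the negotiated algorithms."""
    sas, current = [], None
    for line in text.splitlines():
        m = SA_RE.match(line.strip())
        if m:  # SA header line: id, local/port, remote/port, fvrf/ivrf, status
            current = {"id": int(m[1]), "local": m[2], "remote": m[4],
                       "fvrf": m[6], "ivrf": m[7], "status": m[8]}
            sas.append(current)
            continue
        m = ALG_RE.search(line)
        if m and current is not None:  # algorithm line belongs to the SA just seen
            current.update(encr=m[1], prf=m[2], hash=m[3], dh=int(m[4]),
                           auth_sign=m[5], auth_verify=m[6])
    return sas


def audit(sas: List[Dict], expected: Dict[str, str]) -> List[str]:
    """Findings per expected peer; an empty list means all peers are READY with acceptable crypto."""
    findings = []
    by_remote = {sa["remote"]: sa for sa in sas}
    for remote, fvrf in expected.items():
        sa = by_remote.get(remote)
        if sa is None:
            findings.append(f"{remote}: no IKEv2 SA")
            continue
        if sa["status"] != "READY":
            findings.append(f"{remote}: status {sa['status']}")
        if sa["fvrf"] != fvrf:
            findings.append(f"{remote}: fvrf {sa['fvrf']} (expected {fvrf})")
        if sa.get("encr") in WEAK_ENCR:
            findings.append(f"{remote}: weak encryption {sa['encr']}")
        if sa.get("hash", "").startswith(WEAK_HASH_PREFIX):
            findings.append(f"{remote}: weak integrity {sa['hash']}")
        if sa.get("dh", 0) < MIN_DH_GROUP:
            findings.append(f"{remote}: DH group {sa.get('dh')} below {MIN_DH_GROUP}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_ikev2_sa(SAMPLE), EXPECTED) or ["all peers READY, crypto acceptable"]:
        print(finding)
```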
Verify that Phase 2 was established successfully. Notice that there are packets encrypted and decrypted and that the status is active for each security association.
R1#show crypto ipsec sa
interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 10.0.11.1
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 10.0.12.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
#pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.0.11.1, remote crypto endpt.: 10.0.12.1
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
current outbound spi: 0xBC2D1538(3157071160)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x59799CE9(1501142249)
transform: esp-aes esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 10, flow_id: SW:10, sibling_flags 80000040, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4192919/3546)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xBC2D1538(3157071160)
transform: esp-aes esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 9, flow_id: SW:9, sibling_flags 80000040, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4192919/3546)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
interface: Tunnel2
Crypto map tag: Tunnel2-head-0, local addr 10.0.21.1
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 10.0.22.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.0.21.1, remote crypto endpt.: 10.0.22.1
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/2
current outbound spi: 0xC50F318D(3306107277)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x64B92B09(1689856777)
transform: esp-aes esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 3, flow_id: SW:3, sibling_flags 80000040, crypto map: Tunnel2-head-0
sa timing: remaining key lifetime (k/sec): (4163459/257)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xC50F318D(3306107277)
transform: esp-aes esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 4, flow_id: SW:4, sibling_flags 80000040, crypto map: Tunnel2-head-0
sa timing: remaining key lifetime (k/sec): (4163459/257)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
R1#
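The same Phase 2 check done programmatically, as an added example that is not from the post: the script below parses show crypto ipsec sa per tunnel interface and reports a tunnel as healthy only when both the inbound and outbound ESP SAs are ACTIVE, packets have been both encapsulated and decapsulated, and the send/receive error counters are zero. The sample is trimmed from the R1 output above, except that Tunnel2 has been altered (constructed) to show the one-way failure mode in which our side encrypts but nothing comes back; the health rules are this example’s assumptions.

```python
"""Per-tunnel health from `show crypto ipsec sa`: ESP SAs ACTIVE both ways, traffic both ways.

Added example, not from the post. SAMPLE is trimmed from the post's R1 output;
Tunnel2 is altered (constructed) to show a one-way tunnel. The rules in
health() are assumptions of this example.
"""
import re
from typing import Dict, List

SAMPLE = """\
interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 10.0.11.1
   current_peer 10.0.12.1 port 500
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
    #send errors 0, #recv errors 0
     inbound esp sas:
      spi: 0x59799CE9(1501142249)
        transform: esp-aes esp-md5-hmac ,
        Status: ACTIVE(ACTIVE)
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xBC2D1538(3157071160)
        transform: esp-aes esp-md5-hmac ,
        Status: ACTIVE(ACTIVE)
interface: Tunnel2
    Crypto map tag: Tunnel2-head-0, local addr 10.0.21.1
   current_peer 10.0.22.1 port 500
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
     inbound esp sas:
     outbound esp sas:
      spi: 0xC50F318D(3306107277)
        transform: esp-aes esp-md5-hmac ,
        Status: ACTIVE(ACTIVE)
"""


def _new_tunnel() -> Dict:
    return {"peer": None, "encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0,
            "inbound": [], "outbound": []}


def parse_ipsec_sa(text: str) -> Dict[str, Dict]:
    """Map interface name -> counters and the list of ESP SAs per direction."""
    tunnels: Dict[str, Dict] = {}
    cur, direction = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface: "):
            cur = tunnels.setdefault(line.split(": ", 1)[1], _new_tunnel())
            direction = None
        elif cur is None:
            continue
        elif line.startswith("current_peer "):
            cur["peer"] = line.split()[1]
        elif line.startswith("#pkts encaps:"):
            cur["encaps"] = int(re.search(r"#pkts encaps: (\d+)", line)[1])
        elif line.startswith("#pkts decaps:"):
            cur["decaps"] = int(re.search(r"#pkts decaps: (\d+)", line)[1])
        elif line.startswith("#send errors"):
            m = re.search(r"#send errors (\d+), #recv errors (\d+)", line)
            cur["send_errors"], cur["recv_errors"] = int(m[1]), int(m[2])
        elif line in ("inbound esp sas:", "outbound esp sas:"):
            direction = line.split()[0]  # "inbound" or "outbound"
        elif line.endswith(" ah sas:") or line.endswith(" pcp sas:"):
            direction = None             # AH / PCP sections are not ESP SAs
        elif direction and line.startswith("spi: "):
            cur[direction].append({"spi": line.split()[1].split("(")[0], "transform": None, "status": None})
        elif direction and cur[direction] and line.startswith("transform:"):
            cur[direction][-1]["transform"] = line[len("transform:"):].strip(" ,")
        elif direction and cur[direction] and line.startswith("Status:"):
            cur[direction][-1]["status"] = line.split()[1]
    return tunnels


def health(tunnels: Dict[str, Dict]) -> Dict[str, List[str]]:
    """Interface name -> list of problems; an empty list means the tunnel is passing traffic both ways."""
    report = {}
    for name, t in tunnels.items():
        problems = []
        for d in ("inbound", "outbound"):
            if not any(sa["status"] == "ACTIVE(ACTIVE)" for sa in t[d]):
                problems.append(f"no ACTIVE {d} ESP SA")
        if t["encaps"] == 0:
            problems.append("nothing encapsulated")
        if t["decaps"] == 0:
            problems.append("nothing decapsulated (peer not sending, or its traffic is not reaching us)")
        if t["send_errors"] or t["recv_errors"]:
            problems.append(f"errors send={t['send_errors']} recv={t['recv_errors']}")
        report[name] = problems
    return report


if __name__ == "__main__":
    for name, problems in health(parse_ipsec_sa(SAMPLE)).items():
        print(name, "OK" if not problems else "; ".join(problems))
```

A tunnel whose line protocol is up but whose decaps counter never moves is the usual symptom of a one-sided problem (a mismatched policy on the peer, or the peer’s outer traffic not reaching this router), which the ESP SA list makes visible before any routing protocol over the VTI does.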
Preconfiguration
Before configuring the VTI tunnels, make sure the router’s physical interfaces are configured and that you have IP reachability to the remote end with which you are establishing the tunnel.
Configure R1 Interfaces
Configure R1’s ISP1-facing interface.
int g0/1
description ISP1
ip address 10.0.11.1 255.255.255.252
no ip unreachables
no ip proxy-arp
no ip redirects
no shut
exit
ip route 0.0.0.0 0.0.0.0 10.0.11.2
Configure R1’s ISP2-facing interface under a new VRF named ISP2.
ip vrf ISP2
rd 2:2
exit
int g0/2
description ISP2
ip vrf forwarding ISP2
ip address 10.0.21.1 255.255.255.252
no ip unreachables
no ip proxy-arp
no ip redirects
no shut
exit
ip route vrf ISP2 0.0.0.0 0.0.0.0 10.0.21.2
Configure R2 Interfaces
Configure R2’s ISP1-facing interface.
int g0/1
description ISP1
ip address 10.0.12.1 255.255.255.252
no ip unreachables
no ip proxy-arp
no ip redirects
no shut
exit
ip route 0.0.0.0 0.0.0.0 10.0.12.2
Configure R2’s ISP2-facing interface under a new VRF named ISP2.
ip vrf ISP2
rd 2:2
exit
int g0/2
description ISP2
ip vrf forwarding ISP2
ip address 10.0.22.1 255.255.255.252
no ip unreachables
no ip proxy-arp
no ip redirects
no shut
exit
ip route vrf ISP2 0.0.0.0 0.0.0.0 10.0.22.2
Confirm IP reachability to the remote end by pinging it from each router, in the global table and in VRF ISP2.
R1#
*Feb 22 12:30:18.538: %SYS-5-CONFIG_I: Configured from console by console
R1#ping 10.0.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/2 ms
R1#ping vrf ISP2 10.0.22.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.22.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/3 ms
R1#
R2#
R2#ping 10.0.11.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.11.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/2 ms
R2#
R2#
R2#ping vrf ISP2 10.0.21.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.21.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
R2#
Closing
This post provided a sample CLI configuration for VTI tunnels with IKEv2 and IPsec on Cisco IOS routers.
VTI tunnels are route-based VPNs over which you can run static or dynamic routing. They are very common when establishing connectivity with cloud providers such as Google GCP and Azure.
I hope this post was informative for you. Please, leave comments and/or questions below.
