Scenario:
Branches with Static VTI
Hub with Dynamic VTI, plus:
- ISAKMP Profile
- Key Ring with PSKs
- Virtual Template
DVTIs can provide highly secure and scalable connectivity for remote-access VPNs. The DVTI technology replaces dynamic crypto maps and the dynamic hub-and-spoke method for establishing tunnels.
DVTIs can be used for both the server and the remote configuration. The tunnels provide an on-demand separate virtual access interface for each VPN session. The configuration of the virtual access interfaces is cloned from a virtual template configuration, which includes the IPsec configuration and any Cisco IOS software feature configured on the virtual template interface, such as QoS, NetFlow, or ACLs.
! Note: If we use Dynamic VTI on the hub device, we do not need to create a tunnel interface manually for each connection; a Virtual-Access interface is cloned from the virtual template for every spoke that connects. Note also that the hub keyring and the ISAKMP profile below both use the 0.0.0.0 wildcard, so a single pre-shared key authenticates every spoke regardless of its address.
Configure R1:
R1-Hub(config)#crypto isakmp policy 1
R1-Hub(config-isakmp)#encryption aes 192
R1-Hub(config-isakmp)#authentication pre-share
R1-Hub(config-isakmp)#group 5
R1-Hub(config-isakmp)#exit
R1-Hub(config)#crypto keyring OUR-PSKs
R1-Hub(conf-keyring)#pre-shared-key address 0.0.0.0 key cisco123
R1-Hub(conf-keyring)#exit
R1-Hub(config)#crypto ipsec transform-set OUR-SET esp-aes 128 esp-md5-hmac
R1-Hub(cfg-crypto-trans)#exit
R1-Hub(config)#crypto ipsec profile OUR-IPsec-PROFILE
R1-Hub(ipsec-profile)#set transform-set OUR-SET
R1-Hub(ipsec-profile)#exit
R1-Hub(config)#in lo 9
R1-Hub(config-if)#ip address 1.1.1.1 255.255.255.255
R1-Hub(config-if)#exit
R1-Hub(config)#interface virtual-Template 1 type tunnel
R1-Hub(config-if)#ip unnumbered loopback 9
R1-Hub(config-if)#tunnel mode ipsec ipv4
R1-Hub(config-if)#tunnel protection ipsec profile OUR-IPsec-PROFILE
R1-Hub(config-if)#exit
R1-Hub(config)#crypto isakmp profile OUR-IKE-PROFILE
R1-Hub(conf-isa-prof)#match identity address 0.0.0.0
R1-Hub(conf-isa-prof)#virtual-template 1
R1-Hub(conf-isa-prof)#keyring OUR-PSKs
R1-Hub(conf-isa-prof)#exit
R1-Hub(config)#router eigrp 1
R1-Hub(config-router)#no auto-summary
R1-Hub(config-router)#network 1.1.1.1 0.0.0.0
R1-Hub(config-router)#network 10.1.1.1 0.0.0.0
R1-Hub(config-router)#exit
Configure R2:
R2-Spoke(config)#crypto isakmp policy 1
R2-Spoke(config-isakmp)#encryption aes 192
R2-Spoke(config-isakmp)#authentication pre-share
R2-Spoke(config-isakmp)#group 5
R2-Spoke(config-isakmp)#exit
R2-Spoke(config)#crypto isakmp key cisco123 address 15.0.0.1 255.255.255.255
R2-Spoke(config)#crypto ipsec transform-set OUR-SET esp-aes 128 esp-md5-hmac
R2-Spoke(cfg-crypto-trans)#exit
R2-Spoke(config)#crypto ipsec profile OUR-IPsec-PROFILE
R2-Spoke(ipsec-profile)#set transform-set OUR-SET
R2-Spoke(ipsec-profile)#exit
R2-Spoke(config)#interface loopback 9
R2-Spoke(config-if)#ip address 2.2.2.2 255.255.255.255
R2-Spoke(config-if)#exit
R2-Spoke(config)#interface tunnel 2
R2-Spoke(config-if)#tunnel mode ipsec ipv4
R2-Spoke(config-if)#ip unnumbered loopback 9
R2-Spoke(config-if)#tunnel source serial 1/0
R2-Spoke(config-if)#tunnel destination 15.0.0.1
R2-Spoke(config-if)#tunnel protection ipsec profile OUR-IPsec-PROFILE
R2-Spoke(config)#router eigrp 1
R2-Spoke(config-router)#no auto-summary
R2-Spoke(config-router)#network 10.2.2.2 0.0.0.0
R2-Spoke(config-router)#network 2.2.2.2 0.0.0.0
Configure R3:
R3-Spoke(config)#crypto isakmp policy 1
R3-Spoke(config-isakmp)#encryption aes 192
R3-Spoke(config-isakmp)#authentication pre-share
R3-Spoke(config-isakmp)#group 5
R3-Spoke(config-isakmp)#exit
R3-Spoke(config)#crypto isakmp key cisco123 address 15.0.0.1 255.255.255.255
R3-Spoke(config)#crypto ipsec transform-set OUR-SET esp-aes 128 esp-md5-hmac
R3-Spoke(cfg-crypto-trans)#exit
R3-Spoke(config)#crypto ipsec profile OUR-IPsec-PROFILE
R3-Spoke(ipsec-profile)#set transform-set OUR-SET
R3-Spoke(ipsec-profile)#exit
R3-Spoke(config)#interface loopback 9
R3-Spoke(config-if)#ip address 3.3.3.3 255.255.255.255
R3-Spoke(config-if)#exit
R3-Spoke(config)#interface tunnel 3
R3-Spoke(config-if)#tunnel mode ipsec ipv4
R3-Spoke(config-if)#ip unnumbered loopback 9
R3-Spoke(config-if)#tunnel source serial 1/0
R3-Spoke(config-if)#tunnel destination 15.0.0.1
R3-Spoke(config-if)#tunnel protection ipsec profile OUR-IPsec-PROFILE
R3-Spoke(config)#router eigrp 1
R3-Spoke(config-router)#no auto-summary
R3-Spoke(config-router)#network 10.3.3.3 0.0.0.0
R3-Spoke(config-router)#network 3.3.3.3 0.0.0.0
Configure R4:
R4-Spoke(config)#crypto isakmp policy 1
R4-Spoke(config-isakmp)#encryption aes 192
R4-Spoke(config-isakmp)#authentication pre-share
R4-Spoke(config-isakmp)#group 5
R4-Spoke(config-isakmp)#exit
R4-Spoke(config)#crypto isakmp key cisco123 address 15.0.0.1 255.255.255.255
R4-Spoke(config)#crypto ipsec transform-set OUR-SET esp-aes 128 esp-md5-hmac
R4-Spoke(cfg-crypto-trans)#exit
R4-Spoke(config)#crypto ipsec profile OUR-IPsec-PROFILE
R4-Spoke(ipsec-profile)#set transform-set OUR-SET
R4-Spoke(ipsec-profile)#exit
R4-Spoke(config)#interface loopback 9
R4-Spoke(config-if)#ip address 4.4.4.4 255.255.255.255
R4-Spoke(config-if)#exit
R4-Spoke(config)#interface tunnel 4
R4-Spoke(config-if)#tunnel mode ipsec ipv4
R4-Spoke(config-if)#ip unnumbered loopback 9
R4-Spoke(config-if)#tunnel source serial 1/0
R4-Spoke(config-if)#tunnel destination 15.0.0.1
R4-Spoke(config-if)#tunnel protection ipsec profile OUR-IPsec-PROFILE
R4-Spoke(config)#router eigrp 1
R4-Spoke(config-router)#no auto-summary
R4-Spoke(config-router)#network 10.4.4.4 0.0.0.0
R4-Spoke(config-router)#network 4.4.4.4 0.0.0.0
! Verify Configuration
R1-Hub#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
15.0.0.1        25.0.0.2        QM_IDLE           1006 ACTIVE
15.0.0.1        35.0.0.3        QM_IDLE           1007 ACTIVE
15.0.0.1        45.0.0.4        QM_IDLE           1008 ACTIVE
R1-Hub#show ip interface brief | exclude unassigned
Interface              IP-Address      OK? Method Status                Protocol
Serial1/0              15.0.0.1        YES NVRAM  up                    up
Loopback0              10.1.1.1        YES NVRAM  up                    up
Loopback9              1.1.1.1         YES manual up                    up
Virtual-Access2        1.1.1.1         YES unset  up                    up
Virtual-Access3        1.1.1.1         YES unset  up                    up
Virtual-Access4        1.1.1.1         YES unset  up                    up
Virtual-Template1      1.1.1.1         YES unset  up                    down
R1-Hub#show ip interface Virtual-Access2
Virtual-Access2 is up, line protocol is up
Interface is unnumbered. Using address of Loopback9 (1.1.1.1)
Broadcast address is 255.255.255.255
MTU is 1438 bytes
R1-Hub#show crypto engine connections active
Crypto Engine Connections
  ID  Type    Algorithm      Encrypt  Decrypt LastSeqN IP-Address
   7  IPsec   AES+MD5              0      184      184 15.0.0.1
   8  IPsec   AES+MD5            184        0        0 15.0.0.1
   9  IPsec   AES+MD5              0       83       83 15.0.0.1
  10  IPsec   AES+MD5             83        0        0 15.0.0.1
  11  IPsec   AES+MD5              0       66       66 15.0.0.1
  12  IPsec   AES+MD5             64        0        0 15.0.0.1
1006  IKE     SHA+AES192           0        0        0 15.0.0.1
1007  IKE     SHA+AES192           0        0        0 15.0.0.1
1008  IKE     SHA+AES192           0        0        0 15.0.0.1
R2-Spoke#show ip route eigrp | in 10.
D 10.1.1.0/24 [90/27008000] via 1.1.1.1, 00:14:34, Tunnel2
D 10.3.3.0/24 [90/28288000] via 1.1.1.1, 00:06:48, Tunnel2
D 10.4.4.0/24 [90/28288000] via 1.1.1.1, 00:05:40, Tunnel2
R2-Spoke#ping 10.3.3.3 source 10.2.2.2
Sending 5, 100-byte ICMP Echos to 10.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 10.2.2.2
!!!!!
Success rate is 100 percent (5/5)
R2-Spoke#traceroute 10.3.3.3 source 10.2.2.2
Tracing the route to 10.3.3.3
1 1.1.1.1 76 msec 80 msec 84 msec
2 3.3.3.3 112 msec 104 msec 72 msec
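Because the hub accepts any peer address that knows the shared PSK, checking the hub's `show crypto isakmp sa` output against the list of spokes you actually deployed is a useful operational control. The script below is an added example, not part of the original lab; the sample output is constructed from the verification above, with one spoke left stuck in main mode and one peer (99.0.0.9) that is not a deployed spoke.

```python
"""Audit a DVTI hub's `show crypto isakmp sa` output against expected spokes."""
import re

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
SA_LINE = re.compile(
    rf"^(?P<dst>{IPV4})\s+(?P<src>{IPV4})\s+(?P<state>\S+)\s+"
    r"(?P<conn_id>\d+)\s+(?P<status>\S+)")

# Constructed sample: the hub output from the lab, with 45.0.0.4 stuck in
# main mode and an extra peer 99.0.0.9 that is not one of our spokes.
SAMPLE_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
15.0.0.1        25.0.0.2        QM_IDLE           1006 ACTIVE
15.0.0.1        35.0.0.3        QM_IDLE           1007 ACTIVE
15.0.0.1        45.0.0.4        MM_NO_STATE       1008 ACTIVE
15.0.0.1        99.0.0.9        QM_IDLE           1009 ACTIVE
"""
EXPECTED_SPOKES = {"25.0.0.2", "35.0.0.3", "45.0.0.4"}

def parse_isakmp_sa(text, hub_addr):
    """Map each remote peer to its list of (state, status) entries.
    The remote is whichever of dst/src is not the hub's own address."""
    peers = {}
    for line in text.splitlines():
        m = SA_LINE.match(line.strip())
        if not m:
            continue  # banner and column-header lines
        remote = m["src"] if m["dst"] == hub_addr else m["dst"]
        peers.setdefault(remote, []).append((m["state"], m["status"]))
    return peers

def audit_hub(text, hub_addr, expected):
    """Return (ok, findings). A spoke counts as up only with an ACTIVE QM_IDLE
    SA; any other peer is flagged, because `match identity address 0.0.0.0`
    and the 0.0.0.0 keyring entry accept any address that knows the PSK."""
    peers = parse_isakmp_sa(text, hub_addr)
    findings = []
    for spoke in sorted(expected):
        entries = peers.get(spoke, [])
        if not entries:
            findings.append(f"{spoke}: no ISAKMP SA (no IKE from this spoke)")
        elif ("QM_IDLE", "ACTIVE") not in entries:
            findings.append(f"{spoke}: SA not established ({entries})")
    for peer in sorted(set(peers) - expected):
        findings.append(f"{peer}: unexpected peer holds an IKE SA with the hub")
    return (not findings, findings)
```

Calling `audit_hub(SAMPLE_SA, "15.0.0.1", EXPECTED_SPOKES)` returns two findings: the spoke stuck in MM_NO_STATE and the unexpected 99.0.0.9 peer; fed the clean output from the lab it returns `(True, [])`.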