Virtual Tunnel Interface

This chapter describes how to configure a VTI tunnel.

About Virtual Tunnel Interfaces

The ASA supports a logical interface called Virtual Tunnel Interface (VTI). As an alternative to policy based VPN, a VPN tunnel can be created between peers with Virtual Tunnel Interfaces configured. This supports route based VPN with IPsec profiles attached to the end of each tunnel. This allows dynamic or static routes to be used. Egressing traffic from the VTI is encrypted and sent to the peer, and the associated SA decrypts the ingress traffic to the VTI.

Using VTI does away with the requirement of configuring static crypto map access lists and mapping them to interfaces. You no longer have to track all remote subnets and include them in the crypto map access list. Deployments become easier, and having static VTI which supports route based VPN with dynamic routing protocol also satisfies many requirements of a virtual private cloud.

Guidelines for Virtual Tunnel Interfaces

Context Mode and Clustering

  • Supported in single mode only.

  • No support for clustering.

Firewall Mode

Supported in routed mode only.

IPv6 Support

  • IPv6 addressed VTIs can be configured.

  • Both the tunnel source and the tunnel destination of a VTI can have IPv6 addresses.

  • Following combinations of VTI IP (or internal networks IP version) over public IP versions are supported:

    • IPv6 over IPv6

    • IPv4 over IPv6

    • IPv4 over IPv4

    • IPv6 over IPv4

  • Only static IPv6 address is supported as the tunnel source and destination.

  • The tunnel source interface can have IPv6 addresses and you can specify which address to be used as the tunnel endpoint. If you do not specify, by default, the first IPv6 global address in the list is used as the tunnel endpoint.

  • You can specify the tunnel mode as IPv6. When specified, the IPv6 traffic can be tunneled through the VTI. However, the tunnel mode can either be IPv4 or IPv6 for a single VTI.

General Configuration Guidelines

  • VTIs are only configurable in IPsec mode. To terminate GRE tunnels on an ASA is unsupported.

  • You can use BGP or static routes for traffic using the tunnel interface.

  • The MTU for VTIs is automatically set, according to the underlying physical interface. However, if you change the physical interface MTU after the VTI is enabled, you must disable and reenable the VTI to use the new MTU setting.

  • You can configure a maximum of 1024 VTIs on a device. While calculating the VTI count, consider the following:

    • Include nameif subinterfaces to derive the total number of VTIs that can be configured on the device.

    • You cannot configure nameif on member interfaces of a portchannel. Therefore, the tunnel count is reduced by the count of actual main portchannel interfaces alone and not any of its member interfaces.

    • Even if a platform supports more than 1024 interfaces, the VTI count is limited to the number of VLANs configurable on that platform. For example, if a model supports 500 VLANs, then the tunnel count would be 500 minus the number of physical interfaces configured.

  • VTI supports IKE versions v1, v2, and uses IPsec for sending and receiving data between the tunnel's source and destination.

  • If NAT has to be applied, the IKE and ESP packets will be encapsulated in the UDP header.

  • IKE and IPsec security associations will be re-keyed continuously regardless of data traffic in the tunnel. This ensures that VTI tunnels are always up.

  • The tunnel group name must match what the peer will send as its IKEv1 or IKEv2 identity.

  • For IKEv1 in Site-to-Site tunnel groups, you can use names which are not IP addresses, if the tunnel authentication method is digital certificates and/or the peer is configured to use aggressive mode.

  • VTI and crypto map configurations can co-exist on the same physical interface, provided the peer address configured in the crypto map and the tunnel destination for the VTI are different.

  • Access rules can be applied on a VTI interface to control traffic through VTI.

  • ICMP ping is supported between VTI interfaces.

  • If the ASA is terminating IOS IKEv2 VTI clients, disable the config-exchange request on IOS, because the ASA cannot retrieve the mode-CFG attributes for this L2L session initiated by an IOS VTI client.

Default Settings

  • By default, all traffic through VTI is encrypted.

  • By default, the security level for VTI interfaces is 0.

Create a VTI Tunnel

To configure a VTI tunnel, create an IPsec proposal (transform set). You will need to create an IPsec profile that references the IPsec proposal, followed by a VTI interface with the IPsec profile. Configure the remote peer with identical IPsec proposal and IPsec profile parameters. SA negotiation will start when all tunnel parameters are configured.


Note

For the ASA which is a part of both the VPN VTI domains, and has BGP adjacency on the physical interface:

When a state change is triggered due to the interface health check, the routes in the physical interface will be deleted until BGP adjacency is re-established with the new active peer. This behavior does not apply to logical VTI interfaces.


Access control lists can be applied on a VTI interface to control traffic through VTI. To permit any packets that come from an IPsec tunnel without checking ACLs for the source and destination interfaces, enter the sysopt connection permit-vpn command in global configuration mode.

You can use the following command to enable IPsec traffic through the ASA without checking ACLs:

hostname(config)# sysopt connection permit-vpn

When an outside interface and VTI interface have the security level of 0, if you have ACL applied on VTI interface, it will not be hit if you do not have same-security-traffic configured.

To configure this feature, use the same-security-traffic command in global configuration mode with its intra-interface argument.

Procedure


Step 1

Add an IPsec Proposal (Transform Sets).

Step 2

Add an IPsec Profile.

Step 3

Add a VTI Tunnel.


Add an IPsec Proposal (Transform Sets)

A transform set is required to secure traffic in a VTI tunnel. Used as a part of the IPsec profile, it is a set of security protocols and algorithms that protects the traffic in the VPN.

Before you begin

    • You can use either pre-shared key or certificates for authenticating the IKE session associated with a VTI. IKEv2 allows asymmetric authentication methods and keys. For both IKEv1 and IKEv2, you must configure the pre-shared key under the tunnel group used for the VTI.

    • For certificate based authentication using IKEv1, you must specify the trustpoint to be used at the initiator. For the responder, you must configure the trustpoint in the tunnel-group command. For IKEv2, you must configure the trustpoint to be used for authentication under the tunnel group command for both initiator and responder.

    Procedure


    Step 1

    Choose Configuration > Site-to-Site VPN > Advanced > IPsec Proposals (Transform Sets).

    Step 2

    Configure IKEv1 or IKEv2 to establish the security association.

    • Configure IKEv1.

    1. In the IKEv1 IPsec Proposals (Transform Sets) panel, click Add.

    2. Enter the Set Name.

    3. Retain the default selection of the Tunnel check box.

    4. Select ESP Encryption and ESP Authentication.

    5. Click OK.

    • Configure IKEv2.

    1. In the IKEv2 IPsec Proposals panel, click Add.

    2. Enter the Name, and Encryption.

    3. Choose the Integrity Hash.

    4. Click OK.


    Add an IPsec Profile

    An IPsec profile contains the required security protocols and algorithms in the IPsec proposal or transform set that it references. This ensures a secure, logical communication path between two site-to-site VTI VPN peers.

    Procedure


    Step 1

    Choose Configuration > Site-to-Site VPN > Advanced > IPsec Proposals (Transform Sets).

    Step 2

    In the IPsec Profile panel, click Add.

    Step 3

    Enter the IPsec profile Name.

    Step 4

    Enter the IKE v1 IPsec Proposal or the IKE v2 IPsec Proposal created for the IPsec profile. You can choose either an IKEv1 transform set or an IKEv2 IPsec proposal.

    Step 5

    If you need an end of the VTI tunnel to act only as a responder, check the Responder only check box.

    • You can configure one end of the VTI tunnel to perform only as a responder. The responder-only end will not initiate the tunnel or rekeying.

    • If you are using IKEv2, set the duration of the security association lifetime greater than the lifetime value in the IPsec profile in the initiator end. This is to facilitate successful rekeying by the initiator end and ensure that the tunnels remain up.

    • If the rekey configuration in the initiator end is unknown, remove the responder-only mode to make the SA establishment bi-directional, or configure an infinite IPsec lifetime value in the responder-only end to prevent expiry.

    Step 6

    (Optional) Check the Enable security association lifetime check box, and enter the security association duration values in kilobytes and seconds.

    Step 7

    (Optional) Check the PFS Settings check box to enable PFS, and select the required Diffie-Hellman Group.

    Perfect Forward Secrecy (PFS) generates a unique session key for each encrypted exchange. This unique session key protects the exchange from subsequent decryption. To configure PFS, you have to select the Diffie-Hellman key derivation algorithm to use when generating the PFS session key. The key derivation algorithms generate IPsec security association (SA) keys. Each group has a different size modulus. A larger modulus provides higher security, but requires more processing time. You must have matching Diffie-Hellman groups on both peers.

    This establishes the strength of the of the encryption-key-determination algorithm. The ASA uses this algorithm to derive the encryption and hash keys.
    Step 8

    (Optional) Check the Enable sending certificate check box, and select a Trustpoint that defines the certificate to be used while initiating a VTI tunnel connection. Check the Chain check box, if required.

    Step 9

    Click OK.

    Step 10

    In the IPsec Proposals (Transform Sets) main panel, click Apply.

    Step 11

    In the Preview CLI Commands dialog box, click Send.


    Add a VTI Interface

    To create a new VTI interface and establish a VTI tunnel, perform the following steps:


    Note

    Implement IP SLA to ensure that the tunnel remains up when a router in the active tunnel is unavailable. See Configure Static Route Tracking in the ASA General Operations Configuration Guide in http://www.cisco.com/go/asa-config.


    Procedure


    Step 1

    Choose Configuration > Device Setup > Interface Settings > Interfaces.

    Step 2

    Choose Add > VTI Interface. The Add VTI Interface window appears.

    Step 3

    In the General tab, enter the VTI ID. This can be any value from 0 to 10413. Up to 1024 VTI interfaces are supported.

    Note 

    If you will be migrating configurations from other devices to ASA 5506 devices, use the tunnel ID range of 1 - 100. This is to ensure compatibility of tunnel range of 1 - 100 available in ASA 5506 devices.

    Step 4

    Enter the Interface Name.

    Ensure the Enable Interface checkbox is checked.
    Step 5

    Enter the source IP Address of the tunnel and the Subnet Mask.

    Step 6

    Click the Advanced tab.

    All the fields need to have valid values or selections for the tunnel to be displayed in the VPN Wizard.

    Step 7

    Enter the Destination IP address.

    Step 8

    Select the Source Interface.

    Step 9

    Select the IPsec profile in the Tunnel Protection with IPsec Profile field.

    Step 10

    Check the Ensure the Enable Tunnel Mode IPv4 IPsec check box.

    Step 11

    Click OK.

    Step 12

    In the Interfaces panel, click Apply.

    Step 13

    In the Preview CLI Commands dialog box, click Send.

    After the updated configuration is loaded, the new VTI appears in the list of interfaces. This new VTI can be used to create an IPsec site-to-site VPN.


    Feature History for Virtual Tunnel Interface

    Feature Name

    Releases

    Feature Information

    Local tunnel ID support

    9.17(1)

    ASA supports unique local tunnel ID that allows ASA to have multiple IPsec tunnel behind a NAT to connect to Cisco Umbrella Secure Internet Gateway (SIG). The local identity is used to configure a unique identity per IKEv2 tunnel, instead of a global identity for all the tunnels.

    Support for IPv6 on Static VTI

    9.16(1)

    ASA supports IPv6 addresses in Virtual Tunnel Interfaces (VTI) configurations.

    A VTI tunnel source interface can have an IPv6 address, which you can configure to use as the tunnel endpoint. If the tunnel source interface has multiple IPv6 addresses, you can specify which address to be used, else the first IPv6 global address in the list is used by default.

    The tunnel mode can be either IPv4 or IPv6, but it must be the same as IP address type configured on VTI for the tunnel to be active. An IPv6 address can be assigned to the tunnel source or the tunnel destination interface in a VTI.

    Support for 1024 VTI interfaces per device

    9.16(1)

    The number of maximum VTIs to be configured on a device has been increased from 100 to 1024.

    Even if a platform supports more than 1024 interfaces, the VTI count is limited to the number of VLANs configurable on that platform. For example, ASA 5510 supports 100 VLANs, the tunnel count would be 100 minus the number of physical interfaces configured.

    New/Modified screens: None

    DHCP Relay Server Support on VTI

    9.14(1)

    ASA allows VTI interfaces to be configured as DHCP relay server connecting interfaces.

    We modified the following screen to specify a VTI interface for DHCP relay:

    Configuration > Device Management > DHCP > DHCP Relay > DHCP Relay Interface Servers

    Support for IKEv2, certificate based authentication, and ACL in VTI

    9.8.(1)

    Virtual Tunnel Interface (VTI) now supports BGP (static VTI). You can now use IKEv2 in standalone and high availability modes. You can use certificate based authentication by setting up a trustpoint in the IPsec profile. You can also apply access lists on VTI using access-group commands to filter ingress traffic.

    We introduced options to select the trustpoint for certificate based authentication in the following screen:

    Configuration > Site-to-Site VPN > Advanced > IPsec Proposals (Transform Sets) > IPsec Profile > Add

    Virtual Tunnel Interface (VTI) support

    9.7.(1)

    The ASA is enhanced with a new logical interface called Virtual Tunnel Interface (VTI), used to represent a VPN tunnel to a peer. This supports route based VPN with IPsec profiles attached to each end of the tunnel. Using VTI does away with the need to configure static crypto map access lists and map them to interfaces.

    We introduced the following screens:

    Configuration > Site-to-Site VPN > Advanced > IPsec Proposals (Transform Sets) > IPsec Profile

    Configuration > Site-to-Site VPN > Advanced > IPsec Proposals (Transform Sets) > IPsec Profile > Add > Add IPsec Profile

    Configuration > Device Setup > Interface Settings > Interfaces > Add > VTI Interface

    Configuration > Device Setup > Interface Settings > Interfaces > Add > VTI Interface > General

    Configuration > Device Setup > Interface Settings > Interfaces > Add > VTI Interface > Advanced