Configuring a Cisco IOS VTI based tunnel

IPSec VTIs (Virtual Tunnel Interfaces) simplify the configuration of a VPN compared to using crypto maps or GRE over IPSec tunnels. A benefit of using VTIs is that the crypto configuration is not tied to a physical interface; instead each VTI carries its own configuration. You can run a dynamic routing protocol (EIGRP, OSPF etc.) across the tunnel or define QoS per VTI.

VTI Configuration Example using defaults

To set up a basic VTI based site-to-site VPN you can use the crypto defaults (ISAKMP Policy, IPSec Transform Set and IPSec Profile); apart from the VTI itself, the only crypto configuration needed is a Pre-Shared Key. Note that the key below is defined with address 0.0.0.0, which matches any peer address; for a single site-to-site tunnel the peer address (1.1.1.2 here) can be specified instead.

Step 1 – Define a Pre-Shared Key

R1(config)# crypto isakmp key cisco123 address 0.0.0.0

Step 2 – Configure Tunnel Interface

R1(config)# interface tunnel 0
R1(config-if)# ip address 10.10.0.1 255.255.255.0
R1(config-if)# tunnel source fastethernet 0/0
R1(config-if)# tunnel destination 1.1.1.2
R1(config-if)# tunnel mode ipsec ipv4
R1(config-if)# tunnel protection ipsec profile default

Full Configuration

interface fastethernet 0/0
ip address 1.1.1.1 255.255.255.0
no shutdown

crypto isakmp key cisco123 address 0.0.0.0

interface tunnel 0
ip address 10.10.0.1 255.255.255.0
tunnel source fastethernet 0/0
tunnel destination 1.1.1.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile default

router eigrp 1
network 10.10.0.0 0.0.0.255

The same configuration above can be applied to the peer router, changing only the Fa0/0 and Tu0 interface IP addresses and the tunnel destination.

VTI Configuration Example (with custom ISAKMP Policy, IPSec Transform Set and IPSec Profile)

The default IOS crypto settings may or may not be deemed sufficient. To specify stronger encryption and hashing algorithms etc. for the VPN, create an ISAKMP Policy, a Transform Set and an IPSec Profile.

Step 1 – Create an ISAKMP Policy

  • Cisco IOS routers have 8 default IKE Policies with priorities starting at 65507, each with a different encryption/authentication/hashing/DH group configuration.
  • A router will use the ISAKMP Policy with the lowest number (highest priority) on which both peers agree on the same properties.
  • When creating an ISAKMP Policy you must specify the encryption algorithm, authentication method, hash algorithm, key exchange (DH) group and lifetime of the IKE session.

R1(config)# crypto isakmp policy 10
R1(config-isakmp)# encryption aes 192
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# hash sha256
R1(config-isakmp)# group 15
R1(config-isakmp)# lifetime 86400

Step 2 – Define a Pre-Shared Key

R1(config)# crypto isakmp key cisco123 address 0.0.0.0

Step 3 – Create an IPSec Transform Set

R1(config)# crypto ipsec transform-set TSET esp-aes 192 esp-sha256-hmac

Step 4 – Create an IPSec Profile

  • The IPSec Profile references the previously created Transform Set.

R1(config)# crypto ipsec profile IPSEC_PROFILE
R1(ipsec-profile)# set transform-set TSET

Step 5 – Create a Tunnel Interface

  • Create a tunnel interface, identify the peer (destination) IP address and reference the previously created IPSec Profile.

R1(config)# interface tunnel 0
R1(config-if)# ip address 10.10.0.1 255.255.255.0
R1(config-if)# tunnel source fastethernet 0/0
R1(config-if)# tunnel destination 1.1.1.2
R1(config-if)# tunnel mode ipsec ipv4
R1(config-if)# tunnel protection ipsec profile IPSEC_PROFILE

Full Configuration

interface fastethernet 0/0
ip address 1.1.1.1 255.255.255.0
no shutdown

crypto isakmp policy 10
encryption aes 192
authentication pre-share
hash sha256
group 15
lifetime 86400

crypto isakmp key cisco123 address 0.0.0.0

crypto ipsec transform-set TSET esp-aes 192 esp-sha256-hmac

crypto ipsec profile IPSEC_PROFILE
set transform-set TSET

interface tunnel 0
ip address 10.10.0.1 255.255.255.0
tunnel source fastethernet 0/0
tunnel destination 1.1.1.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC_PROFILE

router eigrp 1
network 10.10.0.0 0.0.0.255

The same configuration above can be applied to the peer router, changing only the Fa0/0 and Tu0 interface IP addresses and the tunnel destination.

Verify IKE and IPSec SAs

Use the command “show crypto isakmp sa” to verify IKE Phase 1 is complete; a state of “QM_IDLE” confirms the IKE SA is established.

Use the command “show crypto isakmp sa detail” to confirm the parameters negotiated in IKE Phase 1.

Use the command “show crypto isakmp policy” to display the parameters of the configured ISAKMP Policies. From the output above and below we can determine that ISAKMP Policy 10 was used to complete IKE Phase 1 (note the use of DH group 15).

With IKE Phase 1 in state “QM_IDLE” we can determine that the IKE (ISAKMP) SAs between the two peers are established correctly.

Use the command “show crypto ipsec sa” to display the IPSec SAs. Confirm that the packet counters show traffic being successfully encrypted and decrypted in both directions; a counter that stays at zero on one side usually points to a mismatch on the peer.

You can also determine which transform set is being used in IKE Phase 2. Confirm this by using the command “show crypto ipsec transform-set”. In this instance the default transform set is being used (esp-aes esp-sha-hmac).
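The checks above can be scripted against saved command output so that a tunnel is only reported healthy when Phase 1 is in QM_IDLE and both the encrypt and decrypt counters advance between two samples. This is an added example, not code from the original post; the show output is constructed by hand in the IOS layout and is not a capture from a real router.

```python
import re

# Constructed sample of "show crypto isakmp sa" for the tunnel in this post.
ISAKMP_SA = """IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
1.1.1.2         1.1.1.1         QM_IDLE           1001 ACTIVE
"""

# Constructed excerpts of "show crypto ipsec sa" taken a few seconds apart.
IPSEC_SA_T0 = """interface: Tunnel0
   current_peer 1.1.1.2 port 500
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
    #pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118
"""
IPSEC_SA_T1 = """interface: Tunnel0
   current_peer 1.1.1.2 port 500
    #pkts encaps: 135, #pkts encrypt: 135, #pkts digest: 135
    #pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118
"""

# One SA row: dst src state conn-id status (the header has no numeric conn-id).
SA_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s*$", re.M)
COUNTER = re.compile(r"#pkts (encrypt|decrypt): (\d+)")

def phase1_complete(show_isakmp_sa, peer):
    """True when the ISAKMP SA towards `peer` is QM_IDLE and ACTIVE."""
    for dst, _src, state, _conn_id, status in SA_ROW.findall(show_isakmp_sa):
        if dst == peer and state == "QM_IDLE" and status == "ACTIVE":
            return True
    return False

def phase2_counters(show_ipsec_sa):
    """Return {'encrypt': n, 'decrypt': n} from a show crypto ipsec sa excerpt."""
    return {name: int(val) for name, val in COUNTER.findall(show_ipsec_sa)}

def tunnel_health(show_isakmp_sa, peer, ipsec_before, ipsec_after):
    """Classify the tunnel: Phase 1 must be up and both directions must move."""
    if not phase1_complete(show_isakmp_sa, peer):
        return "phase1-down"
    before, after = phase2_counters(ipsec_before), phase2_counters(ipsec_after)
    tx = after["encrypt"] - before["encrypt"]
    rx = after["decrypt"] - before["decrypt"]
    if tx > 0 and rx > 0:
        return "healthy"
    if tx > 0 and rx == 0:
        return "one-way"  # we encrypt but nothing decrypts: check the peer side
    return "idle"
```

With the constructed samples the result is "one-way": the encrypt counter advanced while decrypt did not, which is the pattern to look for when the peer's transform set or routing does not match.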
