Benefits
- Supports multicast encryption: Cisco IOS Software IPSec VTIs can carry multicast traffic, control-plane traffic (routing protocol hellos, for example) and ordinary data traffic through the same tunnel, because the tunnel is a point-to-point interface rather than a set of crypto-map ACL matches.
- Provides a routable interface: Cisco IOS Software IPSec VTIs can run any IP routing protocol across the tunnel.
- Improves scaling: a VTI needs only one pair of security associations per tunnel to cover every kind of traffic, unicast and multicast, instead of one SA pair per crypto ACL entry, so the SA count on a hub grows with the number of peers rather than with the number of protected subnets.
- Offers flexibility in defining features: because an IPSec VTI is an interface in its own right, features such as QoS, NetFlow, ACLs and NAT can be applied either to the tunnel interface or to the underlying physical interface, whichever suits the design.
An IPSec virtual tunnel configuration does not require a static mapping of IPSec sessions to a physical interface. Encrypted traffic can therefore be sent and received on any physical interface, which matters when there are multiple paths to the peer. Traffic is encrypted when it is forwarded out of the tunnel interface and decrypted when it arrives on it, and what reaches the tunnel interface is decided by the IP routing table. Dynamic or static IP routing can be used to steer traffic into the tunnel. Using IP routing to select traffic for encryption simplifies the IPSec VPN configuration compared with the access control lists (ACLs) of a crypto map in a classic IPSec configuration, where every protected subnet pair has to be enumerated.
- Dynamic routing: a routing protocol run over the tunnel propagates the remote network addresses to the local site. This simplifies management of the IPSec network and lets it grow without manually maintaining reachability information (the static routes or crypto ACLs a crypto-map design would need).
- Quality of service (QoS): QoS can be used to improve the performance of different applications across the network. In a two-site design, traffic shaping on the tunnel interface can limit the total amount of traffic sent between the sites, and any combination of the QoS features offered in Cisco IOS Software can be applied to the tunnel interface to support voice, video or data applications.
Scenario: two routers, R1 (WAN address 172.20.1.2) and R2 (WAN address 172.20.1.6), build a single IPSec VTI between them. The tunnel interfaces are numbered from 192.168.1.0/30 (R1 192.168.1.2, R2 192.168.1.1). Phase 1 uses IKEv1 (ISAKMP) with a pre-shared key; phase 2 uses an IPSec profile applied to the tunnel interface instead of a crypto map.
- R1 config
! Phase 1 (IKEv1/ISAKMP) policy: 3DES, MD5, pre-shared key; no "group" line, so DH group 1 (the IOS default) is used
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
! Pre-shared key for the peer, keyed on R2's WAN address
crypto isakmp key CISCO address 172.20.1.6
! Phase 2 (IPSec) transform set: ESP with 3DES encryption and HMAC-MD5 integrity
crypto ipsec transform-set 3DES esp-3des esp-md5-hmac
! IPSec profile referenced by the tunnel; this replaces the crypto map of a classic configuration
crypto ipsec profile VTI
 set transform-set 3DES
! The VTI itself: "tunnel mode ipsec ipv4" makes this an IPSec VTI rather than a GRE tunnel
interface Tunnel100
 ip address 192.168.1.2 255.255.255.252
 tunnel source 172.20.1.2
 tunnel destination 172.20.1.6
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
- R2 config
! Mirror of R1: same policy and transform set, key and tunnel endpoints swapped
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
! Pre-shared key for the peer, keyed on R1's WAN address
crypto isakmp key CISCO address 172.20.1.2
crypto ipsec transform-set 3DES esp-3des esp-md5-hmac
crypto ipsec profile VTI
 set transform-set 3DES
interface Tunnel100
 ip address 192.168.1.1 255.255.255.252
 tunnel source 172.20.1.6
 tunnel destination 172.20.1.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
Note on the crypto parameters: these are lab values. 3DES, MD5 and DH group 1 (which is what IOS picks when the policy has no "group" line; it shows up as DH 1 in the show crypto isakmp sa output below) are all deprecated, the profile has no "set pfs", and the pre-shared key CISCO is trivially guessable. For anything beyond a lab, use AES-256 with SHA-256 or stronger, DH group 14 or higher, PFS, a long random pre-shared key (or certificate authentication), and preferably IKEv2 instead of ISAKMP.
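The settings just listed are exactly what a configuration lint pass should catch before a change is pushed. The script below is an added example (not code from the original post and not a Cisco tool): it parses IOS-style configuration text, reports the weak IKEv1/IPSec parameters, and builds a hardened equivalent of the same VTI (AES-256, SHA-256, DH group 14, PFS, a long PSK). The hardened command syntax assumes Cisco IOS 15.x; R1_CONFIG is a constructed copy of R1's configuration above with IOS indentation restored; the function names and the 16-character PSK threshold are this example's own choices.

```python
"""Lint an IOS IPSec VTI configuration for weak IKEv1/IPSec parameters and
build a hardened equivalent. Added example; not code from the original post
or from Cisco."""

# Constructed copy of R1's configuration from the post, with IOS indentation.
R1_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key CISCO address 172.20.1.6
crypto ipsec transform-set 3DES esp-3des esp-md5-hmac
crypto ipsec profile VTI
 set transform-set 3DES
interface Tunnel100
 ip address 192.168.1.2 255.255.255.252
 tunnel source 172.20.1.2
 tunnel destination 172.20.1.6
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
"""

WEAK_IKE_ENCR = {"des", "3des"}
WEAK_IKE_HASH = {"md5", "sha"}                 # "sha" is SHA-1 in ISAKMP policy syntax
WEAK_DH_GROUPS = {"1", "2", "5"}               # 768-, 1024- and 1536-bit MODP
WEAK_ESP = {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac", "esp-sha-hmac"}
MIN_PSK_LEN = 16                               # this example's own threshold (assumption)


def parse_sections(config):
    """Split IOS config text into (top-level command, [sub-commands]) pairs,
    using the one-space indentation IOS gives sub-mode commands."""
    sections = []
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue                           # skip blanks and "!" comments
        if line.startswith(" "):
            if sections:
                sections[-1][1].append(line.strip())
        else:
            sections.append((line.strip(), []))
    return sections


def audit(config):
    """Return a list of findings; an empty list means nothing weak was seen."""
    findings = []
    for header, body in parse_sections(config):
        tokens = header.split()
        if header.startswith("crypto isakmp policy"):
            opts = dict(cmd.split(" ", 1) if " " in cmd else (cmd, "") for cmd in body)
            encr = opts.get("encr", opts.get("encryption", "des")).split()[0]  # IOS default: DES
            if encr in WEAK_IKE_ENCR:
                findings.append(f"{header}: weak encryption '{encr}'")
            hash_ = opts.get("hash", "sha")                                    # IOS default: SHA-1
            if hash_ in WEAK_IKE_HASH:
                findings.append(f"{header}: weak hash '{hash_}'")
            group = opts.get("group", "1")                                     # IOS default: group 1
            if group in WEAK_DH_GROUPS:
                findings.append(f"{header}: weak DH group {group}")
        elif header.startswith("crypto isakmp key"):
            if tokens[3] == "6":               # type-6 encrypted key: length cannot be judged
                continue
            key = tokens[4] if tokens[3] == "0" else tokens[3]
            if len(key) < MIN_PSK_LEN:
                findings.append(f"crypto isakmp key for {tokens[-1]}: PSK shorter than {MIN_PSK_LEN} chars")
        elif header.startswith("crypto ipsec transform-set"):
            for t in tokens[4:]:               # everything after the set name
                if t in WEAK_ESP:
                    findings.append(f"transform-set {tokens[3]}: weak transform '{t}'")
        elif header.startswith("crypto ipsec profile"):
            if not any(cmd.startswith("set pfs") for cmd in body):
                findings.append(f"{header}: no PFS (set pfs missing)")
    return findings


def hardened_config(local, peer, tunnel_ip, psk, tunnel_id=100):
    """Same route-based VTI with AES-256 / SHA-256 / DH group 14 / PFS.
    Command syntax assumed to be that of Cisco IOS 15.x."""
    return f"""\
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
crypto isakmp key {psk} address {peer}
crypto ipsec transform-set AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile VTI
 set transform-set AES256-SHA256
 set pfs group14
interface Tunnel{tunnel_id}
 ip address {tunnel_ip} 255.255.255.252
 tunnel source {local}
 tunnel destination {peer}
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
"""


if __name__ == "__main__":
    for finding in audit(R1_CONFIG):
        print("R1:", finding)
    print(hardened_config("172.20.1.2", "172.20.1.6", "192.168.1.2", "correct-horse-battery-staple"))
```

To check a live box, feed audit() the output of show running-config (the "crypto" and "interface Tunnel" sections are enough). The hardened template still uses IKEv1 with a pre-shared key; a production deployment would go one step further to IKEv2 with certificate authentication, which this example does not cover.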
Verification: the following show commands, run on R1, confirm that the profile is in place, that phase 1 (ISAKMP) and phase 2 (IPSec) have been negotiated, and that traffic is actually being encrypted and decrypted. The profile output first: the lifetime shown is the IOS default for IPSec SAs, and PFS (Y/N): N confirms that no PFS group was configured.
R1#show crypto ipsec profile
IPSEC profile VTI
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
3DES,
}
Phase 1: the ISAKMP SA to 172.20.1.6 must show Status ACTIVE (the non-detail form of the command shows QM_IDLE for the same state). The Encr, Hash, Auth and DH columns show what was actually negotiated, so this is also where an unexpected fallback to a weaker policy would be visible.
R1#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
1004 172.20.1.2 172.20.1.6 ACTIVE 3des md5 psk 1 21:27:07
Engine-id:Conn-id = SW:4
Phase 2: the IPSec SA is bound to Tunnel100; the crypto map tag Tunnel100-head-0 is generated automatically by tunnel protection and is not something to configure. With a VTI the local and remote ident are 0.0.0.0/0 because the routing table, not an ACL, decides what enters the tunnel. The #pkts encaps and #pkts decaps counters should increase as traffic flows in each direction (here five pings each way), and every failed, invalid, no sa and replay counter should stay at zero.
R1#show crypto ipsec sa detail
interface: Tunnel100
Crypto map tag: Tunnel100-head-0, local addr 172.20.1.2
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 172.20.1.6 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0
local crypto endpt.: 172.20.1.2, remote crypto endpt.: 172.20.1.6
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0
current outbound spi: 0x635E3D56(1667120470)
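To turn the checks described above into something repeatable (a monitoring probe, or a post-change test), here is an added example that is not part of the original post: it parses the two show commands and reports whether the tunnel is healthy, meaning a phase-1 SA is established, packets are being both encapsulated and decapsulated, and every failure counter is zero. ISAKMP_SA and IPSEC_SA are constructed copies of R1's output above with the original column layout; the health rules, the error-word list and the function names are this example's own choices.

```python
"""Parse 'show crypto isakmp sa detail' and 'show crypto ipsec sa detail'
output and decide whether an IPSec VTI is healthy. Added example; not code
from the original post or from Cisco."""
import re

# Constructed copies of R1's verification output from the post.
ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
C-id  Local           Remote          I-VRF   Status  Encr  Hash  Auth  DH  Lifetime  Cap.
1004  172.20.1.2      172.20.1.6              ACTIVE  3des  md5   psk   1   21:27:07
Engine-id:Conn-id = SW:4
"""

IPSEC_SA = """\
interface: Tunnel100
    Crypto map tag: Tunnel100-head-0, local addr 172.20.1.2
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 172.20.1.6 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
    ##pkts replay failed (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (recv) 0
     local crypto endpt.: 172.20.1.2, remote crypto endpt.: 172.20.1.6
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0
     current outbound spi: 0x635E3D56(1667120470)
"""

# One ISAKMP SA row: conn-id, local, remote, optional I-VRF, status, encr, hash, auth, DH, lifetime.
ISAKMP_ROW = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(?:\S+\s+)??"
    r"(ACTIVE|QM_IDLE|MM_[A-Z_]+|AG_[A-Z_]+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)",
    re.M,
)
# Every "#pkts <name>[:] <value>" counter, including the "##pkts replay failed" line.
COUNTER = re.compile(r"#+pkts ([^,#]+?):?\s+(\d+)")
ESTABLISHED = {"ACTIVE", "QM_IDLE"}
ERROR_WORDS = ("failed", "invalid", "no sa", "internal err")   # this example's own list


def parse_isakmp(text):
    """One dict per ISAKMP SA row in 'show crypto isakmp sa detail' output."""
    keys = ("conn_id", "local", "remote", "status", "encr", "hash", "auth", "dh", "lifetime")
    return [dict(zip(keys, m.groups())) for m in ISAKMP_ROW.finditer(text)]


def parse_ipsec(text):
    """Interface, peer, local traffic selector, SPI and all #pkts counters."""
    def first(pattern):
        m = re.search(pattern, text)
        return m.group(1) if m else None
    return {
        "interface": first(r"interface:\s*(\S+)"),
        "peer": first(r"current_peer\s+(\S+)"),
        "local_ident": first(r"local\s+ident[^:]*:\s*(\S+)"),
        "spi": first(r"current outbound spi:\s*(\S+)"),
        "counters": {name.strip(): int(n) for name, n in COUNTER.findall(text)},
    }


def tunnel_health(isakmp_text, ipsec_text):
    """Return (healthy, problems). Healthy means: an established phase-1 SA,
    packets both encapsulated and decapsulated, and every failure counter zero."""
    problems = []
    if not any(sa["status"] in ESTABLISHED for sa in parse_isakmp(isakmp_text)):
        problems.append("no established ISAKMP SA (phase 1 down or still negotiating)")
    sa = parse_ipsec(ipsec_text)
    c, ifname, peer = sa["counters"], sa["interface"], sa["peer"]
    if c.get("encaps", 0) == 0:
        problems.append(f"{ifname}: nothing encrypted towards {peer}; check the route into the tunnel")
    if c.get("decaps", 0) == 0:
        problems.append(f"{ifname}: nothing decrypted from {peer}; check the peer and the path")
    for name, n in c.items():          # any non-zero failure counter is a problem
        if n and any(w in name for w in ERROR_WORDS):
            problems.append(f"{ifname}: {name} = {n}")
    return not problems, problems


if __name__ == "__main__":
    print(tunnel_health(ISAKMP_SA, IPSEC_SA))
```

Run it twice a few seconds apart on a live device and compare the encaps/decaps values: a tunnel whose counters never move is as broken as one with no SA. A rising replay failed (rcv) counter with otherwise clean output usually means packets are being reordered on the path (QoS queueing is a common cause) rather than an attack, but it is worth looking at either way.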