VTI tunnels vs InterVLAN

Hi everyone!
We have 2 Cisco routers - 3925 (office A) and 2921 (office B). There is VTI tunneling (with 3DES encryption), EIGRP dynamic routing (main and reserve optic channels) and 1 default VLAN #2. It's a working model which is used between the 2 offices.
Now I have a task to add VLAN #3 in Office B, which is used in Office A and routed to the FireWall. VLAN #3 must be routed bypassing the VTI tunnel. As I understand it, I should use the InterVLAN feature on both routers. But it doesn't work. :(
Here are configs:
Office A (3925):
interface GigabitEthernet0/0
 no ip address
interface GigabitEthernet0/0.2
 encapsulation dot1Q 2
 ip address 192.168.100.181 255.255.255.0
interface GigabitEthernet0/0.3
 encapsulation dot1Q 3
 ip address 192.168.150.10 255.255.255.0
interface GigabitEthernet0/1
 no ip address
interface GigabitEthernet0/1.2
 encapsulation dot1Q 2
 ip address 10.48.101.178 255.255.255.0
interface GigabitEthernet0/1.3
 encapsulation dot1Q 3
 ip address 10.48.103.178 255.255.255.0
router eigrp 100
 network 192.168.100.0 0.0.0.255
 network 192.168.104.0 0.0.0.255
 network 192.168.201.176 0.0.0.255
 network 192.168.202.176 0.0.0.255
ip route 0.0.0.0 0.0.0.0 192.168.100.180
ip route 10.48.103.0 255.255.255.0 GigabitEthernet0/1.3
ip route 192.168.150.0 255.255.255.0 192.168.100.2
Office B (2921):
interface GigabitEthernet0/0
 no ip address
interface GigabitEthernet0/0.2
 encapsulation dot1Q 2
 ip address 192.168.104.1 255.255.255.0
interface GigabitEthernet0/0.3
 description MOWDT Vlan 3
 encapsulation dot1Q 3
 ip address 192.168.150.11 255.255.255.0
interface GigabitEthernet0/1
 no ip address
interface GigabitEthernet0/1.2
 encapsulation dot1Q 2
 ip address 10.48.101.179 255.255.255.0
interface GigabitEthernet0/1.3
 encapsulation dot1Q 3
 ip address 10.48.103.179 255.255.255.0
router eigrp 100
 network 192.168.100.0 0.0.0.255
 network 192.168.104.0 0.0.0.255
 network 192.168.201.176 0.0.0.255
 network 192.168.202.176 0.0.0.255
ip route 0.0.0.0 0.0.0.0 192.168.100.180
ip route 10.48.103.0 255.255.255.0 GigabitEthernet0/1.3
ip route 192.168.150.0 255.255.255.0 GigabitEthernet0/1.3
Could you please assist with where the problem is?
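To see which of the posted Office A routes actually carries traffic, here is an added example (not from the thread) that models IOS route selection: per prefix only the source with the lowest administrative distance is installed (connected 0, static 1, EIGRP internal 90), and forwarding then uses the longest matching prefix. The routes are copied from the Office A config above; the EIGRP-learned 192.168.104.0/24 via an interface named Tunnel0 is an assumption, since the tunnel interface itself is not in the posted excerpt.

```python
"""Longest-prefix match with administrative-distance tie-break (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    via: str      # next-hop address or exit interface
    source: str   # "connected", "static" or "eigrp"


# IOS default administrative distances for the sources that appear on this page.
AD = {"connected": 0, "static": 1, "eigrp": 90}


def route(prefix: str, via: str, source: str) -> Route:
    return Route(ipaddress.ip_network(prefix, strict=False), via, source)


# Routes visible in the Office A (3925) config above. The EIGRP entry over
# "Tunnel0" is an assumption: the tunnel interface is not in the posted excerpt.
OFFICE_A = [
    route("192.168.100.0/24", "GigabitEthernet0/0.2", "connected"),
    route("192.168.150.0/24", "GigabitEthernet0/0.3", "connected"),
    route("10.48.101.0/24", "GigabitEthernet0/1.2", "connected"),
    route("10.48.103.0/24", "GigabitEthernet0/1.3", "connected"),
    route("0.0.0.0/0", "192.168.100.180", "static"),
    route("10.48.103.0/24", "GigabitEthernet0/1.3", "static"),
    route("192.168.150.0/24", "192.168.100.2", "static"),
    route("192.168.104.0/24", "Tunnel0", "eigrp"),
]


def install(routes):
    """Build the RIB: for each prefix keep only the source with the lowest AD."""
    rib = {}
    for r in routes:
        best = rib.get(r.prefix)
        if best is None or AD[r.source] < AD[best.source]:
            rib[r.prefix] = r
    return rib


def lookup(rib, dst: str):
    """Longest-prefix match over the installed routes; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for p, r in rib.items() if addr in p]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


def shadowed(routes):
    """Configured routes that never reach the RIB because a lower-AD route covers the same prefix."""
    rib = install(routes)
    return [r for r in routes if rib[r.prefix] is not r]


if __name__ == "__main__":
    rib = install(OFFICE_A)
    for dst in ("192.168.150.11", "192.168.104.1", "203.0.113.5"):
        r = lookup(rib, dst)
        print(f"{dst:16} -> {r.prefix} via {r.via} ({r.source})")
    for r in shadowed(OFFICE_A):
        print(f"shadowed: ip route {r.prefix.network_address} {r.prefix.netmask} {r.via}")
```

Run against the posted config, both static routes for subnets that are already directly connected (10.48.103.0/24 and 192.168.150.0/24) are reported as shadowed, so they have no effect on forwarding.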

Both of these lines do the same thing: in one the value is defined explicitly and in the other it is set for auto-discovery. However, when it comes to the tunnel interface, all you need is to set the MTU size to 1400.
one:  ip tcp adjust-mss 1300
two:  tunnel path-mtu-discovery
Now an additional command, which you need to disable split-horizon on EIGRP (the "x" is your process ID), and which you need for spoke-to-spoke communication to pass via the hub:
no ip split-horizon eigrp x
"If I disable these features won't i have problems with fragmentation ?"
That is taken care of by setting the MTU size to 1400.
Now set "ip tcp adjust-mss 1380" on your physical interfaces facing toward your internal switch.
Have you tried it?
thanks
Message was edited by: Rizwan Mohamed
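For the MTU and MSS numbers discussed above, here is an added example (not from the thread) that computes ESP tunnel-mode overhead for the esp-3des esp-sha-hmac transform used in the configs on this page, with and without the UDP/4500 NAT-T encapsulation, and derives the largest inner packet that fits a 1500-byte path as well as the TCP MSS for a given tunnel IP MTU (IPv4 MTU minus the 20-byte IP and 20-byte TCP headers).

```python
"""ESP tunnel-mode overhead calculator (added example, not from the thread)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Transform:
    name: str
    block: int    # cipher block size in bytes (CBC padding granularity)
    iv_len: int   # explicit IV length in bytes
    icv_len: int  # integrity check value length in bytes (HMAC-SHA1-96 = 12)


# The transform sets that appear in configs on this page.
ESP_3DES_SHA = Transform("esp-3des esp-sha-hmac", block=8, iv_len=8, icv_len=12)
ESP_AES256_SHA = Transform("esp-aes 256 esp-sha-hmac", block=16, iv_len=16, icv_len=12)

OUTER_IPV4 = 20    # new outer IP header added in tunnel mode
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
UDP_HDR = 8        # NAT-T encapsulation on UDP/4500


def esp_padding(inner_len: int, t: Transform) -> int:
    """Pad bytes so that payload + padding + trailer is a multiple of the cipher block."""
    return (-(inner_len + ESP_TRAILER)) % t.block


def esp_tunnel_size(inner_len: int, t: Transform, nat_t: bool = False) -> int:
    """On-the-wire size of an inner IPv4 packet of inner_len bytes after ESP tunnel mode."""
    size = (OUTER_IPV4 + ESP_HDR + t.iv_len + inner_len
            + esp_padding(inner_len, t) + ESP_TRAILER + t.icv_len)
    return size + UDP_HDR if nat_t else size


def max_inner_mtu(path_mtu: int, t: Transform, nat_t: bool = False) -> int:
    """Largest inner packet that still fits the path MTU without fragmentation."""
    inner = path_mtu
    while esp_tunnel_size(inner, t, nat_t) > path_mtu:
        inner -= 1
    return inner


def tcp_mss_for(ip_mtu: int) -> int:
    """MSS for IPv4+TCP without options: MTU minus 20-byte IP and 20-byte TCP headers."""
    return ip_mtu - 40


if __name__ == "__main__":
    for t in (ESP_3DES_SHA, ESP_AES256_SHA):
        for nat in (False, True):
            fit = max_inner_mtu(1500, t, nat)
            print(f"{t.name:26} nat-t={nat!s:5} max inner MTU {fit}, "
                  f"1400-byte packet becomes {esp_tunnel_size(1400, t, nat)} bytes")
    print("ip mtu 1400 -> tcp adjust-mss", tcp_mss_for(1400))
```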

Similar Messages

  • Is it possible to create a VTI tunnel from my 877 router to my ASA

    Hi all
I would like to know if it is possible to create a VTI tunnel from my 877 router to my ASA, rather than creating a crypto map on the router?
    cheers
    Carl

    Yes you can
Forgot to add that it is possible when configuring EzVPN where the 877 is a remote client and the ASA is the server.
    Sent from Cisco Technical Support iPhone App

  • VTI tunnel & OSPF

    Hi all,
    I have configured VTI tunnel interfaces (tunnel mode ipsec ipv4) and OSPF on that interfaces.
    VTI is encrypting all data traffic. But what about OSPF traffic?
    Is OSPF traffic encrypted also or I need to configure OSPF authentication?
    Thanks

The OSPF exchange is already encrypted inside of the tunnel, so you don't have to use OSPF authentication. OSPF uses the tunnel IP addresses for communication, and traffic flow between those two addresses is possible only through the secure tunnel.

  • VTI tunnel problem

    Hi all,
    We have VTI tunnels between Cisco (3825 and 878) and Juniper (SRX3600).
Sometimes the tunnel goes down and I have to manually shutdown and no shutdown the tunnel interface to bring it up.
These are the logs from the Cisco:
    %%crypto-4-recvd_pkt_inv_spi: decaps: rec'd ipsec packet has invalid spi for destaddr=X.Y.100.200, prot=50, spi=0xc5d07a33(3318774323), srcaddr=X.Y.100.100
    %%crypto-4-ikmp_no_sa: ike message from X.Y.100.100 has no sa and is not an initialization offer
    X.Y.100.100 is Juniper SRX3600
    X.Y.100.200 is Cisco 3825
But I see these logs more often than the tunnel goes down!
So what is the problem?
    Thanks

    Hello,
this should help: crypto isakmp invalid-spi-recovery
    http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080bf6100.shtml
    Best Regards
    Please rate all helpful posts and close solved questions

  • Static VTI tunnel to asa

    Hi All,
I need to connect some routers to an ASA using IPSec tunnels. The goal is to get netflow traffic from the routers to a collector behind an ASA using IPSec tunnels.
Recently I found out that (locally originated) netflow isn't properly encrypted when sent through an IPSec tunnel (http://www.plixer.com/blog/network-traffic-analysis/sending-netflow-over-ipsec-tunnels/). The workaround seems to be using flexible netflow (which my collector doesn't support) or using a real tunnel interface on the router.
    This implies I need to use:
    - IPSec/GRE
    - EzVPN with DVTI
    - SVTI...?
    Since GRE is not supported on the ASA and I want the tunnel to be always active, implementing static VTI tunnels might be a good idea. So I would like to use something like this on the router.
    interface Tunnel0
ip unnumbered loopback0
    tunnel source x.x.x.x
    tunnel destination y.y.y.y
    tunnel mode ipsec ipv4
    My question is, does anybody know if you can build an IPSec tunnel between an ASA and a router, using a SVTI interface on the router? A code sample for the ASA and the router would be more than welcome.
    Regards

    Hi Hielke ,
if you manage to match the SAs proposed by the router when using SVTI, which is any to any, you will do this on the ASA using a crypto map access-list as follows:
access-list crypto VPN permit ip any any
then all traffic leaving the interface where the crypto map is applied will be subject to encryption, which is not practical in most cases. You may use a different interface (on the ASA) for this tunnel with the SVTI, as it will use any any and that traffic is different than the one leaving the outside interface.
so as Marcin said, this will not scale for you
    HTH
    Mohammad.

  • VTI Tunnel Bandwidth Statements

    What is the proper way to set bandwidth statements on VTI/GRE tunnels over an MPLS network when different locations have different bandwidth capacities?
    For example:
    Location 1 - DS3 - 44mbps
    Location 2 - DS1 - 1.5mbps
Would I put 'bandwidth 1500' on both ends of the tunnel, or would I put 'bandwidth 44000' on the DS3 side and 'bandwidth 1500' on the DS1?

    Hi Peter,
To my knowledge, the bandwidth statement will not restrict the volume of traffic. Instead it is just a parameter used for control plane calculations. If you really want to restrict the volume of traffic flowing over these interfaces, you may have to think of shaping the same.
    HTH,
    Nagendra

  • Virtual Tunnel Interface (VTI) Hub Router Configuration

When configuring multiple VTI tunnels on a hub router, is it recommended that each tunnel use a unique transform-set and IPsec profile, or can they all share the same configuration?
    Example:
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key ******** address 0.0.0.0 0.0.0.0
    crypto isakmp keepalive 10
    crypto ipsec transform-set TSET esp-3des esp-sha-hmac
    crypto ipsec profile VTI
    set transform-set TSET
    Thanks.-

    Hi,
    The IPsec profile can be shared.
You could also create multiple transform sets, reference them in IPsec profiles and then apply each to a specific VTI.
    Sent from Cisco Technical Support iPhone App

  • OSPF with ipsec VTI interface goes down before dead timer.

I have a strange issue where OSPF will initially start working, hellos are exchanged both ways, but then after about 3 – 6 hellos one of the sides stops getting them and the IPsec VTI tunnel drops on router A even before the dead timer reaches 0. Is this default behavior, that when OSPF is over a VTI interface and it doesn’t receive hellos it drops the tunnel?
I’m at a loss as to what is going on since it looks like only one neighbor stops receiving hellos, router A, for a brief period of time. This VTI tunnel is going over another provider’s FW and they have assured me the tunnel destination/source IPs are wide open; they also sent me the ACL and I can verify this. The weird thing is if I enable EIGRP it works great with no issues. On router B I am using the same source/ip unnumbered interface on multiple VTI tunnels to other destinations but this shouldn’t cause any issues I don’t think. I have never had an issue like this and from what I can tell router A just stops briefly getting hellos after 3 – 6 initial hellos and drops the protocol on the VTI interface. If I set the dead timer on router A long enough it will stop receiving hellos but stay up and then after a while you get “LOADING to FULL” as the hellos start coming in again. Again the tunnel goes over a Cisco 800 which I have no control over and a potential FW before that, but I saw the ACL and the IP is being allowed. I was thinking this could be a trolling issue on the FW but it doesn’t explain why EIGRP works. FYI I was having a recursive routing issue before but I have since fixed that and the issue still continues.
******** it turns out that I was using the same source IP on multiple tunnels. IPsec would get confused with packets coming in and would deliver packets to the wrong tunnel interface. This was solved by using the key command with a different key number on each set of tunnels with the shared profile command
    "If more than one mGRE tunnel is configured on a router that use the same tunnel source address, the shared keyword must be added to the tunnel protection command on all such tunnel interfaces. Each mGRE tunnel interface still requires a unique tunnel key, NHRP network-ID, and IP subnet address. This is common on a branch router when a dual DMVPN cloud topology is deployed. "
    Router A:
    router ospf 1
    router-id 10.213.22.2
    passive-interface default
    network x.x.97.26 0.0.0.0 area 0
    interface Tunnel1
    ip unnumbered GigabitEthernet0/1
    ip virtual-reassembly in
    ip tcp adjust-mss 1398
    ip ospf network point-to-point
    load-interval 30
    tunnel source GigabitEthernet0/1
    tunnel mode ipsec ipv4
    tunnel destination x.x.173.109
    tunnel path-mtu-discovery
    tunnel protection ipsec profile VTI-to-NB
    router B:
    router ospf 1
    router-id 172.17.2.6
    priority 1
    redistribute static subnets route-map Lan-static-RM
    passive-interface default
    no passive-interface Tunnel1
    no passive-interface Tunnel4
    no passive-interface Tunnel5
    network x.x.173.109 0.0.0.0 area 0
    network 172.17.2.6 0.0.0.0 area 0
    network 192.168.1.47 0.0.0.0 area 0
    interface Tunnel4
    ip unnumbered GigabitEthernet0/2
    ip virtual-reassembly in
    ip tcp adjust-mss 1398
    ip ospf network point-to-point
    load-interval 30
    tunnel source GigabitEthernet0/2
    tunnel mode ipsec ipv4
    tunnel destination x.x.97.26
    tunnel path-mtu-discovery
    tunnel protection ipsec profile VTI_NB_to_dorrance_prv
    end
    thanks P

    Disclaimer
    The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
    Liability Disclaimer
    In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
    Posting
    I haven't studied your config, but I can tell you I have production environment using OSPF across VTI  (and GRE, and GRE/IPSec and DMVPN) tunnels without issue.  I.e. so OSPF can be okay with VTI tunnels.

  • SRX Using DHCP on UNTRUST (BRANCH)-- Connected to Static VTI Cisco Router (HQ)

    Good morning Gentlemen, I need some advice.  I am primarily a cisco IOS chap, but have recently been delving into some JUNOS action.
    I cannot find an example on the Juniper Forums/Documentation or the Cisco Forums/Documentation to my specific Issue.
Firstly, I am not interested in Policy Based VPNs. I do not know if it is possible to use a DHCP-assigned public address on a remote device with a "static VTI" when using IKE identities. However, as Phase 1 is up, I think the issue is more to do with Phase 2 proposals when not explicitly defining a tunnel destination.
    In the scenario I am trying to sort now, I have an SRX-100 device, that gets its public address from a DHCP server.
    I have back at the HQ, a cisco router.  
The Cisco router has various VTI tunnels out to other branch devices, which are smaller Cisco routers. These VTI tunnels are working fine - note they are all using static public IPs.
I have my Phase 1 up fine (from both sides' perspective) and am sending a local-identity hostname instead of defining a destination address on the tunnel on the Cisco side.
    JUNIPER
    Index State Initiator cookie Responder cookie Mode Remote Address
    5048723 UP 41ee08a4a0fde661 517176fea0f23989 Aggressive 4.4.4.4
    CISCO
    IPv4 Crypto ISAKMP SA
    dst src state conn-id status
    4.4.4.4 1.1.1.1 QM_IDLE 1110 ACTIVE NICK-SRX-ISAKMP-PROFILE
A working VTI tunnel has an SA of (Cisco perspective):
    local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
    remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
    I have tried sending this as the proxy-id on the Juniper to no avail.
    The error is still :
    *Jun 6 10:20:07.244: ISAKMP1110):atts are acceptable.
    IPSec policy invalidated proposal with error 64
    *Jun 6 10:20:07.244: ISAKMP1110): phase 2 SA policy not acceptable!
The IPSEC transform-set attributes are accepted, though:
    transform 0, ESP_3DES
    *Jun 6 10:20:07.244: ISAKMP: attributes in transform:
    *Jun 6 10:20:07.244: ISAKMP: authenticator is HMAC-SHA
    *Jun 6 10:20:07.244: ISAKMP: SA life type in seconds
    *Jun 6 10:20:07.244: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10 
    *Jun 6 10:20:07.244: ISAKMP: SA life type in kilobytes
    *Jun 6 10:20:07.244: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0 
    *Jun 6 10:20:07.244: ISAKMP: encaps is 1 (Tunnel)
    *Jun 6 10:20:07.244: ISAKMP1110):atts are acceptable.
So it is something to do with the SA/proxy IDs being sent.
Here is the Juniper config:
    proposal IKE-SHA-AES128-DH2 {
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm sha1;
        encryption-algorithm aes-128-cbc;
        lifetime-seconds 86400;
    }
    policy IKE-POLICY-HQ {
        mode aggressive;
        proposals IKE-SHA-AES128-DH2;
        pre-shared-key ascii-text "secretkey";
    }
    gateway IKE-GATEWAY {
        ike-policy IKE-POLICY-HQ;
        address 4.4.4.4;
        local-identity hostname knuckles.net;
        external-interface fe-0/0/0.0;
    }
    proposal HQ-IPSEC-PROPOSAL {
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 3600;
        lifetime-kilobytes 4608000;
    }
    policy HQ-IPSEC-POLICY {
        proposals HQ-IPSEC-PROPOSAL;
    }
    vpn ROUTE-BASED-VPN-TO-HQ {
        bind-interface st0.0;
        ike {
            gateway IKE-GATEWAY;
            ipsec-policy HQ-IPSEC-POLICY;
        }
        establish-tunnels immediately;
    }
    st0 {
        unit 0 {
            family inet {
                address 10.1.1.2/30;
            }
        }
    }
    CISCO SIDE:
    crypto isakmp policy 2
    encr aes
    authentication pre-share
    group 2
    crypto keyring NICK-SRX 
    pre-shared-key hostname knuckles.net key secretkey
    crypto isakmp profile NICK-SRX-ISAKMP-PROFILE
    keyring default
    keyring NICK-SRX
    match identity host knuckles.net
    initiate mode aggressive
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
    mode tunnel
    crypto ipsec profile NICK-SRX-IPSEC-PROFILE
    set transform-set ESP-3DES-SHA 
    set isakmp-profile NICK-SRX-ISAKMP-PROFILE
    interface Tunnel1
    description HQ to NC-SRX
    ip address 10.1.1.1 255.255.255.252
    tunnel source 4.4.4.4
    tunnel mode ipsec ipv4
    tunnel destination dynamic
    tunnel protection ipsec profile NICK-SRX-IPSEC-PROFILE
FYI - if I use the provider-given DHCP address on the Cisco tunnel config as a destination, the tunnel comes up immediately... So I'm thinking this may be a limitation of static VTI. I have not tested the IKE identity on a remote Cisco router also using VTI yet.
    e.g.
    interface Tunnel1
    description HQ to NC-SRX
    ip address 10.1.1.1 255.255.255.252
    tunnel source 4.4.4.4
    tunnel mode ipsec ipv4
    tunnel destination 1.1.1.1
    tunnel protection ipsec profile NICK-SRX-IPSEC-PROFILE
So I guess my question is: is this possible using a static VTI?
What does this command do - does it turn on dynamic VTI (all that virtual-template business), or just tell the tunnel to expect an IKE identity?
tunnel destination dynamic
Does dynamic VTI work with different vendors, and if so how can you control what VRF is assigned to the tunnels? I will need multiple VRFs for each branch device in the future, some using DHCP public addresses.
The VTI design guide does not mention IKE identity for branch sites without using dynamic VTI.
I would like to avoid using the whole EasyVPN / dynamic VTI, as I need to use multiple VRFs on the endpoints.

    Perhaps this fellow has cracked it - is this the only way ???
    https://supportforums.cisco.com/document/58076/dynamic-ip-dynamic-ip-ipsec-vpn-tunnel

  • Mixed Config: VTI and classic ipsec

    Is there an issue with running these together on the same router?
    I'm just trying to get a migration plan together to move to VTI.

    Cisco IPSec VTIs are a new tool that customers can use to configure IPSec-based VPNs between site-to-site devices. IPSec VTI tunnels provide a designated pathway across a shared WAN and encapsulate traffic with new packet headers, which helps to ensure delivery to specific destinations. The network is private because traffic can enter a tunnel only at an endpoint. In addition, IPSec provides true confidentiality (as does encryption) and can carry encrypted traffic.
    http://www.cisco.com/en/US/tech/tk583/tk372/technologies_white_paper0900aecd8029d629.shtml

  • IPSEC VTI and OSPF

    I have 5 routers (soon to be 6) with tunnels (all VTI) between them.
    I also have a basic OSPF setup running here (previously it was RIP), and all networks can talk to each other, however there is one routing issue, where it takes a longer path to the remote network.
    The Configs:
    R1:
    interface Tunnel0
    description tunnel to detroit office
    ip address 172.28.40.1 255.255.255.0
    ip ospf network broadcast
    ip ospf mtu-ignore
    tunnel source xx
    tunnel destination xxx
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile VTI
    interface Tunnel1
    description tunnel to San Diego Office
    ip address 172.28.42.1 255.255.255.0
    ip ospf network broadcast
    ip ospf mtu-ignore
    tunnel source xxx
    tunnel destination xxx
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile VTI
    interface Tunnel2
    description tunnel to Detroit DC
    ip address 172.28.43.1 255.255.255.0
    ip ospf network broadcast
    ip ospf mtu-ignore
    tunnel source xxx
    tunnel destination xx
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile VTI
    interface Tunnel3
    description tunnel to detroit office - standby
    ip address 172.28.51.1 255.255.255.0
    ip ospf network broadcast
    ip ospf mtu-ignore
    tunnel source GigabitEthernet0/0
    tunnel destination xxx
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile VTI
    router ospf 42
    log-adjacency-changes
    network 10.87.1.0 0.0.0.255 area 0
    network 172.28.40.0 0.0.0.255 area 0
    network 172.28.42.0 0.0.0.255 area 0
    network 172.28.43.0 0.0.0.255 area 0
    network 172.28.51.0 0.0.0.255 area 0
    cerberus#sh ip route ospf
         172.28.0.0/24 is subnetted, 7 subnets
    O       172.28.49.0 [110/2000] via 172.28.42.2, 05:47:06, Tunnel1
    O       172.28.50.0 [110/2000] via 172.28.42.2, 05:47:06, Tunnel1
    O       172.28.41.0 [110/2000] via 172.28.42.2, 05:47:06, Tunnel1
                        [110/2000] via 172.28.40.2, 05:47:06, Tunnel0
         10.0.0.0/24 is subnetted, 2 subnets
    O       10.87.2.0 [110/2001] via 172.28.42.2, 05:47:06, Tunnel1
    O    192.168.1.0/24 [110/1001] via 172.28.42.2, 05:47:06, Tunnel1
    O    192.168.2.0/24 [110/1001] via 172.28.40.2, 05:47:06, Tunnel0
    cerberus#
As you can see, for 10.87.2.x it is going through the 192 network when it has a direct tunnel through Tunnel2.
    R2:
    interface Tunnel0
    description tunnel to AIS San Diego
    ip address 172.28.42.2 255.255.255.0
    ip ospf network broadcast
    ip ospf mtu-ignore
    tunnel source GigabitEthernet0
    tunnel mode ipsec ipv4
    tunnel destination xxx
    tunnel protection ipsec profile VTI
    interface Tunnel1
    description tunnel to detroit office
    ip address 172.28.41.1 255.255.255.0
    ip ospf network broadcast
    ip ospf mtu-ignore
    tunnel source GigabitEthernet0
    tunnel mode ipsec ipv4
    tunnel destination xxx
    tunnel protection ipsec profile VTI
    interface Tunnel2
    description tunnel to Detroit Data Center
    ip address 172.28.49.1 255.255.255.0
    ip ospf network broadcast
    ip ospf mtu-ignore
    tunnel source GigabitEthernet0
    tunnel mode ipsec ipv4
    tunnel destination xxx
    tunnel protection ipsec profile VTI
    interface Tunnel3
    description tunnel to Detroit t1 router
    ip address 172.28.50.1 255.255.255.0
    ip ospf network broadcast
    ip ospf mtu-ignore
    tunnel source GigabitEthernet0
    tunnel mode ipsec ipv4
    tunnel destination xxx
    tunnel protection ipsec profile VTI
    router ospf 42
    log-adjacency-changes
    network 172.28.41.0 0.0.0.255 area 0
    network 172.28.42.0 0.0.0.255 area 0
    network 172.28.49.0 0.0.0.255 area 0
    network 172.28.50.0 0.0.0.255 area 0
    network 192.168.1.0 0.0.0.255 area 0
    #sh ip route ospf
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route, + - replicated route
    Gateway of last resort is 24.43.240.137 to network 0.0.0.0
          10.0.0.0/24 is subnetted, 2 subnets
    O        10.87.1.0 [110/1001] via 172.28.42.1, 03:55:51, Tunnel0
    O        10.87.2.0 [110/1001] via 172.28.49.2, 03:55:51, Tunnel2
          172.28.0.0/16 is variably subnetted, 11 subnets, 2 masks
    O        172.28.40.0/24 [110/2000] via 172.28.42.1, 03:55:51, Tunnel0
                            [110/2000] via 172.28.41.2, 03:55:51, Tunnel1
    O        172.28.43.0/24 [110/2000] via 172.28.49.2, 03:55:51, Tunnel2
                            [110/2000] via 172.28.42.1, 03:55:51, Tunnel0
    O        172.28.51.0/24 [110/2000] via 172.28.50.2, 03:55:51, Tunnel3
                            [110/2000] via 172.28.42.1, 03:55:51, Tunnel0
    O     192.168.2.0/24 [110/1001] via 172.28.50.2, 03:55:51, Tunnel3
                         [110/1001] via 172.28.41.2, 03:55:51, Tunnel1
R2 is the router that R1 ends up using when connecting to 10.87.2.x.
Any advice on, one, how to fix this, and two, on the general setup would be wonderful. I am new to OSPF and feel like I could have done a better job here (maybe using an area per site).

    R2 is the router R1 is using to get to the destination that Tunnel 1 on R1 is connected to
    Tunnel 1 on R3 is a VTI tunnel to Tunnel 3 on R1.
    R1 is currently using tunnel 1 on R1 to hop to R2 and then uses tunnel 2 to get to R3
    If that makes sense.. 
    Here is the config for R3
    interface Tunnel1
    description tunnel to AIS San Diego
    ip address 172.28.43.2 255.255.255.0
    ip ospf mtu-ignore
    tunnel source xxx
    tunnel destination xxx
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile VTI
    interface Tunnel2
    description tunnel to San Diego Main Office
    ip address 172.28.49.2 255.255.255.0
    ip ospf network broadcast
    ip ospf mtu-ignore
    tunnel source xxx
    tunnel destination xxx
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile VTI
    router ospf 42
    log-adjacency-changes
    network 10.87.2.0 0.0.0.255 area 0
    network 172.28.43.0 0.0.0.255 area 0
    network 172.28.49.0 0.0.0.255 area 0
    sh ip route
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route
    Gateway of last resort is 199.16.189.209 to network 0.0.0.0
         172.28.0.0/24 is subnetted, 7 subnets
    C       172.28.49.0 is directly connected, Tunnel2
    O       172.28.50.0 [110/2000] via 172.28.49.1, 02:32:05, Tunnel2
    O       172.28.51.0 [110/3000] via 172.28.49.1, 02:32:05, Tunnel2
    O       172.28.40.0 [110/3000] via 172.28.49.1, 02:32:05, Tunnel2
    O       172.28.41.0 [110/2000] via 172.28.49.1, 02:32:05, Tunnel2
    O       172.28.42.0 [110/2000] via 172.28.49.1, 02:32:05, Tunnel2
    C       172.28.43.0 is directly connected, Tunnel1
         10.0.0.0/24 is subnetted, 2 subnets
    O       10.87.1.0 [110/2001] via 172.28.49.1, 02:32:05, Tunnel2
    C       10.87.2.0 is directly connected, GigabitEthernet0/1
         199.16.189.0/28 is subnetted, 1 subnets
    C       199.16.189.208 is directly connected, GigabitEthernet0/0
    O    192.168.1.0/24 [110/1001] via 172.28.49.1, 02:32:05, Tunnel2
    O    192.168.2.0/24 [110/2001] via 172.28.49.1, 02:32:05, Tunnel2

  • IPSec VPN with VTI behind DSL router

    Hi All,
Is it possible to use a VTI tunnel interface on a router when the outside interface has a private IP address and is connected to a DSL modem with a static public IP address, in other words when the router sits behind the DSL modem?
    Router gi0/1        -->        DSL Modem     -->     Internet  --> to HQ (Firewall with static IP)
    Outside 192.168.1.2            WAN static public IP
                                                           LAN 192.168.1.1
    Interface config:
    interface GigabitEthernet0/1
     ip vrf forwarding Internet-VRF
     ip address 192.168.1.2 255.255.255.0
     ip nat outside
     ip virtual-reassembly in
     duplex auto
     speed auto
    end
    Tunnel config:
    crypto isakmp policy 282
     encr aes 256
     authentication pre-share
     group 2
     lifetime 28800
     hash sha
    crypto isakmp key 0 PSK address xxx.xxx.xxx.xxx
    crypto ipsec transform-set aes256-sha esp-aes 256 esp-sha-hmac
     mode tunnel
    crypto ipsec profile VPN
     set transform-set aes256-sha
     set pfs group2
    interface Tunnel1
     ip vrf forwarding Internet-VRF
     ip address 172.27.82.254 255.255.255.252
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     tunnel source Gi0/1
     tunnel mode ipsec ipv4
     tunnel destination xxx.xxx.xxx.xxx
     tunnel protection ipsec profile VPN
I have been digging into the Cisco documentation but have found no answer.
    Thanks in advance.

Both the remote and hub router will detect the existence of a NAT device in between, which causes both routers to switch over from UDP port 500 to UDP port 4500 to exchange IKE messages. I suspect there is no switch-over taking place from your log (both using UDP 500), so I suggest you validate whether both routers support the NAT-T feature by checking if they are listening on UDP port 4500.

  • %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=1777, sequence number=161369

I have a pair of 3945E routers I use as redundant VPN head-ends in our data center and numerous 2901s and one 2951 used as spoke routers. Each of the spokes is connected to the 3945s over VTI tunnels three and four. We regularly see replay errors occur, but this morning it got disruptive enough on one of the tunnels on the 2951 that we experienced 80 to 90 percent packet loss across that one tunnel. This caused an outage which I was only able to rectify by shutting down the tunnel interface on each router and bringing them back up, thus resetting the SA.
I need to understand how to reduce or completely eliminate the replay errors. I've read something about increasing the replay window size, but don't have a clue where to start. What is the best way to fix this without disabling replay checking? Or, since the VPN head-ends and spoke routers only have static routes established across the Internet to each other, is replay checking even necessary or desired?
Thanks in advance!
Paul Wishart

    Adam,
    I don't have a resolution yet, so I opened a TAC case last Saturday.  I'll keep you posted on this forum.
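To understand what the replay errors above mean before changing anything, here is an added example (not from the thread) that simulates the RFC 4303 anti-replay sliding window an ESP receiver keeps per inbound SA: a packet that arrives more than window-size sequence numbers behind the newest accepted one is dropped as too old even though it is not a replay, which is what a reordering WAN path can trigger, while a larger window (in IOS, crypto ipsec security-association replay window-size) absorbs the reorder and still catches a genuine duplicate. The packet arrival order is constructed for the demonstration.

```python
"""IPsec anti-replay sliding window, RFC 4303 style (added example, not from the thread)."""


class ReplayWindow:
    """Tracks received ESP sequence numbers for one inbound SA.

    top is the highest sequence number accepted so far; bit i of bitmap is set
    when sequence number (top - i) has been seen. Anything older than
    top - size + 1 is rejected outright, even if it was never seen before.
    """

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0          # highest accepted sequence number (0 = nothing yet)
        self.bitmap = 0       # bit 0 == top, bit 1 == top - 1, ...
        self.dropped_old = 0  # arrived behind the window (reorder, not replay)
        self.dropped_dup = 0  # already seen inside the window (genuine replay)

    def check(self, seq: int) -> bool:
        """Return True and update the window if seq is acceptable, else False."""
        if seq == 0:
            return False                              # sequence number 0 is never valid
        if seq > self.top:                            # newer than anything seen: slide window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            self.dropped_old += 1                     # too far behind the window
            return False
        if (self.bitmap >> offset) & 1:
            self.dropped_dup += 1                     # duplicate inside the window
            return False
        self.bitmap |= 1 << offset                    # late but new: accept and mark
        return True


def run(sequence, size: int):
    """Feed a stream of sequence numbers; return (accepted, dropped_old, dropped_dup)."""
    w = ReplayWindow(size)
    accepted = sum(1 for s in sequence if w.check(s))
    return accepted, w.dropped_old, w.dropped_dup


def constructed_stream():
    """Constructed arrival order: packets 1..200, with packet 5 delayed until just
    before packet 105 (99 positions late) and packet 190 replayed at the end."""
    order = list(range(1, 201))
    order.remove(5)
    order.insert(order.index(105), 5)
    order.append(190)
    return order


if __name__ == "__main__":
    for size in (64, 128):
        acc, old, dup = run(constructed_stream(), size)
        print(f"window {size:3}: accepted {acc}, dropped as too old {old}, dropped as replay {dup}")
```

With the 64-entry window the late-but-legitimate packet 5 is counted as a replay error just like the real duplicate; with a 128-entry window only the duplicate is dropped.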

  • Which encryption method is the best way to secure the data transfer

    Hi ,
    I want to configure the Encryption between two cisco Wan routers(3845 & 3825).
We use a 50MB leased line connection to transfer the data. I also configured QoS to limit the data transfer rate to 20MB on the same pipe and it's working fine. We also use the same pipe for trading purposes too. That's why I limit data (copy) transfer between the two hosts to 20MB.
    Which encryption method should I use to secure the data transfer?
Please kindly advise.
    Thanks,

    I would recommend AES256.
    I would also recommend a VTI tunnel vs. GRE/IPSec.  However, both, depending on your IOS, should support AES256.
Encryption will demand more from your routers. I think the 3845 should be able to support 20 Mbps encrypted, not as sure about the 3825. (BTW, if you have a 50 Mbps LL, why are you limiting the transfer rate to 20 Mbps?)
    Also BTW, there's much involved in setting up encrypted tunnels for optimal performance.  Also see: http://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/25885-pmtud-ipfrag.html

  • VTI vs GRE Tunnels

    Could someone please point me towards a document which fully explains the pros and cons of VTI against GRE?

There was an ask-the-expert conversation about VTI;
check this answer from Sunil Cherukuri, Cisco VPN expert:
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40.1ddaee26/3#selected_message
    M.
Hope that helps; rate if it does
