Anda di halaman 1dari 52

IPsec Virtual Tunnel Interface

First Published: October 18, 2004 Last Updated: August 1, 2006

IP security (IPsec) virtual tunnel interfaces (VTIs) provide a routable interface type for terminating IPsec tunnels and an easy way to define protection between sites to form an overlay network. IPsec VTIs simplify configuration of IPsec for protection of remote links, support multicast, and simplify network management and load balancing.
Finding Feature Information in This Module

Your Cisco IOS software release may not support all of the features documented in this module. To reach links to specific feature documentation in this module and to see a list of the releases in which each feature is supported, use the Feature Information for IPsec Virtual Tunnel Interfaces section on page 49.
Finding Support Information for Platforms and Cisco IOS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Contents

Restrictions for IPsec Virtual Tunnel Interface, page 2 Information About IPsec Virtual Tunnel Interfaces, page 2 How to Configure IPsec Virtual Tunnel Interfaces, page 8 Configuration Examples for IPsec Virtual Tunnel Interfaces, page 13 Additional References, page 26 Command Reference, page 27 Feature Information for IPsec Virtual Tunnel Interfaces, page 49

Corporate Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA

Copyright 2005, 2006 Cisco Systems, Inc. All rights reserved.

IPsec Virtual Tunnel Interface Restrictions for IPsec Virtual Tunnel Interface

Restrictions for IPsec Virtual Tunnel Interface


IPsec Transform Set

The IPsec transform set must be configured in tunnel mode only.


IKE Security Association

The Internet Key Exchange (IKE) security association (SA) is bound to the VTI. Because IKE SA is bound to the VTI, the same IKE SA cannot be used for a crypto map.
Proxy

Static VTIs support only IP ANY ANY proxies. Only one proxy is supported with VTI. Dynamic VTIs, on the other hand, support more than one proxy.
QoS Traffic Shaping

The shaped traffic is process switched.


Stateful Failover

IPsec stateful failover is not supported with IPsec VTIs.


Tunnel Protection

The shared keyword is not required and must not be configured when using the tunnel mode ipsec ipv4 command for IPsec IPv4 mode.
Static VTIs Versus GRE Tunnels

The IPsec VTI is limited to IP unicast and multicast traffic only, as opposed to GRE tunnels, which have a wider application for IPsec implementation.
VRF-Aware IPsec Configuration

In VRF-aware IPsec configurations with either static or dynamic VTIs (DVTIs), the VRF must not be configured in the Internet Security Association and Key Management Protocol (ISAKMP) profile. Instead, the VRF must be configured on the tunnel interface for static VTIs. For DVTIs, you must apply VRF to the vtemplate using the ip vrf forwarding command.

Information About IPsec Virtual Tunnel Interfaces


The use of IPsec VTIs both greatly simplifies the configuration process when you need to provide protection for remote access and provides a simpler alternative to using generic routing encapsulation (GRE) or Layer 2 Tunneling Protocol (L2TP) tunnels for encapsulation and crypto maps with IPsec. A major benefit associated with IPsec VTIs is that the configuration does not require a static mapping of IPsec sessions to a physical interface. The IPsec tunnel endpoint is associated with an actual (virtual) interface. Because there is a routable interface at the tunnel endpoint, many common interface capabilities can be applied to the IPsec tunnel. The IPsec VTI allows for the flexibility of sending and receiving both IP unicast and multicast encrypted traffic on any physical interface, such as in the case of multiple paths. Traffic is encrypted or decrypted when it is forwarded from or to the tunnel interface and is managed by the IP routing table. Dynamic or static IP routing can be used to route the traffic to the virtual interface. Using IP routing to forward the

Cisco IOS Release: Multiple releases (see the Feature Information table)

IPsec Virtual Tunnel Interface Information About IPsec Virtual Tunnel Interfaces

traffic to the tunnel interface simplifies the IPsec VPN configuration compared to the more complex process of using access control lists (ACLs) with the crypto map in native IPsec configurations. DVTIs function like any other real interface so that you can apply quality of service (QoS), firewall, and other security services as soon as the tunnel is active. Without Virtual Private Network (VPN) Acceleration Module2+ (VAM2+) accelerating virtual interfaces, the packet traversing an IPsec virtual interface is directed to the router processor (RP) for encapsulation. This method tends to be slow and has limited scalability. In hardware crypto mode, all the IPsec VTIs are accelerated by the VAM2+ crypto engine, and all traffic going through the tunnel is encrypted and decrypted by the VAM2+. The following sections provide details about the IPsec VTI:

Benefits of Using IPsec Virtual Tunnel Interfaces, page 3 Routing with IPsec Virtual Tunnel Interfaces, page 3 Static Virtual Tunnel Interfaces, page 4 Dynamic Virtual Tunnel Interfaces, page 4 Dynamic Virtual Tunnel Interface Life Cycle, page 5 Traffic Encryption with the IPsec Virtual Tunnel Interface, page 5 Per-User Attribute Support for Easy VPN Servers, page 7

Benefits of Using IPsec Virtual Tunnel Interfaces


IPsec VTIs allow you to configure a virtual interface to which you can apply features. Features for clear-text packets are configured on the VTI. Features for encrypted packets are applied on the physical outside interface.When IPsec VTIs are used, you can separate the application of features such as NAT, ACLs, and QoS and apply them to clear-text or encrypted text, or both. When crypto maps are used, there is no simple way to apply encryption features to the IPsec tunnel.

Routing with IPsec Virtual Tunnel Interfaces


Because VITs are routable interfaces, routing plays an important role in the encryption process. Traffic is encrypted only if it is forwarded out of the VTI, and traffic arriving on the VTI is decrypted and is routed accordingly. VTIs allow you to establish an encryption tunnel using a real interface as the tunnel endpoint. You can route to the interface or apply services such as QoS, firewalls, network address translation, and Netflow statistics as you would to any other interface. You can monitor the interface, route to it, and it has an advantage over crypto maps because it is a real interface and provides the benefits of any other regular Cisco IOS interface. In addition, the VTI encrypts traffic that is sent to it. You can enable routing protocols on the tunnel interface so that routing information can be propagated over the virtual tunnel. The router can establish neighbor relationships over the VTI. Multicast packets can be encrypted, and interoperability with standard-based IPsec installations is possible because the static IPsec VTI will negotiate and accept permit IP ANY ANY proxies. There are two types of VTI interfaces: static VTI (SVTIs) and dynamic VTI (DVTIs).

Cisco IOS Release: Multiple releases (see the Feature Information table)

IPsec Virtual Tunnel Interface Information About IPsec Virtual Tunnel Interfaces

Static Virtual Tunnel Interfaces


SVTI configurations can be used for site-to-site connectivity in which a tunnel provides always-on access between two sites. The advantage of using SVTIs as opposed to crypto map configurations is that users can enable dynamic routing protocols on the tunnel interface without the extra 4 bytes required for GRE headers, thus reducing the bandwidth for sending encrypted data. Additionally, multiple Cisco IOS software features can be configured directly on the tunnel interface and on the physical egress interface of the tunnel interface. This direct configuration allows users to have solid control on the application of the features in the pre- or post-encryption path. Figure 1 illustrates how a static VTI is used.
Figure 1 IPsec Static VTI

192.168.2.0/24 .1 192.168.1.0/24 .1 192.168.100.0/30 Tunnel 0 192.168.2.0/24 .1 .2

The IPsec VTI supports native IPsec tunneling and exhibits most of the properties of a physical interface.

Dynamic Virtual Tunnel Interfaces


DVTIs can provide highly secure and scalable connectivity for remote-access VPNs. The DVTI technology replaces dynamic crypto maps and the dynamic hub-and-spoke method for establishing tunnels. Dynamic VTIs can be used for both the server and remote conguration. The tunnels provide an on-demand separate virtual access interface for each VPN session. The configuration of the virtual access interfaces is cloned from a virtual template configuration, which includes the IPsec configuration and any Cisco IOS software feature configured on the virtual template interface, such as QoS, NetFlow, or ACLs. DVTIs function like any other real interface so that you can apply QoS, firewall, other security services as soon as the tunnel is active. QoS features can be used to improve the performance of various applications across the network. Any combination of QoS features offered in Cisco IOS software can be used to support voice, video, or data applications. Dynamic VTIs provide efficiency in the use of IP addresses and provide secure connectivity. Dynamic VTIs allow dynamically downloadable per-group and per-user policies to be configured on a RADIUS server. The per-group or per-user definition can be created using extended authentication (Xauth) User or Unity group, or it can be derived from a certificate. Dynamic VTIs are standards based, so interoperability in a multiple-vendor environment is supported. IPsec dynamic VTIs allow you to create

Cisco IOS Release: Multiple releases (see the Feature Information table)

127961

IPsec Virtual Tunnel Interface Information About IPsec Virtual Tunnel Interfaces

highly secure connectivity for remote access VPNs and can be combined with Cisco Architecture for Voice, Video, and Integrated Data (AVVID) to deliver converged voice, video, and data over IP networks. The dynamic VTI simplifies Virtual Private Network (VRF) routing and forwarding- (VRF-) aware IPsec deployment. The VRF is configured on the interface. A dynamic VTI requires minimal configuration on the router. A single virtual template can be configured and cloned. The dynamic VTI creates an interface for IPsec sessions and uses the virtual template infrastructure for dynamic instantiation and management of dynamic IPsec VTIs. The virtual template infrastructure is extended to create dynamic virtual-access tunnel interfaces. Dynamic VTIs are used in hub-and-spoke configurations. A single dynamic VTI can support several static VTIs. Decisions are made through routing updates. Figure 2 illustrates the dynamic VTI authentication path.
Figure 2 Dynamic IPsec VTI

User 1 Remote LAN Bridge/ Router 1

Local authorization

auth Single User Client with ISDN Card ISDN Physical interface DSL 3 2

Virtual template interface 3

Virtual access interface


135632

Single User Client

Router

The authentication shown in Figure 2 follows this path:


1. 2. 3.

User 1 calls the router. Router 1 authenticates User 1. IPsec clones virtual access interface from virtual template interface.

Dynamic Virtual Tunnel Interface Life Cycle


IPsec profiles define policy for dynamic VTIs. The dynamic interface is created at the end of IKE Phase 1 and IKE Phase 1.5. The interface is deleted when the IPsec session to the peer is closed. The IPsec session is closed when both IKE and IPsec SAs to the peer are deleted.

Traffic Encryption with the IPsec Virtual Tunnel Interface


When an IPsec VTI is configured, encryption occurs in the tunnel. Traffic is encrypted when it is forwarded to the tunnel interface. Traffic forwarding is handled by the IP routing table, and dynamic or static IP routing can be used to route the traffic to the VTI. Using IP routing to forward the traffic to

Cisco IOS Release: Multiple releases (see the Feature Information table)

IPsec Virtual Tunnel Interface Information About IPsec Virtual Tunnel Interfaces

encryption simplifies the IPsec VPN configuration because the use of ACLs with a crypto map in native IPsec configurations is not required. The IPsec virtual tunnel also allows you to encrypt multicast traffic with IPsec. IPsec packet flow into the IPsec tunnel is illustrated in Figure 3.
Figure 3 Packet Flow into the IPsec Tunnel
4. Encrypted packets are passed out of the physical outside interface.

1. Clear-text IP packets enter the router.

Cisco IOS router

IP

Inside interface

Forwarding engine

Outside interface

Encryption 3. Encrypted packets are forwarded to the forwarding engine.

VTI 2. Packets are routed to virtual interface.


127959

Inside interface

Outside interface

After packets arrive on the inside interface, the forwarding engine switches the packets to the VTI, where they are encrypted. The encrypted packets are handed back to the forwarding engine, where they are switched through the outside interface. Figure 4 shows the packet flow out of the IPsec tunnel.

Cisco IOS Release: Multiple releases (see the Feature Information table)

IPsec Virtual Tunnel Interface Information About IPsec Virtual Tunnel Interfaces

Figure 4

Packet Flow out of the IPsec Tunnel


4. Clear text packets are passed through physical interface.

1.IPsec encrypted packets enter the router.

Cisco IOS router

IP

Inside interface

Forwarding engine IPsec decryption

Outside interface
127960

VTI 2. Forwarding engine determines it is a packet for us and sends it to IPsec for decryption.

Inside interface

Outside interface

3. IPsec decrypts the packets and associates to the VTI based on the SA information.

Per-User Attribute Support for Easy VPN Servers


The Per-User Attribute Support for Easy VPN Servers feature provides users with the ability to support per-user atttributes on Easy VPN servers. These attributes are applied on the virtual access interface.

Local Easy VPN AAA Server


For a local Easy VPN AAA server, the per-user attributes can be applied at the group level or at the user level using the command-line interface (CLI). To configure per-user attributes for a local Easy VPN server, see Configuring Per-User Attributes on a Local Easy VPN AAA Server.

Remote Easy VPN AAA Server


Attribute value (AV) pairs can be defined on a remote Easy VPN AAA server as shown in this example: cisco-avpair = ip:outacl#101=permit tcp any any established

Per-User Attributes
The following per-user attributes are currently defined in the AAA server and are applicable to IPsec:

inacl interface-config outacl route rte-fltr-in

Cisco IOS Release: Multiple releases (see the Feature Information table)

IPsec Virtual Tunnel Interface How to Configure IPsec Virtual Tunnel Interfaces

rte-fltr-out sub-policy-In sub-policy-Out policy-route prefix

How to Configure IPsec Virtual Tunnel Interfaces


Configuring Static IPsec Virtual Tunnel Interfaces, page 8 Configuring Dynamic IPsec Virtual Tunnel Interfaces, page 10 Configuring Per-User Attributes on a Local Easy VPN AAA Server, page 12

Configuring Static IPsec Virtual Tunnel Interfaces


This configuration shows how to configure a static IPsec VTI.

SUMMARY STEPS
1. 2. 3. 4. 5. 6. 7. 8. 9.

enable configure terminal crypto IPsec profile profile-name set transform-set transform-set-name interface type number ip address address mask tunnel mode ipsec ipv4 tunnel source interface tunnel destination ip-address

10. tunnel protection IPsec profile profile-name [shared]

Cisco IOS Release: Multiple releases (see the Feature Information table)

IPsec Virtual Tunnel Interface How to Configure IPsec Virtual Tunnel Interfaces

DETAILED STEPS
Command or Action
Step 1
enable

Purpose Enables privileged EXEC mode.

Enter your password if prompted.

Example:
Router> enable

Step 2

configure terminal

Enters global configuration mode.

Example:
Router# configure terminal

Step 3

crypto IPsec profile profile-name

Defines the IPsec parameters that are to be used for IPsec encryption between two IPsec routers.

Example:
Router(config)# crypto IPsec profile PROF

Step 4

set transform-set transform-set-name [transform-set-name2...transform-set-name6]

Specifies which transform sets can be used with the crypto map entry.

Example:
Router(config)# set transform-set tset

Step 5

interface type number

Specifies the interface on which the tunnel will be configured and enters interface configuration mode.

Example:
Router(config)# interface tunnel0

Step 6

ip address address mask

Specifies the IP address and mask.

Example:
Router(config-if)# ip address 10.1.1.1 255.255.255.0

Step 7

tunnel mode ipsec ipv4

Defines the mode for the tunnel.

Example:
Router(config-if)# tunnel mode ipsec ipv4

Step 8

tunnel source interface

Specifies the tunnel source as a loopback interface.

Example:
Router(config-if)# tunnel source loopback0

Cisco IOS Release: Multiple releases (see the Feature Information table)

IPsec Virtual Tunnel Interface How to Configure IPsec Virtual Tunnel Interfaces

Command or Action
Step 9
tunnel destination ip-address

Purpose Identifies the IP address of the tunnel destination.

Example:
Router(config-if)# tunnel destination 172.16.1.1

Step 10

tunnel protection IPsec profile profile-name [shared]

Associates a tunnel interface with an IPsec profile.

Example:
Router(config-if)# tunnel protection IPsec profile PROF

Configuring Dynamic IPsec Virtual Tunnel Interfaces


This task shows how to configure a dynamic IPsec VTI.

SUMMARY STEPS
1. 2. 3. 4. 5. 6. 7. 8. 9.

enable configure terminal crypto IPsec profile profile-name set transform-set transform-set-name interface virtual-template number tunnel mode mode tunnel protection IPsec profile profile-name [shared] exit crypto isakamp profile profile-name

10. virtual-template template-number

DETAILED STEPS
Command or Action
Step 1
enable

Purpose Enables privileged EXEC mode.

Enter your password if prompted.

Example:
Router> enable

Step 2

configure terminal

Enters global configuration mode.

Example:
Router# configure terminal

Cisco IOS Release: Multiple releases (see the Feature Information table)

10

IPsec Virtual Tunnel Interface How to Configure IPsec Virtual Tunnel Interfaces

Command or Action
Step 3
crypto IPsec profile profile-name

Purpose Defines the IPsec parameters that are to be used for IPsec encryption between two IPsec routers.

Example:
Router(config)# crypto IPsec profile PROF

Step 4

set transform-set transform-set-name [transform-set-name2...transform-set-name6]

Specifies which transform sets can be used with the crypto map entry.

Example:
Router(config)# set transform-set tset

Step 5

interface virtual-template number

Defines a virtual-template tunnel interface and enters interface configuration mode.

Example:
Router(config)# interface virtual-template 2

Step 6

tunnel mode ipsec ipv4

Defines the mode for the tunnel.

Example:
Router(config-if)# tunnel mode ipsec ipv4

Step 7

tunnel protection IPsec profile profile-name [shared]

Associates a tunnel interface with an IPsec profile.

Example:
Router(config-if)# tunnel protection IPsec profile PROF

Step 8

exit

Exits interface configuration mode.

Example:
Router(config-if)# exit

Step 9

crypto isakamp profile profile-name

Defines the ISAKAMP profile to be used for the virtual template.

Example:
Router(config)# crypto isakamp profile red

Step 10

virtual-template template-number

Specifies the virtual template attached to the ISAKAMP profile.

Example:
Router(config)# virtual-template 1

Cisco IOS Release: Multiple releases (see the Feature Information table)

11

IPsec Virtual Tunnel Interface How to Configure IPsec Virtual Tunnel Interfaces

Configuring Per-User Attributes on a Local Easy VPN AAA Server


To configure per-user attributes on a local Easy VPN AAA server, perform the following steps.

SUMMARY STEPS
1. 2. 3. 4. 5. 6. 7.

enable configure terminal aaa attribute list list-name attribute type name value [service service] [protocol protocol] exit crypto isakmp client configuration group group-name crypto aaa attribute list list-name

DETAILED STEPS
Command or Action
Step 1
enable

Purpose Enables privileged EXEC mode.

Enter your password if prompted.

Example:
Router> enable

Step 2

configure terminal

Enters global configuration mode.

Example:
Router# configure terminal

Step 3

aaa attribute list list-name

Defines a AAA attribute list locally on a router and enters attribute list configuration mode.

Example:
Router(config)# aaa attribute list list1

Step 4

attribute type name value [service service] [protocol protocol]

Defines an attribute type that is to be added to an attribute list locally on a router.

Example:
Router(config-attr-list)# attribute type attribute xxxx service ike protocol ip

Step 5

exit

Exits attribute list configuration mode.

Example:
Router(config-attr-list)# exit

Cisco IOS Release: Multiple releases (see the Feature Information table)

12

IPsec Virtual Tunnel Interface Configuration Examples for IPsec Virtual Tunnel Interfaces

Command or Action
Step 6
crypto isakmp client configuration group group-name

Purpose Specifies to which group a policy profile will be defined and enters ISAKMP group configuration mode.

Example:
Router (config)# crypto isakmp client configuration group group1

Step 7

crypto aaa attribute list list-name

Defines a AAA attribute list locally on a router.

Example:
Router (config-isakmp-group)# crypto aaa attribute list listname1

Configuration Examples for IPsec Virtual Tunnel Interfaces


The following examples are provided to illustrate configuration scenarios for IPsec VTIs:

Static Virtual Tunnel Interface with IPsec: Example, page 13 VRF-Aware Static Virtual Tunnel Interface: Example, page 16 Static Virtual Tunnel Interface with QoS: Example, page 17 Static Virtual Tunnel Interface with Virtual Firewall: Example, page 17 Dynamic Virtual Tunnel Interface Easy VPN Server: Example, page 19 Dynamic Virtual Tunnel Interface Easy VPN Client: Example, page 20 VRF-Aware IPsec with Dynamic VTI: Example, page 22 Dynamic Virtual Tunnel Interface with Virtual Firewall: Example, page 23 Dynamic Virtual Tunnel Interface with QoS: Example, page 24 Per-User Attributes on an Easy VPN Server: Example, page 24

Static Virtual Tunnel Interface with IPsec: Example


The following example configuration uses a preshared key for authentication between peers. VPN traffic is forwarded to the IPsec VTI for encryption and then sent out the physical interface. The tunnel on subnet 10 checks packets for IPsec policy and passes them to the Crypto Engine (CE) for IPsec encapsulation. Figure 5 illustrates the IPsec VTI configuration.
Figure 5 VTI with IPsec

10.0.35.21

10.0.149.203 Internet VPN tunnel

10.0.149.217

10.0.36.21

Server 1

C7206-3 Tunnel 0 Tunnel subnet Tunnel 0 10.0.51.0

C1750-17

Server 2
127943

Cisco IOS Release: Multiple releases (see the Feature Information table)

13

IPsec Virtual Tunnel Interface Configuration Examples for IPsec Virtual Tunnel Interfaces

C7206 Router Configuration


version 12.3 service timestamps debug datetime service timestamps log datetime hostname 7200-3 no aaa new-model ip subnet-zero ip cef controller ISA 6/1 ! crypto isakmp policy 1 encr 3des authentication pre-share group 2 crypto isakmp key Cisco12345 address 0.0.0.0 0.0.0.0 crypto IPsec transform-set T1 esp-3des esp-sha-hmac crypto IPsec profile P1 set transform-set T1 !

interface Tunnel0 ip address 10.0.51.203 255.255.255.0 ip ospf mtu-ignore load-interval 30 tunnel source 10.0.149.203 tunnel destination 10.0.149.217 tunnel mode IPsec ipv4 tunnel protection IPsec profile P1 ! interface Ethernet3/0 ip address 10.0.149.203 255.255.255.0 duplex full ! interface Ethernet3/3 ip address 10.0.35.203 255.255.255.0 duplex full ! ip classless ip route 10.0.36.0 255.255.255.0 Tunnel0 line con 0 line aux 0 line vty 0 4 end

C1750 Router Configuration


version 12.3 hostname c1750-17 no aaa new-model ip subnet-zero ip cef crypto isakmp policy 1 encr 3des authentication pre-share group 2 crypto isakmp key Cisco12345 address 0.0.0.0 0.0.0.0 crypto IPsec transform-set T1 esp-3des esp-sha-hmac crypto IPsec profile P1 set transform-set T1

Cisco IOS Release: Multiple releases (see the Feature Information table)

14

IPsec Virtual Tunnel Interface Configuration Examples for IPsec Virtual Tunnel Interfaces

! interface Tunnel0 ip address 10.0.51.217 255.255.255.0 ip ospf mtu-ignore tunnel source 10.0.149.217 tunnel destination 10.0.149.203 tunnel mode ipsec ipv4 tunnel protection ipsec profile P1 ! interface FastEthernet0/0 ip address 10.0.149.217 255.255.255.0 speed 100 full-duplex ! interface Ethernet1/0 ip address 10.0.36.217 255.255.255.0 load-interval 30 full-duplex !

ip classless ip route 10.0.35.0 255.255.255.0 Tunnel0 line con 0 line aux 0 line vty 0 4 end

Verifying the Results for the IPsec Static Virtual Tunnel Interface: Example
This section provides information that you can use to confirm that your configuration is working properly. In this display, Tunnel 0 is up, and the line protocol is up. If the line protocol is down, the session is not active.
Verifying the C7206 Status
Router# show interface tunnel 0 Tunnel0 is up, line protocol is up Hardware is Tunnel Internet address is 10.0.51.203/24 MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec, reliability 255/255, txload 103/255, rxload 110/255 Encapsulation TUNNEL, loopback not set Keepalive not set Tunnel source 10.0.149.203, destination 10.0.149.217 Tunnel protocol/transport IPsec/IP, key disabled, sequencing disabled Tunnel TTL 255 Checksumming of packets disabled, fast tunneling enabled Tunnel transmit bandwidth 8000 (kbps) Tunnel receive bandwidth 8000 (kbps) Tunnel protection via IPsec (profile "P1") Last input never, output never, output hang never Last clearing of "show interface" counters never Input queue: 1/75/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue: 0/0 (size/max) 30 second input rate 13000 bits/sec, 34 packets/sec 30 second output rate 36000 bits/sec, 34 packets/sec 191320 packets input, 30129126 bytes, 0 no buffer Received 0 broadcasts, 0 runts, 0 giants, 0 throttles

Cisco IOS Release: Multiple releases (see the Feature Information table)

15

IPsec Virtual Tunnel Interface Configuration Examples for IPsec Virtual Tunnel Interfaces

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 59968 packets output, 15369696 bytes, 0 underruns 0 output errors, 0 collisions, 0 interface resets 0 output buffer failures, 0 output buffers swapped out Router# show crypto session Crypto session current status Interface: Tunnel0 Session status: UP-ACTIVE Peer: 10.0.149.217 port 500 IKE SA: local 10.0.149.203/500 remote 10.0.149.217/500 Active IPsec FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0 Active SAs: 4, origin: crypto map Router# show ip route Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route Gateway of last resort is not set 10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks C 10.0.35.0/24 is directly connected, Ethernet3/3 S 10.0.36.0/24 is directly connected, Tunnel0 C 10.0.51.0/24 is directly connected, Tunnel0 C 10.0.149.0/24 is directly connected, Ethernet3/0

VRF-Aware Static Virtual Tunnel Interface: Example


To add VRF to the static VTI example, include the ipvrf and ip vrf forwarding commands to the configuration as shown in the following example.
C7206 Router Configuration
hostname c7206 . . ip vrf sample-vti1 rd 1:1 route-target export 1:1 route-target import 1:1 ! . . interface Tunnel0 ip vrf forwarding sample-vti1 ip address 10.0.51.217 255.255.255.0 tunnel source 10.0.149.217 tunnel destination 10.0.149.203 tunnel mode ipsec ipv4 tunnel protection ipsec profile P1 . . ! end

Cisco IOS Release: Multiple releases (see the Feature Information table)

16

IPsec Virtual Tunnel Interface Configuration Examples for IPsec Virtual Tunnel Interfaces

Static Virtual Tunnel Interface with QoS: Example


You can apply any QoS policy to the tunnel endpoint by including the service-policy statement under the tunnel interface. The following example is policing traffic out the tunnel interface.
C7206 Router Configuration
hostname c7206 . . class-map match-all VTI match any ! policy-map VTI class VTI police cir 2000000 conform-action transmit exceed-action drop ! . . interface Tunnel0 ip address 10.0.51.217 255.255.255.0 tunnel source 10.0.149.217 tunnel destination 10.0.149.203 tunnel mode ipsec ipv4 tunnel protection ipsec profile P1 service-policy output VTI ! . . ! end

Static Virtual Tunnel Interface with Virtual Firewall: Example


Applying the virtual firewall to the static VTI tunnel allows traffic from the spoke to pass through the hub to reach the internet. Figure 6 illustrates a static VTI with the spoke protected inherently by the corporate firewall.

Cisco IOS Release: Multiple releases (see the Feature Information table)

17

IPsec Virtual Tunnel Interface Configuration Examples for IPsec Virtual Tunnel Interfaces

Figure 6

Static VTI with Virtual Firewall


Virtual Firewall

Web Server Internet

C7206 Private Network 10.0.149.203 10.0.149.217

10.0.51.217

The basic static VTI configuration has been modified to include the virtual firewall definition.
C7206 Router Configuration
hostname c7206 . . ip inspect max-incomplete high 1000000 ip inspect max-incomplete low 800000 ip inspect one-minute high 1000000 ip inspect one-minute low 800000 ip inspect tcp synwait-time 60 ip inspect tcp max-incomplete host 100000 block-time 2 ip inspect name IOSFW1 tcp timeout 300 ip inspect name IOSFW1 udp ! . . interface GigabitEthernet0/1 description Internet Connection ip address 172.18.143.246 255.255.255.0 ip access-group 100 in ip nat outside ! interface Tunnel0 ip address 10.0.51.217 255.255.255.0 ip nat inside ip inspect IOSFW1 in tunnel source 10.0.149.217 tunnel destination 10.0.149.203 tunnel mode ipsec ipv4 tunnel protection ipsec profile P1 ! ip classless ip route 0.0.0.0 0.0.0.0 172.18.143.1 ! ip nat translation timeout 120 ip nat translation finrst-timeout 2 ip nat translation max-entries 300000 ip nat pool test1 10.2.100.1 10.2.100.50 netmask 255.255.255.0 ip nat inside source list 110 pool test1 vrf test-vti1 overload ! access-list 100 permit esp any any access-list 100 permit udp any eq isakmp any

Cisco IOS Release: Multiple releases (see the Feature Information table)

18

170138

10.0.51.203

c1750

IPsec Virtual Tunnel Interface Configuration Examples for IPsec Virtual Tunnel Interfaces

access-list access-list access-list access-list access-list access-list ! end

100 100 110 110 110 110

permit permit deny deny permit deny

udp any eq non500-isakmp any icmp any any esp any any udp any eq isakmp any ip any any udp any eq non500-isakmp any

Dynamic Virtual Tunnel Interface Easy VPN Server: Example


The following example illustrates the use of the DVTI Easy VPN server, which serves as an IPsec remote access aggregator. The client can be a home user running a Cisco VPN client or it can be a Cisco IOS router configured as an Easy VPN client.
C7206 Router Configuration
hostname c7206 ! aaa new-model aaa authentication login local_list local aaa authorization network local_list local aaa session-id common ! ip subnet-zero ip cef ! username cisco password 0 cisco123 ! controller ISA 1/1 ! crypto isakmp policy 1 encr 3des authentication pre-share group 2 ! crypto isakmp client configuration group group1 key cisco123 pool group1pool save-password ! crypto isakmp profile vpn1-ra match identity group group1 client authentication list local_list isakmp authorization list local_list client configuration address respond virtual-template 1 ! crypto ipsec transform-set VTI-TS esp-3des esp-sha-hmac ! crypto ipsec profile test-vti1 set transform-set VTI-TS ! interface GigabitEthernet0/1 description Internet Connection ip address 172.18.143.246 255.255.255.0 ! interface GigabitEthernet0/2 description Internal Network ip address 10.2.1.1 255.255.255.0 !

Cisco IOS Release: Multiple releases (see the Feature Information table)

19

IPsec Virtual Tunnel Interface Configuration Examples for IPsec Virtual Tunnel Interfaces

interface Virtual-Template1 type tunnel ip unnumbered Loopback0 ip virtual-reassembly tunnel mode ipsec ipv4 tunnel protection ipsec profile test-vti1 ! ip local pool group1pool 192.168.1.1 192.168.1.4 ip classless ip route 0.0.0.0 0.0.0.0 172.18.143.1 ! end

Verifying the Results for the Dynamic Virtual Tunnel Interface Easy VPN Server: Example
The following examples show that a dynamic VTI has been configured for an Easy VPN server.
Router# show running-config interface Virtual-Access2 Building configuration... Current configuration : 250 bytes ! interface Virtual-Access2 ip unnumbered Loopback0 ip virtual-reassembly tunnel source 172.18.143.246 tunnel destination 172.18.143.208 tunnel mode ipsec ipv4 tunnel protection ipsec profile test-vti1 no tunnel protection ipsec initiate end Router# show ip route Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route Gateway of last resort is 10.2.1.10 to network 0.0.0.0 172.18.0.0/24 is subnetted, 1 subnets 172.18.143.0 is directly connected, GigabitEthernet0/1 192.168.1.0/32 is subnetted, 1 subnets 192.168.1.1 [1/0] via 0.0.0.0, Virtual-Access2 10.0.0.0/24 is subnetted, 1 subnets 10.2.1.0 is directly connected, GigabitEthernet0/2 0.0.0.0/0 [1/0] via 172.18.143.1

C S C S*

Dynamic Virtual Tunnel Interface Easy VPN Client: Example


The following example shows how you can set up a router as the Easy VPN client. This example uses basically the same idea as the Easy VPN client that you can run from a PC to connect. In fact, the configuration of the Easy VPN server will work for the software client or the Cisco IOS client.
hostname c1841 !

Cisco IOS Release: Multiple releases (see the Feature Information table)

20

IPsec Virtual Tunnel Interface Configuration Examples for IPsec Virtual Tunnel Interfaces

no aaa new-model ! ip cef ! username cisco password 0 cisco123 ! crypto ipsec client ezvpn CLIENT connect manual group group1 key cisco123 mode client peer 172.18.143.246 virtual-interface 1 username cisco password cisco123 xauth userid mode local ! interface Loopback0 ip address 10.1.1.1 255.255.255.255 ! interface FastEthernet0/0 description Internet Connection ip address 172.18.143.208 255.255.255.0 crypto ipsec client ezvpn CLIENT ! interface FastEthernet0/1 ip address 10.1.1.252 255.255.255.0 crypto ipsec client ezvpn CLIENT inside ! interface Virtual-Template1 type tunnel ip unnumbered Loopback0 ! ip route 0.0.0.0 0.0.0.0 172.18.143.1 ! end

The client definition can be set up in many different ways. The mode specified with the connect command can be automatic or manual. If the connect mode is set to manual, the IPsec tunnel has to be initiated manually by a user. Also note use of the mode command. The mode can be client, network-extension, or network-extension-plus. This example indicates client mode, which means that the client is given a private address from the server. Network-extension mode is different from client mode in that the client specifies for the server its attached private subnet. Depending on the mode, the routing table on either end will be slightly different. The basic operation of the IPSec tunnel remains the same, regardless of the specified mode.

Verifying the Results for the Dynamic Virtual Tunnel Interface Easy VPN Client: Example
The following examples illustrate different ways to display the status of the DVTI.
Router# show running-config interface Virtual-Access2 Building configuration... Current configuration : 148 bytes ! interface Virtual-Access2 ip unnumbered Loopback1 tunnel source FastEthernet0/0 tunnel destination 172.18.143.246 tunnel mode ipsec ipv4 end

Cisco IOS Release: Multiple releases (see the Feature Information table)

21

IPsec Virtual Tunnel Interface Configuration Examples for IPsec Virtual Tunnel Interfaces

Router# show running-config interface Loopback1 Building configuration... Current configuration : 65 bytes ! interface Loopback1 ip address 192.168.1.1 255.255.255.255 end Router# show ip route Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route Gateway of last resort is 172.18.143.1 to network 0.0.0.0 10.0.0.0/32 is subnetted, 1 subnets 10.1.1.1 is directly connected, Loopback0 172.18.0.0/24 is subnetted, 1 subnets 172.18.143.0 is directly connected, FastEthernet0/0 192.168.1.0/32 is subnetted, 1 subnets 192.168.1.1 is directly connected, Loopback1 0.0.0.0/0 [1/0] via 172.18.143.1 [1/0] via 0.0.0.0, Virtual-Access2

C C C S*

Router# show crypto ipsec client ezvpn Easy VPN Remote Phase: 6 Tunnel name : CLIENT Inside interface list: FastEthernet0/1 Outside interface: Virtual-Access2 (bound to FastEthernet0/0) Current State: IPSEC_ACTIVE Last Event: SOCKET_UP Address: 192.168.1.1 Mask: 255.255.255.255 Save Password: Allowed Current EzVPN Peer: 172.18.143.246

VRF-Aware IPsec with Dynamic VTI: Example


This example shows how to configure VRF-Aware IPsec to take advantage of the dynamic VTI:
hostname c7206 . . ip vrf test-vti1 rd 1:1 route-target export 1:1 route-target import 1:1 ! . . interface Virtual-Template1 type tunnel ip vrf forwarding test-vti1

Cisco IOS Release: Multiple releases (see the Feature Information table)

22

IPsec Virtual Tunnel Interface Configuration Examples for IPsec Virtual Tunnel Interfaces

ip unnumbered Loopback0 ip virtual-reassembly tunnel mode ipsec ipv4 tunnel protection ipsec profile test-vti1 ! . . end

Dynamic Virtual Tunnel Interface with Virtual Firewall: Example


The DVTI Easy VPN server can be configured behind a virtual firewall. Behind-the-firewall configuration allows users to enter the network, while the network firewall is protected from unauthorized access. The virtual firewall uses Context-Based Access Control (CBAC) and NAT applied to the Internet interface as well as to the virtual template.
hostname c7206 . . ip inspect max-incomplete high 1000000 ip inspect max-incomplete low 800000 ip inspect one-minute high 1000000 ip inspect one-minute low 800000 ip inspect tcp synwait-time 60 ip inspect tcp max-incomplete host 100000 block-time 2 ip inspect name IOSFW1 tcp timeout 300 ip inspect name IOSFW1 udp ! . . interface GigabitEthernet0/1 description Internet Connection ip address 172.18.143.246 255.255.255.0 ip access-group 100 in ip nat outside ! interface GigabitEthernet0/2 description Internal Network ip address 10.2.1.1 255.255.255.0 ! interface Virtual-Template1 type tunnel ip unnumbered Loopback0 ip nat inside ip inspect IOSFW1 in tunnel mode ipsec ipv4 tunnel protection ipsec profile test-vti1 ! ip classless ip route 0.0.0.0 0.0.0.0 172.18.143.1 ! ip nat translation timeout 120 ip nat translation finrst-timeout 2 ip nat translation max-entries 300000 ip nat pool test1 10.2.100.1 10.2.100.50 netmask 255.255.255.0 ip nat inside source list 110 pool test1 vrf test-vti1 overload ! access-list 100 permit esp any any access-list 100 permit udp any eq isakmp any access-list 100 permit udp any eq non500-isakmp any access-list 100 permit icmp any any

Cisco IOS Release: Multiple releases (see the Feature Information table)

23

IPsec Virtual Tunnel Interface Configuration Examples for IPsec Virtual Tunnel Interfaces

access-list access-list access-list access-list ! end

110 110 110 110

deny deny permit deny

esp any any udp any eq isakmp any ip any any udp any eq non500-isakmp any

Dynamic Virtual Tunnel Interface with QoS: Example


You can add QoS to the DVTI tunnel by applying the service policy to the virtual template. When the template is cloned to make the virtual-access interface, the service policy will be applied there. The following example shows the basic DVTI configuration with QoS added.
hostname c7206 . . class-map match-all VTI match any ! policy-map VTI class VTI police cir 2000000 conform-action transmit exceed-action drop ! . . interface Virtual-Template1 type tunnel ip vrf forwarding test-vti1 ip unnumbered Loopback0 ip virtual-reassembly tunnel mode ipsec ipv4 tunnel protection ipsec profile test-vti1 service-policy output VTI ! . . ! end

Per-User Attributes on an Easy VPN Server: Example


The following example shows that per-user attributes have been configured on an Easy VPN server.
! aaa new-model ! ! aaa authentication login default local aaa authentication login noAAA none aaa authorization network default local ! aaa attribute list per-group attribute type inacl "per-group-acl" service ike protocol ip mandatory ! aaa session-id common ! resource policy

Cisco IOS Release: Multiple releases (see the Feature Information table)

24

IPsec Virtual Tunnel Interface Configuration Examples for IPsec Virtual Tunnel Interfaces

! ip subnet-zero ! ! ip cef ! ! username example password 0 example ! ! crypto isakmp policy 3 authentication pre-share group 2 crypto isakmp xauth timeout 90 ! crypto isakmp client configuration group PerUserAAA key cisco pool dpool crypto aaa attribute list per-group ! crypto isakmp profile vi match identity group PerUserAAA isakmp authorization list default client configuration address respond client configuration group PerUserAAA virtual-template 1 ! ! crypto ipsec transform-set set esp-3des esp-sha-hmac ! crypto ipsec profile vi set transform-set set set isakmp-profile vi ! ! interface GigabitEthernet0/0 description 'EzVPN Peer' ip address 192.168.1.1 255.255.255.128 duplex full speed 100 media-type rj45 no negotiation auto ! interface GigabitEthernet0/1 no ip address shutdown duplex auto speed auto media-type rj45 no negotiation auto interface Virtual-Template1 type tunnel ip unnumbered GigabitEthernet0/0 tunnel mode ipsec ipv4 tunnel protection ipsec profile vi ! ip local pool dpool 10.5.0.1 10.5.0.10 ip classless ! no ip http server no ip http secure-server ! ! ip access-list extended per-group-acl

Cisco IOS Release: Multiple releases (see the Feature Information table)

25

IPsec Virtual Tunnel Interface Additional References

permit tcp any any deny icmp any any logging alarm informational logging trap debugging ! control-plane ! gatekeeper shutdown ! line con 0 line aux 0 stopbits 1 line vty 0 4 ! ! end

Additional References
The following sections provide references related to IPsec virtual tunnel interface.

Related Documents
Related Topic IPsec, security issues Security commands VPN configuration Document Title Cisco IOS Security Configuration Guide Cisco IOS Security Command Reference Cisco IOS Easy VPN Server Cisco IOS Easy VPN Remote

Standards
Standard No new or modied standards are supported by this feature, and support for existing standards has not been modied by this feature. Title

MIBs
MIB No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature. MIBs Link To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs

Cisco IOS Release: Multiple releases (see the Feature Information table)

26

IPsec Virtual Tunnel Interface Command Reference

RFCs
RFC RFC 2401 RFC 2408 RFC 2409 Title Security Architecture for the Internet Protocol Internet Security Association and Key Management Protocol The Internet Key Exchange (IKE)

Technical Assistance
Description Link The Cisco Technical Support & Documentation http://www.cisco.com/techsupport website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, tools, and technical documentation. Registered Cisco.com users can log in from this page to access even more content.

Command Reference
This section documents the following new and modified commands only.

crypto aaa attribute list crypto isakmp client configuration group show vtemplate interface virtual-template tunnel mode tunnel mode virtual-template

Cisco IOS Release: Multiple releases (see the Feature Information table)

27

IPsec Virtual Tunnel Interface crypto aaa attribute list

crypto aaa attribute list


To define an authentication, authorization, and accounting (AAA) attribute list of per-user attributes on a local Easy VPN server, use the crypto aaa attribute list command in crypto isakmp group configuration mode. To remove the AAA attribute list, use the no form of this command. crypto aaa attribute list list-name no crypto aaa attribute list list-name

Syntax Description

list-name

Name of the local attribute list.

Command Default

A local attribute list is not defined.

Command Modes

Crypto isakmp group configuration

Command History

Release 12.4(9)T

Modification This command was introduced.

Usage Guidelines

There is no limit to the number of lists that can be defined (except for NVRAM storage limits).

Examples

The following example shows that per-user attributes have been defined on a local Easy VPN AAA server:
! aaa new-model ! ! aaa authentication login default local aaa authentication login noAAA none aaa authorization network default local ! aaa attribute list per-group attribute type inacl "per-group-acl" service ike protocol ip mandatory ! aaa session-id common ! resource policy ! ip subnet-zero ! ! ip cef ! ! username example password 0 example !

Cisco IOS Release: Multiple releases (see the Feature Information table)

28

IPsec Virtual Tunnel Interface crypto aaa attribute list

! crypto isakmp policy 3 authentication pre-share group 2 crypto isakmp xauth timeout 90 ! crypto isakmp client configuration group PerUserAAA key cisco pool dpool crypto aaa attribute list per-group ! crypto isakmp profile vi match identity group PerUserAAA isakmp authorization list default client configuration address respond client configuration group PerUserAAA virtual-template 1 ! ! crypto ipsec transform-set set esp-3des esp-sha-hmac ! crypto ipsec profile vi set transform-set set set isakmp-profile vi ! ! interface GigabitEthernet0/0 description 'EzVPN Peer' ip address 192.168.1.1 255.255.255.128 duplex full speed 100 media-type rj45 no negotiation auto ! interface GigabitEthernet0/1 no ip address shutdown duplex auto speed auto media-type rj45 no negotiation auto interface Virtual-Template1 type tunnel ip unnumbered GigabitEthernet0/0 tunnel mode ipsec ipv4 tunnel protection ipsec profile vi ! ip local pool dpool 10.5.0.1 10.5.0.10 ip classless ! no ip http server no ip http secure-server ! ! ip access-list extended per-group-acl permit tcp any any deny icmp any any logging alarm informational logging trap debugging ! control-plane ! gatekeeper shutdown

Cisco IOS Release: Multiple releases (see the Feature Information table)

29

IPsec Virtual Tunnel Interface crypto aaa attribute list

! line con 0 line aux 0 stopbits 1 line vty 0 4 ! ! end

Related Commands

Command crypto isakmp client configuration group

Description Specifies to which group a policy profile will be defined.

Cisco IOS Release: Multiple releases (see the Feature Information table)

30

IPsec Virtual Tunnel Interface crypto isakmp client configuration group

crypto isakmp client configuration group


To specify to which group a policy profile will be defined and to enter crypto ISAKMP group configuration mode, use the crypto isakmp client configuration group command in global configuration mode. To remove this command and all associated subcommands from your configuration, use the no form of this command. crypto isakmp client configuration group {group-name | default} no crypto isakmp client configuration group

Syntax Description

group-name default

Group definition that identifies which policy is enforced for users. Policy that is enforced for all users who do not offer a group name that matches a group-name argument. The default keyword can only be configured locally.

Command Defaults

No default behavior or values

Command Modes

Global configuration

Command History

Release 12.2(8)T 12.3(2)T

Modification This command was introduced. The access-restrict, firewall are-u-there, group-lock, include-local-lan, and save-password commands were added. These commands are added during Mode Configuration. In addition, this command was modified so that output for this command will show that the preshared key is either encrypted or unencrypted. The backup-gateway, max-logins, max-users, and pfs commands were added. This command was integrated into Cisco IOS Release 12.2(18)SXD. The browser-proxy command was added. The firewall policy command was added. This command was integrated into Cisco IOS Release 12.2(33)SRA. The crypto aaa attribute list, dhcp-server and dhcp-timeout commands were added.

12.3(4)T 12.2(18)SXD 12.4(2)T 12.4(6)T 12.2(33)SRA 12.4(9)T

Usage Guidelines

Use the crypto isakmp client configuration group command to specify group policy information that needs to be defined or changed. You may wish to change the group policy on your router if you decide to connect to the client using a group ID that does not match the group-name argument.

Cisco IOS Release: Multiple releases (see the Feature Information table)

31

IPsec Virtual Tunnel Interface crypto isakmp client configuration group

After enabling this command, which puts you in Internet Security Association Key Management Protocol (ISAKMP) group configuration mode, you can specify characteristics for the group policy using the following commands:

access-restrictTies a particular Virtual Private Network (VPN) group to a specific interface for access to the Cisco IOS gateway and the services it protects. aclConfigures split tunneling. auto-update-clientConfigures auto upgrade. backup-gatewayConfigures a server to push down a list of backup gateways to the client. These gateways are tried in order in the case of a failure of the previous gateway. The gateways may be specified using IP addresses or host names. bannerSpecifies a mode configuration banner. browser-proxyApplies a browser-proxy map to a group. configuration urlSpecifies on a server the URL an Easy VPN remote device must use to get a configuration in a Mode Configuration Exchange. configuration versionSpecifies on a server the version a Cisco Easy VPN remote device must use to get a particular configuration in a Mode Configuration Exchange. crypto aaa attribute listDefines a AAA attribute list of per-user attributes on a local Easy VPN server. dhcp serverConfigures multiple DHCP server entries. dhcp timeoutControls the wait time before the next DHCP server on the list is tried. dnsSpecifies the primary and secondary Domain Name Service (DNS) servers for the group. domainSpecifies group domain membership. firewall are-u-thereAdds the Firewall-Are-U-There attribute to the server group if your PC is running the Black Ice or Zone Alarm personal firewalls. firewall policySpecifies the CPP firewall policy push name for the crypto ISAKMP client configuration group on a local AAA server. group-lockUse if preshared key authentication is used with Internet Key Exchange (IKE). Allows you to enter your extended authentication (Xauth) username. The group delimiter is compared against the group identifier sent during IKE aggressive mode. include-local-lanConfigures the Include-Local-LAN attribute to allow a nonsplit-tunneling connection to access the local subnetwork at the same time as the client. keySpecifies the IKE preshared key when defining group policy information for Mode Configuration push. max-loginsLimits the number of simultaneous logins for users in a specific user group. max-usersLimits the number of connections to a specific server group. netmaskSubnet mask to be used by the client for local connectivity. pfsConfigures a server to notify the client of the central-site policy regarding whether PFS is required for any IPsec SA. Because the client device does not have a user interface option to enable or disable PFS negotiation, the server will notify the client device of the central site policy via this parameter. The Diffie-Hellman (D-H) group that is proposed for PFS will be the same that was negotiated in Phase 1 of the IKE negotiation. poolRefers to the IP local pool address used to allocate internal IP addresses to clients. save-passwordSaves your Xauth password locally on your PC.

Cisco IOS Release: Multiple releases (see the Feature Information table)

32

IPsec Virtual Tunnel Interface crypto isakmp client configuration group

split-dnsSpecifies a list of domain names that must be tunneled or resolved to the private network. winsSpecifies the primary and secondary Windows Internet Naming Service (WINS) servers for the group.

Output for the crypto isakmp client configuration group command (using the key subcommand) will show that the preshared key is either encrypted or unencrypted. An output example for an unencrypted preshared key would be as follows:
crypto isakmp client configuration group key test

An output example for a type 6 encrypted preshared key would be as follows:


crypto isakmp client configuration group key 6 JK_JHZPeJV_XFZTKCQFYAAB

Session Monitoring and Limiting for Easy VPN Clients

It is possible to mimic the functionality provided by some RADIUS servers for limiting the number of connections to a specific server group and also for limiting the number of simultaneous logins for users in that group. To limit the number of connections to a specific server group, use the max-users subcommand. To limit the number of simultaneous logins for users in the server group, use the max-logins subcommand. The following example shows the RADIUS attribute-value (AV) pairs for the maximum users and maximum logins parameters:
ipsec:max-users=1000 ipsec:max-logins=1

The max-users and max-logins commands can be enabled together or individually to control the usage of resources by any groups or individuals. If you use a RADIUS server, such as a CiscoSecure access control server (ACS), it is recommended that you enable this session control on the RADIUS server if the functionality is provided. In this way, usage can be controlled across a number of servers by one central repository. When enabling this feature on the router itself, only connections to groups on that specific device are monitored, and load-sharing scenarios are not accurately accounted for.

Examples

The following example shows how to define group policy information for Mode Configuration push. In this example, the first group name is cisco and the second group name is default. Thus, the default policy will be enforced for all users who do not offer a group name that matches cisco.
crypto isakmp client configuration group cisco key cisco dns 10.2.2.2 10.2.2.3 wins 10.6.6.6 domain cisco.com pool fred acl 199 ! crypto isakmp client configuration group default key cisco dns 10.2.2.2 10.3.2.3 pool fred acl 199

Related Commands

Cisco IOS Release: Multiple releases (see the Feature Information table)

33

IPsec Virtual Tunnel Interface crypto isakmp client configuration group

Command access-restrict acl backup-gateway browser-proxy crypto isakmp keepalive dns firewall are-u-there firewall policy group-lock include-local-lan key (isakmp-group) max-logins max-users pool (isakmp-group) save-password set aggressive-mode client-endpoint

Description Ties a particular VPN group to a specific interface for access to the Cisco IOS gateway and the services it protects. Configures split tunneling. Configures a server to push down a list of backup gateways to the client. Applies browser-proxy parameter settings to a group. Adds the Firewall-Are-U-There attribute to the server group if your PC is running the Black Ice or Zone Alarm personal firewalls. Specifies the primary and secondary DNS servers. Adds the Firewall-Are-U-There attribute to the server group if your PC is running the Black Ice or Zone Alarm personal firewalls. Specifies the CPP firewall policy push name for the crypto ISAKMP client configuration group on a local AAA server. Allows you to enter your Xauth username, including the group name, when preshared key authentication is used with IKE. Configures the Include-Local-LAN attribute to allow a nonsplit-tunneling connection to access the local subnetwork at the same time as the client. Specifies the IKE preshared key for Group-Policy attribute definition. Limits the number of simultaneous logins for users in a specific server group. Limits the number of connections to a specific server group. Defines a local pool address. Saves your Xauth password locally on your PC. Specifies the Tunnel-Client-Endpoint attribute within an ISAKMP peer configuration.

domain (isakmp-group) Specifies the DNS domain to which a group belongs.

Cisco IOS Release: Multiple releases (see the Feature Information table)

34

IPsec Virtual Tunnel Interface crypto isakmp profile

crypto isakmp profile


To define an Internet Security Association and Key Management Protocol (ISAKMP) profile and to audit IP security (IPsec) user sessions, use the crypto isakmp profile command in global configuration mode. To delete a crypto ISAKMP profile, use the no form of this command. crypto isakmp profile profile-name [accounting aaa-list] no crypto isakmp profile profile-name [accounting aaa-list]

Syntax Description

profile-name accounting aaa-list

Name of the user profile. To associate a user profile with the RADIUS server, the user profile name must be identified. (Optional) Name of a client accounting list.

Command Defaults

No profile exists if the command is not used.

Command Modes

Global configuration

Command History

Release 12.2(15)T 12.2(18)SXD 12.4(2)T 12.4(4)T 12.2(33)SRA

Modification This command was introduced. This command was integrated into Cisco IOS Release 12.2(18)SXD. Support for dynamic virtual tunnel interfaces was added. Support for IPv6 was added. This command was integrated into Cisco IOS Release 12.2(33)SRA.

Usage Guidelines

Defining an ISAKMP Profile

An ISAKMP profile can be viewed as a repository of Phase 1 and Phase 1.5 commands for a set of peers. The Phase 1 configuration includes commands to configure such things as keepalive, identity matching, and the authorization list. The Phase 1.5 configuration includes commands to configure such things as extended authentication (Xauth) and mode configuration. The peers are mapped to an ISAKMP profile when their identities are matched (as given in the identification [ID] payload of the Internet Key Exchange [IKE]) against the identities defined in the ISAKMP profile. To uniquely map to an ISAKMP profile, no two ISAKMP profiles should match the same identity. If the peer identity is matched in two ISAKMP profiles, the configuration is invalid. Also, there must be at least one match identity command defined in the ISAKMP profile for it to be complete. After enabling this command and entering ISAKMP profile configuration mode, you can configure the following commands:

accountingEnables authentication, authorization, and accounting (AAA) accounting. ca trust-pointSpecifies certificate authorities. clientSpecifies client configuration settings.

Cisco IOS Release: Multiple releases (see the Feature Information table)

35

IPsec Virtual Tunnel Interface crypto isakmp profile

defaultLists subcommands for the crypto isakmp profile command. descriptionSpecifies a description of this profile. initiate modeInitiates a mode. isakmp authorizationISAKMP authorization parameters. keepaliveSets a keepalive interval. keyringSpecifies a keyring. local-addressSpecifies the interface to use as the local address of this ISAKMP profile. matchMatches the values of the peer. qos-groupApplies a quality of service (QoS) policy class map for this profile. self-identitySpecifies the identity. virtual-templateSpecifies the virtual template for the dynamic interface. vrfSpecifies the Virtual Private Network routing and forwarding (VRF) instance to which the profile is related.

Auditing IPSec User Sessions

Use this command to audit multiple user sessions that are terminating on the IPSec gateway.

Note

The crypto isakmp profile command and the crypto map (global IPSec) command are mutually exclusive. If a profile is present (the crypto isakmp profile command has been used), with no accounting configured but with the global command present (the crypto isakmp profile command without the accounting keyword), accounting will occur using the attributes in the global command.
Dynamic Virtual Tunnel Interfaces

Support for dynamic virtual tunnel interfaces allows for the virtual profile to be mapped into a specified virtual template.

Examples

ISAKAMP Profile Matching Peer Identities Example

The following example shows how to define an ISAKMP profile and match the peer identities:
crypto isakmp profile vpnprofile match identity address 10.76.11.53

ISAKAMP Profile with Accounting Example

The following accounting example shows that an ISAKMP profile is configured:


aaa new-model ! ! aaa authentication login cisco-client group radius aaa authorization network cisco-client group radius aaa accounting network acc start-stop broadcast group radius aaa session-id common ! crypto isakmp profile cisco vrf cisco match identity group cclient client authentication list cisco-client

Cisco IOS Release: Multiple releases (see the Feature Information table)

36

IPsec Virtual Tunnel Interface crypto isakmp profile

isakmp authorization list cisco-client client configuration address respond accounting acc ! crypto dynamic-map dynamic 1 set transform-set aswan set isakmp-profile cisco reverse-route ! ! radius-server host 172.16.1.4 auth-port 1645 acct-port 1646 radius-server key nsite

Related Commands

Command crypto map (global IPsec)

Description Enters crypto map configuration mode and creates or modifies a crypto map entry, creates a crypto profile that provides a template for configuration of dynamically created crypto maps, or configures a client accounting list. Displays messages about IKE events. Matches an identity from a peer in an ISAKMP profile. Associates a tunnel interface with an IP Security (IPsec) profile. Specifies which virtual template to be used to clone virtual access interfaces.

debug crypto isakmp match identity tunnel protection virtual template

Cisco IOS Release: Multiple releases (see the Feature Information table)

37

IPsec Virtual Tunnel Interface interface virtual-template

interface virtual-template
To create a virtual template interface that can be configured and applied dynamically in creating virtual access interfaces, use the interface virtual-template command in global configuration mode. To remove a virtual template interface, use the no form of this command. interface virtual-template number no interface virtual-template number

Syntax Description

number

Number used to identify the virtual template interface. Up to 200 virtual template interfaces can be configured.

Command Default

No virtual template interface is defined.

Command Modes

Global configuration

Command History

Release 11.2F 12.2(4)T 12.2(28)SB 12.2(33)SRA

Modification This command was introduced. This command was enhanced to increase the maximum number of virtual template interfaces from 25 to 200. This command was integrated into Cisco IOS Release 12.2(28)SB. This command was integrated into Cisco IOS Release 12.2(33)SRA.

Usage Guidelines

A virtual template interface is used to provide the configuration for dynamically created virtual access interfaces. It is created by users and can be saved in NVRAM. After the virtual template interface is created, it can be configured in the same way as a serial interface. Virtual template interfaces can be created and applied by various applications such as virtual profiles, virtual private dialup networks (VPDNs), PPP over ATM, protocol translation, and Multichassis Multilink PPP (MMP).

Examples

Virtual Template with PPP Authentication Example

The following example creates and configures virtual template interface 1:


interface virtual-template 1 type ethernet ip unnumbered ethernet 0 ppp multilink ppp authentication chap

IPsec Virtual Template Example

The following example shows how to configure a virtual template for an IPsec virtual tunnel interface.
interface virtual-template1 type tunnel

Cisco IOS Release: Multiple releases (see the Feature Information table)

38

IPsec Virtual Tunnel Interface interface virtual-template

ip unnumbered Loopback1 tunnel mode ipsec ipv4 tunnel protection ipsec profile virtualtunnelinterface

Related Commands

Command tunnel protection virtual interface virtual template

Description Associates a tunnel interface with an IPsec profile. Sets the zone name for the connected AppleTalk network. Specifies the destination for a tunnel interface.

Cisco IOS Release: Multiple releases (see the Feature Information table)

39

IPsec Virtual Tunnel Interface show vtemplate

show vtemplate
To display information about all configured virtual templates, use the show vtemplate command in privileged EXEC mode. show vtemplate

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release 12.0(7)DC 12.2(13)T 12.3(14)T

Modification This command was introduced on the Cisco 6400 NRP. This command was integrated into Cisco IOS Release 12.2(13)T. The show display was modified to display the interface type of the virtual template and to provide counters on a per-interface-type basis for IPsec virtual tunnel interfaces. This comand was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(33)SRA

Examples

The following is sample output from the show vtemplate command:


Router# show vtemplate Virtual access subinterface creation is globally enabled Active Active Subint Pre-clone Pre-clone Interface Interface Subinterface Capable Available Limit Type --------- ------------ ------- --------- --------- --------0 0 Yes --Serial 0 0 Yes --Serial 0 0 Yes --Serial 0 0 No --Tunnel 0 0 Yes --Ether 0 0 Yes --Serial 0 0 Yes --Serial

Vt1 Vt2 Vt4 Vt21 Vt22 Vt23 Vt24

Usage Summary Interface --------1 0 0 0 0 0 1 8 0 Subinterface -----------0 3 0 0 0 0 3 4 4

Current Current Current Current Current Current Total

Serial Serial Ether Ether Tunnel Tunnel

in use free in use free in use free

Cumulative created Cumulative freed Base virtual access interfaces: 1

Cisco IOS Release: Multiple releases (see the Feature Information table)

40

IPsec Virtual Tunnel Interface show vtemplate

Total create or clone requests: 0 Current request queue size: 0 Current free pending: 0 Maximum request duration: 0 msec Average request duration: 0 msec Last request duration: 0 msec Maximum processing duration: 0 msec Average processing duration: 0 msec Last processing duration: 0 msec Last processing duration:0 msec

Table 1 describes the significant fields shown in the example.


Table 1 show vtemplate Field Descriptions

Field Virtual access subinterface creation is globally... Active Interface Active Subinterface Subint Capable Pre-clone Available Pre-clone Limit Current in use Current free Total Cumulative created Cumulative freed Base virtual-access interfaces

Description The configured setting of the virtual-template command. Virtual access subinterface creation may be enabled or disabled. The number of virtual access interfaces that are cloned from the specified virtual template. The number of virtual access subinterfaces that are cloned from the specified virtual template. Specifies if the configuration of the virtual template is supported on the virtual access subinterface. The number of precloned virtual access interfaces currently available for use for the particular virtual template. The number of precloned virtual access interfaces available for that particular virtual template. The number of virtual access interfaces and subinterfaces that are currently in use. The number of virtual access interfaces and subinterfaces that are no longer in use. The total number of virtual access interfaces and subinterfaces that exist. The number of requests for a virtual access interface or subinterface that have been satisfied. The number of times that the application using the virtual access interface or subinterface has been freed. This field specifies the number of base virtual access interfaces. The base virtual access interface is used to create virtual access subinterfaces. There is one base virtual access interface per application that supports subinterfaces. A base virtual access interface can be identified from the output of the show interfaces virtual-access command. The number of requests that have been made through the asynchronous request API of the virtual template manager. The number of items in the virtual template manager work queue.

Total create or clone requests Current request queue size

Cisco IOS Release: Multiple releases (see the Feature Information table)

41

IPsec Virtual Tunnel Interface show vtemplate

Table 1

show vtemplate Field Descriptions (Continued)

Field Current free pending

Description The number of virtual access interfaces whose final freeing is pending. These virtual access interfaces cannot currently be freed because they are still in use. The maximum time that it took from the time that the asynchronous request was made until the application was notified that the request was done. The average time that it took from the time that the asynchronous request was made until the application was notified that the request was done. The time that it took from the time that the asynchronous request was made until the application was notified that the request was done for the most recent request. The maximum time that the virtual template manager spent satisfying the request. The average time that the virtual template manager spent satisfying the request. The time that the virtual template manager spent satisfying the request for the most recent request.

Maximum request duration

Average request duration

Last request duration

Maximum processing duration Average processing duration Last processing duration

Related Commands

Command show interfaces virtual-access virtual-template

Description Displays status, traffic data, and configuration information about a specified virtual access interface. Specifies which virtual template will be used to clone virtual access interfaces.

Cisco IOS Release: Multiple releases (see the Feature Information table)

42

IPsec Virtual Tunnel Interface tunnel mode

tunnel mode
To set the encapsulation mode for the tunnel interface, use the tunnel mode command in interface configuration mode. To restore the default mode, use the no form of this command. tunnel mode {aurp | cayman | dvmrp | eon | gre | gre multipoint | gre ipv6 | ipip [decapsulate-any] | ipsec ipv4 | iptalk | ipv6 | ipsec ipv6 | mpls | nos | rbscp} no tunnel mode

Syntax Description

aurp cayman dvmrp eon gre gre multipoint gre ipv6 ipip decapsulate-any

AppleTalk Update-Based Routing Protocol. Cayman TunnelTalk AppleTalk encapsulation. Distance Vector Multicast Routing Protocol. EON compatible Connectionless Network Protocol (CLNS) tunnel. Generic routing encapsulation (GRE) protocol. This is the default. Multipoint GRE (mGRE). GRE tunneling using IPv6 as the delivery protocol. IP-over-IP encapsulation. (Optional) Terminates any number of IP-in-IP tunnels at one tunnel interface. This tunnel will not carry any outbound traffic; however, any number of remote tunnel endpoints can use a tunnel configured this way as their destination.

ipsec ipv4 iptalk ipv6 ipsec ipv6 mpls nos rbscp

Tunnel mode is IPSec, and the transport is IPv4. Apple IPTalk encapsulation. Static tunnel interface configured to encapsulate IPv6 or IPv4 packets in IPv6. Tunnel mode is IPSec, and the transport is IPv6. Multiprotocol Label Switching (MPLS) encapsulation. KA9Q/NOS compatible IP over IP. Rate Based Satellite Control Protocol (RBSCP).

Command Defaults

GRE tunneling

Command Modes

Interface configuration

Command History

Release 10.0 10.3 11.2 12.2(13)T

Modification This command was introduced. The aurp, dvmrp, and ipip keywords were added. The optional decapsulate-any keyword was added. The gre multipoint keyword was added.

Cisco IOS Release: Multiple releases (see the Feature Information table)

43

IPsec Virtual Tunnel Interface tunnel mode

Release 12.3(7)T

Modification The following keywords were added:


gre ipv6 to support GRE tunneling using IPv6 as the delivery protocol. ipv6 to allow a static tunnel interface to be configured to encapsulate IPv6 or IPv4 packets in IPv6. rbscp to support RBSCP.

12.3(14)T 12.2(18)SXE 12.2(30)S 12.4(4)T 12.2(33)SRA

The ipsec ipv4 keyword was added. The gre multipoint keyword added. This command was integrated into Cisco IOS Release 12.2(30)S. The ipsec ipv6 keyword was added. This command was integrated into Cisco IOS Release 12.2(33)SRA.

Usage Guidelines

Source and Destination Address

You cannot have two tunnels that use the same encapsulation mode with exactly the same source and destination address. The workaround is to create a loopback interface and source packets off of the loopback interface.
Cayman Tunneling

Designed by Cayman Systems, Cayman tunneling implements tunneling to enable Cisco routers to interoperate with Cayman GatorBoxes. With Cayman tunneling, you can establish tunnels between two routers or between a Cisco router and a GatorBox. When using Cayman tunneling, you must not configure the tunnel with an AppleTalk network address.
DVMRP

Use DVMRP when a router connects to an mrouted (multicast) router to run DVMRP over a tunnel. You must configure Protocol Independent Multicast (PIM) and an IP address on a DVMRP tunnel.
GRE with AppleTalk

GRE tunneling can be done between Cisco routers only. When using GRE tunneling for AppleTalk, you configure the tunnel with an AppleTalk network address. Using the AppleTalk network address, you can ping the other end of the tunnel to check the connection.
Multipoint GRE

After enabling mGRE tunneling, you can enable the tunnel protection command, which allows you to associate the mGRE tunnel with an IPSec profile. Combining mGRE tunnels and IPSec encryption allows a single mGRE interface to support multiple IPSec tunnels, thereby simplifying the size and complexity of the configuration.

Note

GRE tunnel keepalives configured using the keepalive command under a GRE interface are supported only on point-to-point GRE tunnels.
RBSCP

RBSCP tunneling is designed for wireless or long-distance delay links with high error rates, such as satellite links. Using tunnels, RBSCP can improve the performance of certain IP protocols, such as TCP and IPSec, over satellite links without breaking the end-to-end model.

Cisco IOS Release: Multiple releases (see the Feature Information table)

44

IPsec Virtual Tunnel Interface tunnel mode

IPSec in IPv6 Transport

IPv6 IPSec encapsulation provides site-to-site IPSec protection of IPv6 unicast and multicast traffic. This feature allows IPv6 routers to work as a security gateway, establishes IPSec tunnels between another security gateway router, and provides crypto IPSec protection for traffic from an internal network when being transmitting across the public IPv6 Internet. IPv6 IPSec is very similar to the security gateway model using IPv4 IPsec protection.

Examples

Cayman Tunneling

The following example shows how to enable Cayman tunneling:


Router(config)# interface Router(config-if)# tunnel Router(config-if)# tunnel Router(config-if)# tunnel tunnel 0 source ethernet 0 destination 10.108.164.19 mode cayman

GRE Tunneling

The following example shows how to enable GRE tunneling:


Router(config)# interface tunnel 0 Router(config-if)# appletalk cable-range 4160-4160 4160.19 Router(config-if)# appletalk zone Engineering Router(config-if)# tunnel source ethernet0 Router(config-if)# tunnel destination 10.108.164.19 Router(config-if)# tunnel mode gre

IPSec in IPv4 Transport

The following example shows how to configure a tunnel using IPSec encapsulation with IPv4 as the transport mechanism:
Router(config)# crypto ipsec profile PROF Router(config)# set transform tset ! Router(config)# interface Tunnel0 Router(config-if)# ip address 10.1.1.1 255.255.255.0 Router(config-if)# tunnel mode ipsec ipv4 Router(config-if)# tunnel source Loopback0 Router(config-if)# tunnel destination 172.16.1.1 Router(config-if)# tunnel protection ipsec profile PROF

IPSec in IPv6 Transport

The following example shows how to configure an IPv6 IPSec tunnel interface:
Router(config)# interface tunnel 0 Router(config-if)# ipv6 address 2001:0DB8:1111:2222::2/64 Router(config-if)# tunnel destination 10.0.0.1 Router(config-if)# tunnel source Ethernet 0/0 Router(config-if)# tunnel mode ipsec ipv6 Router(config-if)# tunnel protection ipsec profile profile1

Cisco IOS Release: Multiple releases (see the Feature Information table)

45

IPsec Virtual Tunnel Interface tunnel mode

Multipoint GRE Tunneling

The following example shows how to enable mGRE tunneling:


interface Tunnel0 bandwidth 1000 ip address 10.0.0.1 255.255.255.0 ! Ensures longer packets are fragmented before they are encrypted; otherwise, the ! receiving router would have to do the reassembly. ip mtu 1416 ! Turns off split horizon on the mGRE tunnel interface; otherwise, EIGRP will not ! advertise routes that are learned via the mGRE interface back out that interface. no ip split-horizon eigrp 1 no ip next-hop-self eigrp 1 delay 1000 ! Sets IPSec peer address to Ethernet interfaces public address. tunnel source Ethernet0 tunnel mode gre multipoint ! The following line must match on all nodes that want to use this mGRE tunnel. tunnel key 100000 tunnel protection ipsec profile vpnprof

RBSCP Tunneling

The following example shows how to enable RBSCP tunneling:


Router(config)# interface Router(config-if)# tunnel Router(config-if)# tunnel Router(config-if)# tunnel tunnel 0 source ethernet 0 destination 10.108.164.19 mode rbscp

Related Commands

Command appletalk zone tunnel destination tunnel protection tunnel source

Description Sets the zone name for the connected AppleTalk network. Specifies the destination for a tunnel interface. Associates a tunnel interface with an IPSec profile. Sets the source address of a tunnel interface.

appletalk cable-range Enables an extended AppleTalk network.

Cisco IOS Release: Multiple releases (see the Feature Information table)

46

IPsec Virtual Tunnel Interface virtual-template

virtual-template
To specify which virtual template will be used to clone virtual access interfaces, use the virtual-template command in VPDN group configuration mode. To remove the virtual template from a virtual private dial-up network (VPDN) group, use the no form of this command. virtual-template template-number no virtual-template

Syntax Description

template-number

Number of the virtual template that will be used to clone virtual access interfaces.

Command Defaults

No virtual template is enabled.

Command Modes

VPDN group configuration

Command History

Release 12.0(5)T 12.1(1)T 12.2(15)T

Modification This command was introduced. This command was enhanced to enable PPPoE on ATM to accept dial-in PPP over Ethernet (PPPoE) sessions. This command was enhanced to allow IP per-user attributes to be applied to a Layer 2 Tunneling Protocol (L2TP) dial-out session.

Usage Guidelines

You must first enable a tunneling protocol on the VPDN group using the protocol (VPDN) command before you can enable the virtual-template command. Removing or modifying the protocol command will remove the virtual-template command from the VPDN group. Each VPDN group can clone only virtual access interfaces using one virtual template. If you enter a second virtual-template command on a VPDN group, it will replace the first virtual-template command. Table 1 lists the VPDN group commands under which the virtual-template command can be entered. Entering the VPDN group command starts VPDN group configuration mode. The table includes the command-line prompt for the VPDN group configuration mode and the type of service configured.
Table 2 VPDN Subgroups

VPDN Group Command accept-dialin request-dialout

Command Mode Prompt


router(config-vpdn-acc-in)# router(config-vpdn-req-ou)#

Type of Service Tunnel server L2TP network server (LNS)

Cisco IOS Release: Multiple releases (see the Feature Information table)

47

IPsec Virtual Tunnel Interface virtual-template

When the virtual-template command is entered under a request-dialout VPDN subgroup, IP and other per-user attributes can be applied to an L2TP dial-out session from an LNS. Before this command was enhanced, IP per-user configurations from authentication, authorization, and accounting (AAA) servers were not supported; the IP configuration would come from the dialer interface defined on the router. The enhanced virtual-template command works in a way similar to configuring virtual profiles and L2TP dial-in. The L2TP virtual access interface is first cloned from the virtual template, which means that configurations from the virtual template interface will be applied to the L2TP virtual access interface. After authentication, the AAA per-user configuration is applied to the virtual access interface. Because AAA per-user attributes are applied only after the user has been authenticated, the LNS must be configured to authenticate the dial-out user (configuration authentication is needed for this command). With the enhanced virtual-template command, all software components can now use the configuration present on the virtual access interface rather than what is present on the dialer interface. For example, IP Control Protocol (IPCP) address negotiation uses the local address of the virtual access interface as the router address while negotiating with the peer.

Examples

The following example enables the LNS to accept an L2TP tunnel from an L2TP access concentrator (LAC) named LAC2. A virtual access interface will be cloned from virtual template 1.
vpdn-group 1 accept-dialin protocol l2tp virtual-template 1 terminate-from hostname LAC2

The following example enables PPPoE on ATM to accept dial-in PPPoE sessions. A virtual access interface for the PPP session is cloned from virtual template 1.
vpdn-group 1 accept-dialin protocol pppoe virtual-template 1

The following partial example shows how to configure an LNS to support IP per-user configurations from a AAA server:
! vpdn enable vpdn search-order domain ! vpdn-group 1
. . .

request-dialout protocol l2tp rotary-group 1 virtual-template 1 initiate-to ip 10.0.1.194.2 local name lns l2tp tunnel password 7094F3$!5^3 source-ip 10.0.194.53 !

Cisco IOS Release: Multiple releases (see the Feature Information table)

48

IPsec Virtual Tunnel Interface Feature Information for IPsec Virtual Tunnel Interfaces

The previous configuration requires a AAA profile such as the following example to specify the per-user attributes:
5300-Router1-out Password = "cisco" Service-Type = Outbound cisco-avpair = "outbound:dial-number=5550121" 7200-Router1-1 Password = "cisco" Service-Type = Outbound cisco-avpair = "ip:route=10.17.17.1 255.255.255.255 Dialer1 100 name 5300-Router1" 5300-Router1 Password = "cisco" Service-Type = Framed Framed-Protocol = PPP cisco-avpair = "lcp:interface-config=ip unnumbered loopback 0" cisco-avpair = "ip:outacl#1=deny ip host 10.5.5.5 any log" cisco-avpair = "ip:outacl#2=permit ip any any" cisco-avpair = "ip:inacl#1=deny ip host 10.5.5.5 any log" cisco-avpair = "ip:inacl#2=permit ip any any" cisco-avpair = "multilink:min-links=2" Framed-Route = "10.5.5.6/32 Ethernet4/0" Framed-Route = "10.5.5.5/32 Ethernet4/0" Idle-Timeout = 100

Related Commands

Command accept-dialin protocol (VPDN) request-dialout vpdn-group

Description Configures an LNS to accept tunneled PPP connections from a LAC and to create an accept-dialin VPDN subgroup. Specifies the Layer 2 Tunneling Protocol that the VPDN subgroup will use. Enables an LNS to request VPDN dial-out calls by using L2TP and to create a request-dialout VPDN subgroup. Defines a local, unique group number identifier.

Feature Information for IPsec Virtual Tunnel Interfaces


Table 3 lists the release history for this feature. Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation. Cisco IOS software images are specific to a Cisco IOS software release, a feature set, and a platform. Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Note

Table 3 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.

Cisco IOS Release: Multiple releases (see the Feature Information table)

49

IPsec Virtual Tunnel Interface Feature Information for IPsec Virtual Tunnel Interfaces

Table 3

Feature Information for IPsec Virtual Tunnel InterfaceI

Feature Name Static IPsec VTIs

Releases

Feature Configuration Information

12.3(7)T IPsec VTIs (VTIs) provide a routable interface type for 12.3(14)T terminating IPsec tunnels and an easy way to define 12.2(33)SRA protection between sites to form an overlay network. IPsec VTIs simplify configuration of IPsec for protection of remote links, support multicast, and simplify network management and load balancing. Static tunnel interfaces can be configured to encapsulate IPv6 or IPv4 packets in IPv6.

Dynamic IPsec VTIs

12.3(7)T 12.3(14)T

Dynamic VTIs provide efficiency in the use of IP addresses and provide secure connectivity. Dynamic VTIs allow dynamically downloadable per-group and per-user policies to be configured on a RADIUS server. The per-group or per-user definition can be created using Xauth User or Unity group, or it can be derived from a certificate. Dynamic VTIs are standards based, so interoperability in a multiple-vendor environment is supported. IPsec dynamic VTIs allow you to create highly secure connectivity for remote access VPNs and can be combined with Cisco Architecture for Voice, Video, and Integrated Data (AVVID) to deliver converged voice, video, and data over IP networks. The dynamic VTI simplifies VRF-aware IPsec deployment. The VRF is configured on the interface. This feature provides per-user attribute support on an Easy VPN server. The following sections provide information about this feature: Per-User Attribute Support for Easy VPN Servers section on page 7 The following commands were added or modified by this feature: crypto aaa attribute list and crypto isakmp client configuration group.

Per-User Attribute Support for Easy VPN Servers

12.4(9)T

CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0601R)

Cisco IOS Release: Multiple releases (see the Feature Information table)

50

IPsec Virtual Tunnel Interface Feature Information for IPsec Virtual Tunnel Interfaces

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental. 2005, 2006 Cisco Systems, Inc. All rights reserved.

Cisco IOS Release: Multiple releases (see the Feature Information table)

51

IPsec Virtual Tunnel Interface Feature Information for IPsec Virtual Tunnel Interfaces

Cisco IOS Release: Multiple releases (see the Feature Information table)

52

Anda mungkin juga menyukai