IP security (IPsec) virtual tunnel interfaces (VTIs) provide a routable interface type for terminating IPsec tunnels and an easy way to define protection between sites to form an overlay network. IPsec VTIs simplify configuration of IPsec for protection of remote links, support multicast, and simplify network management and load balancing.
Finding Feature Information in This Module
Your Cisco IOS software release may not support all of the features documented in this module. To reach links to specific feature documentation in this module and to see a list of the releases in which each feature is supported, use the Feature Information for IPsec Virtual Tunnel Interfaces section on page 49.
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
Restrictions for IPsec Virtual Tunnel Interface, page 2 Information About IPsec Virtual Tunnel Interfaces, page 2 How to Configure IPsec Virtual Tunnel Interfaces, page 8 Configuration Examples for IPsec Virtual Tunnel Interfaces, page 13 Additional References, page 26 Command Reference, page 27 Feature Information for IPsec Virtual Tunnel Interfaces, page 49
Corporate Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
IPsec Virtual Tunnel Interface Restrictions for IPsec Virtual Tunnel Interface
The Internet Key Exchange (IKE) security association (SA) is bound to the VTI. Because IKE SA is bound to the VTI, the same IKE SA cannot be used for a crypto map.
Proxy
Static VTIs support only IP ANY ANY proxies. Only one proxy is supported with VTI. Dynamic VTIs, on the other hand, support more than one proxy.
QoS Traffic Shaping
The shared keyword is not required and must not be configured when using the tunnel mode ipsec ipv4 command for IPsec IPv4 mode.
Static VTIs Versus GRE Tunnels
The IPsec VTI is limited to IP unicast and multicast traffic only, as opposed to GRE tunnels, which have a wider application for IPsec implementation.
VRF-Aware IPsec Configuration
In VRF-aware IPsec configurations with either static or dynamic VTIs (DVTIs), the VRF must not be configured in the Internet Security Association and Key Management Protocol (ISAKMP) profile. Instead, the VRF must be configured on the tunnel interface for static VTIs. For DVTIs, you must apply VRF to the vtemplate using the ip vrf forwarding command.
Cisco IOS Release: Multiple releases (see the Feature Information table)
IPsec Virtual Tunnel Interface Information About IPsec Virtual Tunnel Interfaces
traffic to the tunnel interface simplifies the IPsec VPN configuration compared to the more complex process of using access control lists (ACLs) with the crypto map in native IPsec configurations. DVTIs function like any other real interface so that you can apply quality of service (QoS), firewall, and other security services as soon as the tunnel is active. Without Virtual Private Network (VPN) Acceleration Module2+ (VAM2+) accelerating virtual interfaces, the packet traversing an IPsec virtual interface is directed to the router processor (RP) for encapsulation. This method tends to be slow and has limited scalability. In hardware crypto mode, all the IPsec VTIs are accelerated by the VAM2+ crypto engine, and all traffic going through the tunnel is encrypted and decrypted by the VAM2+. The following sections provide details about the IPsec VTI:
Benefits of Using IPsec Virtual Tunnel Interfaces, page 3 Routing with IPsec Virtual Tunnel Interfaces, page 3 Static Virtual Tunnel Interfaces, page 4 Dynamic Virtual Tunnel Interfaces, page 4 Dynamic Virtual Tunnel Interface Life Cycle, page 5 Traffic Encryption with the IPsec Virtual Tunnel Interface, page 5 Per-User Attribute Support for Easy VPN Servers, page 7
Cisco IOS Release: Multiple releases (see the Feature Information table)
IPsec Virtual Tunnel Interface Information About IPsec Virtual Tunnel Interfaces
The IPsec VTI supports native IPsec tunneling and exhibits most of the properties of a physical interface.
Cisco IOS Release: Multiple releases (see the Feature Information table)
127961
IPsec Virtual Tunnel Interface Information About IPsec Virtual Tunnel Interfaces
highly secure connectivity for remote access VPNs and can be combined with Cisco Architecture for Voice, Video, and Integrated Data (AVVID) to deliver converged voice, video, and data over IP networks. The dynamic VTI simplifies Virtual Private Network (VRF) routing and forwarding- (VRF-) aware IPsec deployment. The VRF is configured on the interface. A dynamic VTI requires minimal configuration on the router. A single virtual template can be configured and cloned. The dynamic VTI creates an interface for IPsec sessions and uses the virtual template infrastructure for dynamic instantiation and management of dynamic IPsec VTIs. The virtual template infrastructure is extended to create dynamic virtual-access tunnel interfaces. Dynamic VTIs are used in hub-and-spoke configurations. A single dynamic VTI can support several static VTIs. Decisions are made through routing updates. Figure 2 illustrates the dynamic VTI authentication path.
Figure 2 Dynamic IPsec VTI
Local authorization
auth Single User Client with ISDN Card ISDN Physical interface DSL 3 2
Router
User 1 calls the router. Router 1 authenticates User 1. IPsec clones virtual access interface from virtual template interface.
Cisco IOS Release: Multiple releases (see the Feature Information table)
IPsec Virtual Tunnel Interface Information About IPsec Virtual Tunnel Interfaces
encryption simplifies the IPsec VPN configuration because the use of ACLs with a crypto map in native IPsec configurations is not required. The IPsec virtual tunnel also allows you to encrypt multicast traffic with IPsec. IPsec packet flow into the IPsec tunnel is illustrated in Figure 3.
Figure 3 Packet Flow into the IPsec Tunnel
4. Encrypted packets are passed out of the physical outside interface.
IP
Inside interface
Forwarding engine
Outside interface
Inside interface
Outside interface
After packets arrive on the inside interface, the forwarding engine switches the packets to the VTI, where they are encrypted. The encrypted packets are handed back to the forwarding engine, where they are switched through the outside interface. Figure 4 shows the packet flow out of the IPsec tunnel.
Cisco IOS Release: Multiple releases (see the Feature Information table)
IPsec Virtual Tunnel Interface Information About IPsec Virtual Tunnel Interfaces
Figure 4
IP
Inside interface
Outside interface
127960
VTI 2. Forwarding engine determines it is a packet for us and sends it to IPsec for decryption.
Inside interface
Outside interface
3. IPsec decrypts the packets and associates to the VTI based on the SA information.
Per-User Attributes
The following per-user attributes are currently defined in the AAA server and are applicable to IPsec:
Cisco IOS Release: Multiple releases (see the Feature Information table)
IPsec Virtual Tunnel Interface How to Configure IPsec Virtual Tunnel Interfaces
Configuring Static IPsec Virtual Tunnel Interfaces, page 8 Configuring Dynamic IPsec Virtual Tunnel Interfaces, page 10 Configuring Per-User Attributes on a Local Easy VPN AAA Server, page 12
SUMMARY STEPS
1. 2. 3. 4. 5. 6. 7. 8. 9.
enable configure terminal crypto IPsec profile profile-name set transform-set transform-set-name interface type number ip address address mask tunnel mode ipsec ipv4 tunnel source interface tunnel destination ip-address
Cisco IOS Release: Multiple releases (see the Feature Information table)
IPsec Virtual Tunnel Interface How to Configure IPsec Virtual Tunnel Interfaces
DETAILED STEPS
Command or Action
Step 1
enable
Example:
Router> enable
Step 2
configure terminal
Example:
Router# configure terminal
Step 3
Defines the IPsec parameters that are to be used for IPsec encryption between two IPsec routers.
Example:
Router(config)# crypto IPsec profile PROF
Step 4
Specifies which transform sets can be used with the crypto map entry.
Example:
Router(config)# set transform-set tset
Step 5
Specifies the interface on which the tunnel will be configured and enters interface configuration mode.
Example:
Router(config)# interface tunnel0
Step 6
Example:
Router(config-if)# ip address 10.1.1.1 255.255.255.0
Step 7
Example:
Router(config-if)# tunnel mode ipsec ipv4
Step 8
Example:
Router(config-if)# tunnel source loopback0
Cisco IOS Release: Multiple releases (see the Feature Information table)
IPsec Virtual Tunnel Interface How to Configure IPsec Virtual Tunnel Interfaces
Command or Action
Step 9
tunnel destination ip-address
Example:
Router(config-if)# tunnel destination 172.16.1.1
Step 10
Example:
Router(config-if)# tunnel protection IPsec profile PROF
SUMMARY STEPS
1. 2. 3. 4. 5. 6. 7. 8. 9.
enable configure terminal crypto IPsec profile profile-name set transform-set transform-set-name interface virtual-template number tunnel mode mode tunnel protection IPsec profile profile-name [shared] exit crypto isakamp profile profile-name
DETAILED STEPS
Command or Action
Step 1
enable
Example:
Router> enable
Step 2
configure terminal
Example:
Router# configure terminal
Cisco IOS Release: Multiple releases (see the Feature Information table)
10
IPsec Virtual Tunnel Interface How to Configure IPsec Virtual Tunnel Interfaces
Command or Action
Step 3
crypto IPsec profile profile-name
Purpose Defines the IPsec parameters that are to be used for IPsec encryption between two IPsec routers.
Example:
Router(config)# crypto IPsec profile PROF
Step 4
Specifies which transform sets can be used with the crypto map entry.
Example:
Router(config)# set transform-set tset
Step 5
Example:
Router(config)# interface virtual-template 2
Step 6
Example:
Router(config-if)# tunnel mode ipsec ipv4
Step 7
Example:
Router(config-if)# tunnel protection IPsec profile PROF
Step 8
exit
Example:
Router(config-if)# exit
Step 9
Example:
Router(config)# crypto isakamp profile red
Step 10
virtual-template template-number
Example:
Router(config)# virtual-template 1
Cisco IOS Release: Multiple releases (see the Feature Information table)
11
IPsec Virtual Tunnel Interface How to Configure IPsec Virtual Tunnel Interfaces
SUMMARY STEPS
1. 2. 3. 4. 5. 6. 7.
enable configure terminal aaa attribute list list-name attribute type name value [service service] [protocol protocol] exit crypto isakmp client configuration group group-name crypto aaa attribute list list-name
DETAILED STEPS
Command or Action
Step 1
enable
Example:
Router> enable
Step 2
configure terminal
Example:
Router# configure terminal
Step 3
Defines a AAA attribute list locally on a router and enters attribute list configuration mode.
Example:
Router(config)# aaa attribute list list1
Step 4
Example:
Router(config-attr-list)# attribute type attribute xxxx service ike protocol ip
Step 5
exit
Example:
Router(config-attr-list)# exit
Cisco IOS Release: Multiple releases (see the Feature Information table)
12
IPsec Virtual Tunnel Interface Configuration Examples for IPsec Virtual Tunnel Interfaces
Command or Action
Step 6
crypto isakmp client configuration group group-name
Purpose Specifies to which group a policy profile will be defined and enters ISAKMP group configuration mode.
Example:
Router (config)# crypto isakmp client configuration group group1
Step 7
Example:
Router (config-isakmp-group)# crypto aaa attribute list listname1
Static Virtual Tunnel Interface with IPsec: Example, page 13 VRF-Aware Static Virtual Tunnel Interface: Example, page 16 Static Virtual Tunnel Interface with QoS: Example, page 17 Static Virtual Tunnel Interface with Virtual Firewall: Example, page 17 Dynamic Virtual Tunnel Interface Easy VPN Server: Example, page 19 Dynamic Virtual Tunnel Interface Easy VPN Client: Example, page 20 VRF-Aware IPsec with Dynamic VTI: Example, page 22 Dynamic Virtual Tunnel Interface with Virtual Firewall: Example, page 23 Dynamic Virtual Tunnel Interface with QoS: Example, page 24 Per-User Attributes on an Easy VPN Server: Example, page 24
10.0.35.21
10.0.149.217
10.0.36.21
Server 1
C1750-17
Server 2
127943
Cisco IOS Release: Multiple releases (see the Feature Information table)
13
IPsec Virtual Tunnel Interface Configuration Examples for IPsec Virtual Tunnel Interfaces
interface Tunnel0 ip address 10.0.51.203 255.255.255.0 ip ospf mtu-ignore load-interval 30 tunnel source 10.0.149.203 tunnel destination 10.0.149.217 tunnel mode IPsec ipv4 tunnel protection IPsec profile P1 ! interface Ethernet3/0 ip address 10.0.149.203 255.255.255.0 duplex full ! interface Ethernet3/3 ip address 10.0.35.203 255.255.255.0 duplex full ! ip classless ip route 10.0.36.0 255.255.255.0 Tunnel0 line con 0 line aux 0 line vty 0 4 end
Cisco IOS Release: Multiple releases (see the Feature Information table)
14
IPsec Virtual Tunnel Interface Configuration Examples for IPsec Virtual Tunnel Interfaces
! interface Tunnel0 ip address 10.0.51.217 255.255.255.0 ip ospf mtu-ignore tunnel source 10.0.149.217 tunnel destination 10.0.149.203 tunnel mode ipsec ipv4 tunnel protection ipsec profile P1 ! interface FastEthernet0/0 ip address 10.0.149.217 255.255.255.0 speed 100 full-duplex ! interface Ethernet1/0 ip address 10.0.36.217 255.255.255.0 load-interval 30 full-duplex !
ip classless ip route 10.0.35.0 255.255.255.0 Tunnel0 line con 0 line aux 0 line vty 0 4 end
Verifying the Results for the IPsec Static Virtual Tunnel Interface: Example
This section provides information that you can use to confirm that your configuration is working properly. In this display, Tunnel 0 is up, and the line protocol is up. If the line protocol is down, the session is not active.
Verifying the C7206 Status
Router# show interface tunnel 0 Tunnel0 is up, line protocol is up Hardware is Tunnel Internet address is 10.0.51.203/24 MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec, reliability 255/255, txload 103/255, rxload 110/255 Encapsulation TUNNEL, loopback not set Keepalive not set Tunnel source 10.0.149.203, destination 10.0.149.217 Tunnel protocol/transport IPsec/IP, key disabled, sequencing disabled Tunnel TTL 255 Checksumming of packets disabled, fast tunneling enabled Tunnel transmit bandwidth 8000 (kbps) Tunnel receive bandwidth 8000 (kbps) Tunnel protection via IPsec (profile "P1") Last input never, output never, output hang never Last clearing of "show interface" counters never Input queue: 1/75/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue: 0/0 (size/max) 30 second input rate 13000 bits/sec, 34 packets/sec 30 second output rate 36000 bits/sec, 34 packets/sec 191320 packets input, 30129126 bytes, 0 no buffer Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
Cisco IOS Release: Multiple releases (see the Feature Information table)
15
IPsec Virtual Tunnel Interface Configuration Examples for IPsec Virtual Tunnel Interfaces
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 59968 packets output, 15369696 bytes, 0 underruns 0 output errors, 0 collisions, 0 interface resets 0 output buffer failures, 0 output buffers swapped out Router# show crypto session Crypto session current status Interface: Tunnel0 Session status: UP-ACTIVE Peer: 10.0.149.217 port 500 IKE SA: local 10.0.149.203/500 remote 10.0.149.217/500 Active IPsec FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0 Active SAs: 4, origin: crypto map Router# show ip route Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route Gateway of last resort is not set 10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks C 10.0.35.0/24 is directly connected, Ethernet3/3 S 10.0.36.0/24 is directly connected, Tunnel0 C 10.0.51.0/24 is directly connected, Tunnel0 C 10.0.149.0/24 is directly connected, Ethernet3/0
Cisco IOS Release: Multiple releases (see the Feature Information table)
16
IPsec Virtual Tunnel Interface Configuration Examples for IPsec Virtual Tunnel Interfaces
Cisco IOS Release: Multiple releases (see the Feature Information table)
17
IPsec Virtual Tunnel Interface Configuration Examples for IPsec Virtual Tunnel Interfaces
Figure 6
10.0.51.217
The basic static VTI configuration has been modified to include the virtual firewall definition.
C7206 Router Configuration
hostname c7206 . . ip inspect max-incomplete high 1000000 ip inspect max-incomplete low 800000 ip inspect one-minute high 1000000 ip inspect one-minute low 800000 ip inspect tcp synwait-time 60 ip inspect tcp max-incomplete host 100000 block-time 2 ip inspect name IOSFW1 tcp timeout 300 ip inspect name IOSFW1 udp ! . . interface GigabitEthernet0/1 description Internet Connection ip address 172.18.143.246 255.255.255.0 ip access-group 100 in ip nat outside ! interface Tunnel0 ip address 10.0.51.217 255.255.255.0 ip nat inside ip inspect IOSFW1 in tunnel source 10.0.149.217 tunnel destination 10.0.149.203 tunnel mode ipsec ipv4 tunnel protection ipsec profile P1 ! ip classless ip route 0.0.0.0 0.0.0.0 172.18.143.1 ! ip nat translation timeout 120 ip nat translation finrst-timeout 2 ip nat translation max-entries 300000 ip nat pool test1 10.2.100.1 10.2.100.50 netmask 255.255.255.0 ip nat inside source list 110 pool test1 vrf test-vti1 overload ! access-list 100 permit esp any any access-list 100 permit udp any eq isakmp any
Cisco IOS Release: Multiple releases (see the Feature Information table)
18
170138
10.0.51.203
c1750
IPsec Virtual Tunnel Interface Configuration Examples for IPsec Virtual Tunnel Interfaces
udp any eq non500-isakmp any icmp any any esp any any udp any eq isakmp any ip any any udp any eq non500-isakmp any
Cisco IOS Release: Multiple releases (see the Feature Information table)
19
IPsec Virtual Tunnel Interface Configuration Examples for IPsec Virtual Tunnel Interfaces
interface Virtual-Template1 type tunnel ip unnumbered Loopback0 ip virtual-reassembly tunnel mode ipsec ipv4 tunnel protection ipsec profile test-vti1 ! ip local pool group1pool 192.168.1.1 192.168.1.4 ip classless ip route 0.0.0.0 0.0.0.0 172.18.143.1 ! end
Verifying the Results for the Dynamic Virtual Tunnel Interface Easy VPN Server: Example
The following examples show that a dynamic VTI has been configured for an Easy VPN server.
Router# show running-config interface Virtual-Access2 Building configuration... Current configuration : 250 bytes ! interface Virtual-Access2 ip unnumbered Loopback0 ip virtual-reassembly tunnel source 172.18.143.246 tunnel destination 172.18.143.208 tunnel mode ipsec ipv4 tunnel protection ipsec profile test-vti1 no tunnel protection ipsec initiate end Router# show ip route Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route Gateway of last resort is 10.2.1.10 to network 0.0.0.0 172.18.0.0/24 is subnetted, 1 subnets 172.18.143.0 is directly connected, GigabitEthernet0/1 192.168.1.0/32 is subnetted, 1 subnets 192.168.1.1 [1/0] via 0.0.0.0, Virtual-Access2 10.0.0.0/24 is subnetted, 1 subnets 10.2.1.0 is directly connected, GigabitEthernet0/2 0.0.0.0/0 [1/0] via 172.18.143.1
C S C S*
Cisco IOS Release: Multiple releases (see the Feature Information table)
20
IPsec Virtual Tunnel Interface Configuration Examples for IPsec Virtual Tunnel Interfaces
no aaa new-model ! ip cef ! username cisco password 0 cisco123 ! crypto ipsec client ezvpn CLIENT connect manual group group1 key cisco123 mode client peer 172.18.143.246 virtual-interface 1 username cisco password cisco123 xauth userid mode local ! interface Loopback0 ip address 10.1.1.1 255.255.255.255 ! interface FastEthernet0/0 description Internet Connection ip address 172.18.143.208 255.255.255.0 crypto ipsec client ezvpn CLIENT ! interface FastEthernet0/1 ip address 10.1.1.252 255.255.255.0 crypto ipsec client ezvpn CLIENT inside ! interface Virtual-Template1 type tunnel ip unnumbered Loopback0 ! ip route 0.0.0.0 0.0.0.0 172.18.143.1 ! end
The client definition can be set up in many different ways. The mode specified with the connect command can be automatic or manual. If the connect mode is set to manual, the IPsec tunnel has to be initiated manually by a user. Also note use of the mode command. The mode can be client, network-extension, or network-extension-plus. This example indicates client mode, which means that the client is given a private address from the server. Network-extension mode is different from client mode in that the client specifies for the server its attached private subnet. Depending on the mode, the routing table on either end will be slightly different. The basic operation of the IPSec tunnel remains the same, regardless of the specified mode.
Verifying the Results for the Dynamic Virtual Tunnel Interface Easy VPN Client: Example
The following examples illustrate different ways to display the status of the DVTI.
Router# show running-config interface Virtual-Access2 Building configuration... Current configuration : 148 bytes ! interface Virtual-Access2 ip unnumbered Loopback1 tunnel source FastEthernet0/0 tunnel destination 172.18.143.246 tunnel mode ipsec ipv4 end
Cisco IOS Release: Multiple releases (see the Feature Information table)
21
IPsec Virtual Tunnel Interface Configuration Examples for IPsec Virtual Tunnel Interfaces
Router# show running-config interface Loopback1 Building configuration... Current configuration : 65 bytes ! interface Loopback1 ip address 192.168.1.1 255.255.255.255 end Router# show ip route Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route Gateway of last resort is 172.18.143.1 to network 0.0.0.0 10.0.0.0/32 is subnetted, 1 subnets 10.1.1.1 is directly connected, Loopback0 172.18.0.0/24 is subnetted, 1 subnets 172.18.143.0 is directly connected, FastEthernet0/0 192.168.1.0/32 is subnetted, 1 subnets 192.168.1.1 is directly connected, Loopback1 0.0.0.0/0 [1/0] via 172.18.143.1 [1/0] via 0.0.0.0, Virtual-Access2
C C C S*
Router# show crypto ipsec client ezvpn Easy VPN Remote Phase: 6 Tunnel name : CLIENT Inside interface list: FastEthernet0/1 Outside interface: Virtual-Access2 (bound to FastEthernet0/0) Current State: IPSEC_ACTIVE Last Event: SOCKET_UP Address: 192.168.1.1 Mask: 255.255.255.255 Save Password: Allowed Current EzVPN Peer: 172.18.143.246
Cisco IOS Release: Multiple releases (see the Feature Information table)
22
IPsec Virtual Tunnel Interface Configuration Examples for IPsec Virtual Tunnel Interfaces
ip unnumbered Loopback0 ip virtual-reassembly tunnel mode ipsec ipv4 tunnel protection ipsec profile test-vti1 ! . . end
Cisco IOS Release: Multiple releases (see the Feature Information table)
23
IPsec Virtual Tunnel Interface Configuration Examples for IPsec Virtual Tunnel Interfaces
esp any any udp any eq isakmp any ip any any udp any eq non500-isakmp any
Cisco IOS Release: Multiple releases (see the Feature Information table)
24
IPsec Virtual Tunnel Interface Configuration Examples for IPsec Virtual Tunnel Interfaces
! ip subnet-zero ! ! ip cef ! ! username example password 0 example ! ! crypto isakmp policy 3 authentication pre-share group 2 crypto isakmp xauth timeout 90 ! crypto isakmp client configuration group PerUserAAA key cisco pool dpool crypto aaa attribute list per-group ! crypto isakmp profile vi match identity group PerUserAAA isakmp authorization list default client configuration address respond client configuration group PerUserAAA virtual-template 1 ! ! crypto ipsec transform-set set esp-3des esp-sha-hmac ! crypto ipsec profile vi set transform-set set set isakmp-profile vi ! ! interface GigabitEthernet0/0 description 'EzVPN Peer' ip address 192.168.1.1 255.255.255.128 duplex full speed 100 media-type rj45 no negotiation auto ! interface GigabitEthernet0/1 no ip address shutdown duplex auto speed auto media-type rj45 no negotiation auto interface Virtual-Template1 type tunnel ip unnumbered GigabitEthernet0/0 tunnel mode ipsec ipv4 tunnel protection ipsec profile vi ! ip local pool dpool 10.5.0.1 10.5.0.10 ip classless ! no ip http server no ip http secure-server ! ! ip access-list extended per-group-acl
Cisco IOS Release: Multiple releases (see the Feature Information table)
25
permit tcp any any deny icmp any any logging alarm informational logging trap debugging ! control-plane ! gatekeeper shutdown ! line con 0 line aux 0 stopbits 1 line vty 0 4 ! ! end
Additional References
The following sections provide references related to IPsec virtual tunnel interface.
Related Documents
Related Topic IPsec, security issues Security commands VPN configuration Document Title Cisco IOS Security Configuration Guide Cisco IOS Security Command Reference Cisco IOS Easy VPN Server Cisco IOS Easy VPN Remote
Standards
Standard No new or modied standards are supported by this feature, and support for existing standards has not been modied by this feature. Title
MIBs
MIB No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature. MIBs Link To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
Cisco IOS Release: Multiple releases (see the Feature Information table)
26
RFCs
RFC RFC 2401 RFC 2408 RFC 2409 Title Security Architecture for the Internet Protocol Internet Security Association and Key Management Protocol The Internet Key Exchange (IKE)
Technical Assistance
Description Link The Cisco Technical Support & Documentation http://www.cisco.com/techsupport website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, tools, and technical documentation. Registered Cisco.com users can log in from this page to access even more content.
Command Reference
This section documents the following new and modified commands only.
crypto aaa attribute list crypto isakmp client configuration group show vtemplate interface virtual-template tunnel mode tunnel mode virtual-template
Cisco IOS Release: Multiple releases (see the Feature Information table)
27
Syntax Description
list-name
Command Default
Command Modes
Command History
Release 12.4(9)T
Usage Guidelines
There is no limit to the number of lists that can be defined (except for NVRAM storage limits).
Examples
The following example shows that per-user attributes have been defined on a local Easy VPN AAA server:
! aaa new-model ! ! aaa authentication login default local aaa authentication login noAAA none aaa authorization network default local ! aaa attribute list per-group attribute type inacl "per-group-acl" service ike protocol ip mandatory ! aaa session-id common ! resource policy ! ip subnet-zero ! ! ip cef ! ! username example password 0 example !
Cisco IOS Release: Multiple releases (see the Feature Information table)
28
! crypto isakmp policy 3 authentication pre-share group 2 crypto isakmp xauth timeout 90 ! crypto isakmp client configuration group PerUserAAA key cisco pool dpool crypto aaa attribute list per-group ! crypto isakmp profile vi match identity group PerUserAAA isakmp authorization list default client configuration address respond client configuration group PerUserAAA virtual-template 1 ! ! crypto ipsec transform-set set esp-3des esp-sha-hmac ! crypto ipsec profile vi set transform-set set set isakmp-profile vi ! ! interface GigabitEthernet0/0 description 'EzVPN Peer' ip address 192.168.1.1 255.255.255.128 duplex full speed 100 media-type rj45 no negotiation auto ! interface GigabitEthernet0/1 no ip address shutdown duplex auto speed auto media-type rj45 no negotiation auto interface Virtual-Template1 type tunnel ip unnumbered GigabitEthernet0/0 tunnel mode ipsec ipv4 tunnel protection ipsec profile vi ! ip local pool dpool 10.5.0.1 10.5.0.10 ip classless ! no ip http server no ip http secure-server ! ! ip access-list extended per-group-acl permit tcp any any deny icmp any any logging alarm informational logging trap debugging ! control-plane ! gatekeeper shutdown
Cisco IOS Release: Multiple releases (see the Feature Information table)
29
Related Commands
Cisco IOS Release: Multiple releases (see the Feature Information table)
30
Syntax Description
group-name default
Group definition that identifies which policy is enforced for users. Policy that is enforced for all users who do not offer a group name that matches a group-name argument. The default keyword can only be configured locally.
Command Defaults
Command Modes
Global configuration
Command History
Modification This command was introduced. The access-restrict, firewall are-u-there, group-lock, include-local-lan, and save-password commands were added. These commands are added during Mode Configuration. In addition, this command was modified so that output for this command will show that the preshared key is either encrypted or unencrypted. The backup-gateway, max-logins, max-users, and pfs commands were added. This command was integrated into Cisco IOS Release 12.2(18)SXD. The browser-proxy command was added. The firewall policy command was added. This command was integrated into Cisco IOS Release 12.2(33)SRA. The crypto aaa attribute list, dhcp-server and dhcp-timeout commands were added.
Usage Guidelines
Use the crypto isakmp client configuration group command to specify group policy information that needs to be defined or changed. You may wish to change the group policy on your router if you decide to connect to the client using a group ID that does not match the group-name argument.
Cisco IOS Release: Multiple releases (see the Feature Information table)
31
After enabling this command, which puts you in Internet Security Association Key Management Protocol (ISAKMP) group configuration mode, you can specify characteristics for the group policy using the following commands:
access-restrictTies a particular Virtual Private Network (VPN) group to a specific interface for access to the Cisco IOS gateway and the services it protects. aclConfigures split tunneling. auto-update-clientConfigures auto upgrade. backup-gatewayConfigures a server to push down a list of backup gateways to the client. These gateways are tried in order in the case of a failure of the previous gateway. The gateways may be specified using IP addresses or host names. bannerSpecifies a mode configuration banner. browser-proxyApplies a browser-proxy map to a group. configuration urlSpecifies on a server the URL an Easy VPN remote device must use to get a configuration in a Mode Configuration Exchange. configuration versionSpecifies on a server the version a Cisco Easy VPN remote device must use to get a particular configuration in a Mode Configuration Exchange. crypto aaa attribute listDefines a AAA attribute list of per-user attributes on a local Easy VPN server. dhcp serverConfigures multiple DHCP server entries. dhcp timeoutControls the wait time before the next DHCP server on the list is tried. dnsSpecifies the primary and secondary Domain Name Service (DNS) servers for the group. domainSpecifies group domain membership. firewall are-u-thereAdds the Firewall-Are-U-There attribute to the server group if your PC is running the Black Ice or Zone Alarm personal firewalls. firewall policySpecifies the CPP firewall policy push name for the crypto ISAKMP client configuration group on a local AAA server. group-lockUse if preshared key authentication is used with Internet Key Exchange (IKE). Allows you to enter your extended authentication (Xauth) username. The group delimiter is compared against the group identifier sent during IKE aggressive mode. include-local-lanConfigures the Include-Local-LAN attribute to allow a nonsplit-tunneling connection to access the local subnetwork at the same time as the client. keySpecifies the IKE preshared key when defining group policy information for Mode Configuration push. max-loginsLimits the number of simultaneous logins for users in a specific user group. max-usersLimits the number of connections to a specific server group. netmaskSubnet mask to be used by the client for local connectivity. pfsConfigures a server to notify the client of the central-site policy regarding whether PFS is required for any IPsec SA. Because the client device does not have a user interface option to enable or disable PFS negotiation, the server will notify the client device of the central site policy via this parameter. The Diffie-Hellman (D-H) group that is proposed for PFS will be the same that was negotiated in Phase 1 of the IKE negotiation. poolRefers to the IP local pool address used to allocate internal IP addresses to clients. save-passwordSaves your Xauth password locally on your PC.
Cisco IOS Release: Multiple releases (see the Feature Information table)
32
split-dnsSpecifies a list of domain names that must be tunneled or resolved to the private network. winsSpecifies the primary and secondary Windows Internet Naming Service (WINS) servers for the group.
Output for the crypto isakmp client configuration group command (using the key subcommand) will show that the preshared key is either encrypted or unencrypted. An output example for an unencrypted preshared key would be as follows:
crypto isakmp client configuration group key test
It is possible to mimic the functionality provided by some RADIUS servers for limiting the number of connections to a specific server group and also for limiting the number of simultaneous logins for users in that group. To limit the number of connections to a specific server group, use the max-users subcommand. To limit the number of simultaneous logins for users in the server group, use the max-logins subcommand. The following example shows the RADIUS attribute-value (AV) pairs for the maximum users and maximum logins parameters:
ipsec:max-users=1000 ipsec:max-logins=1
The max-users and max-logins commands can be enabled together or individually to control the usage of resources by any groups or individuals. If you use a RADIUS server, such as a CiscoSecure access control server (ACS), it is recommended that you enable this session control on the RADIUS server if the functionality is provided. In this way, usage can be controlled across a number of servers by one central repository. When enabling this feature on the router itself, only connections to groups on that specific device are monitored, and load-sharing scenarios are not accurately accounted for.
Examples
The following example shows how to define group policy information for Mode Configuration push. In this example, the first group name is cisco and the second group name is default. Thus, the default policy will be enforced for all users who do not offer a group name that matches cisco.
crypto isakmp client configuration group cisco key cisco dns 10.2.2.2 10.2.2.3 wins 10.6.6.6 domain cisco.com pool fred acl 199 ! crypto isakmp client configuration group default key cisco dns 10.2.2.2 10.3.2.3 pool fred acl 199
Related Commands
Cisco IOS Release: Multiple releases (see the Feature Information table)
33
Command access-restrict acl backup-gateway browser-proxy crypto isakmp keepalive dns firewall are-u-there firewall policy group-lock include-local-lan key (isakmp-group) max-logins max-users pool (isakmp-group) save-password set aggressive-mode client-endpoint
Description Ties a particular VPN group to a specific interface for access to the Cisco IOS gateway and the services it protects. Configures split tunneling. Configures a server to push down a list of backup gateways to the client. Applies browser-proxy parameter settings to a group. Adds the Firewall-Are-U-There attribute to the server group if your PC is running the Black Ice or Zone Alarm personal firewalls. Specifies the primary and secondary DNS servers. Adds the Firewall-Are-U-There attribute to the server group if your PC is running the Black Ice or Zone Alarm personal firewalls. Specifies the CPP firewall policy push name for the crypto ISAKMP client configuration group on a local AAA server. Allows you to enter your Xauth username, including the group name, when preshared key authentication is used with IKE. Configures the Include-Local-LAN attribute to allow a nonsplit-tunneling connection to access the local subnetwork at the same time as the client. Specifies the IKE preshared key for Group-Policy attribute definition. Limits the number of simultaneous logins for users in a specific server group. Limits the number of connections to a specific server group. Defines a local pool address. Saves your Xauth password locally on your PC. Specifies the Tunnel-Client-Endpoint attribute within an ISAKMP peer configuration.
Cisco IOS Release: Multiple releases (see the Feature Information table)
34
Syntax Description
Name of the user profile. To associate a user profile with the RADIUS server, the user profile name must be identified. (Optional) Name of a client accounting list.
Command Defaults
Command Modes
Global configuration
Command History
Modification This command was introduced. This command was integrated into Cisco IOS Release 12.2(18)SXD. Support for dynamic virtual tunnel interfaces was added. Support for IPv6 was added. This command was integrated into Cisco IOS Release 12.2(33)SRA.
Usage Guidelines
An ISAKMP profile can be viewed as a repository of Phase 1 and Phase 1.5 commands for a set of peers. The Phase 1 configuration includes commands to configure such things as keepalive, identity matching, and the authorization list. The Phase 1.5 configuration includes commands to configure such things as extended authentication (Xauth) and mode configuration. The peers are mapped to an ISAKMP profile when their identities are matched (as given in the identification [ID] payload of the Internet Key Exchange [IKE]) against the identities defined in the ISAKMP profile. To uniquely map to an ISAKMP profile, no two ISAKMP profiles should match the same identity. If the peer identity is matched in two ISAKMP profiles, the configuration is invalid. Also, there must be at least one match identity command defined in the ISAKMP profile for it to be complete. After enabling this command and entering ISAKMP profile configuration mode, you can configure the following commands:
accountingEnables authentication, authorization, and accounting (AAA) accounting. ca trust-pointSpecifies certificate authorities. clientSpecifies client configuration settings.
Cisco IOS Release: Multiple releases (see the Feature Information table)
35
defaultLists subcommands for the crypto isakmp profile command. descriptionSpecifies a description of this profile. initiate modeInitiates a mode. isakmp authorizationISAKMP authorization parameters. keepaliveSets a keepalive interval. keyringSpecifies a keyring. local-addressSpecifies the interface to use as the local address of this ISAKMP profile. matchMatches the values of the peer. qos-groupApplies a quality of service (QoS) policy class map for this profile. self-identitySpecifies the identity. virtual-templateSpecifies the virtual template for the dynamic interface. vrfSpecifies the Virtual Private Network routing and forwarding (VRF) instance to which the profile is related.
Use this command to audit multiple user sessions that are terminating on the IPSec gateway.
Note
The crypto isakmp profile command and the crypto map (global IPSec) command are mutually exclusive. If a profile is present (the crypto isakmp profile command has been used), with no accounting configured but with the global command present (the crypto isakmp profile command without the accounting keyword), accounting will occur using the attributes in the global command.
Dynamic Virtual Tunnel Interfaces
Support for dynamic virtual tunnel interfaces allows for the virtual profile to be mapped into a specified virtual template.
Examples
The following example shows how to define an ISAKMP profile and match the peer identities:
crypto isakmp profile vpnprofile match identity address 10.76.11.53
Cisco IOS Release: Multiple releases (see the Feature Information table)
36
isakmp authorization list cisco-client client configuration address respond accounting acc ! crypto dynamic-map dynamic 1 set transform-set aswan set isakmp-profile cisco reverse-route ! ! radius-server host 172.16.1.4 auth-port 1645 acct-port 1646 radius-server key nsite
Related Commands
Description Enters crypto map configuration mode and creates or modifies a crypto map entry, creates a crypto profile that provides a template for configuration of dynamically created crypto maps, or configures a client accounting list. Displays messages about IKE events. Matches an identity from a peer in an ISAKMP profile. Associates a tunnel interface with an IP Security (IPsec) profile. Specifies which virtual template to be used to clone virtual access interfaces.
Cisco IOS Release: Multiple releases (see the Feature Information table)
37
interface virtual-template
To create a virtual template interface that can be configured and applied dynamically in creating virtual access interfaces, use the interface virtual-template command in global configuration mode. To remove a virtual template interface, use the no form of this command. interface virtual-template number no interface virtual-template number
Syntax Description
number
Number used to identify the virtual template interface. Up to 200 virtual template interfaces can be configured.
Command Default
Command Modes
Global configuration
Command History
Modification This command was introduced. This command was enhanced to increase the maximum number of virtual template interfaces from 25 to 200. This command was integrated into Cisco IOS Release 12.2(28)SB. This command was integrated into Cisco IOS Release 12.2(33)SRA.
Usage Guidelines
A virtual template interface is used to provide the configuration for dynamically created virtual access interfaces. It is created by users and can be saved in NVRAM. After the virtual template interface is created, it can be configured in the same way as a serial interface. Virtual template interfaces can be created and applied by various applications such as virtual profiles, virtual private dialup networks (VPDNs), PPP over ATM, protocol translation, and Multichassis Multilink PPP (MMP).
Examples
The following example shows how to configure a virtual template for an IPsec virtual tunnel interface.
interface virtual-template1 type tunnel
Cisco IOS Release: Multiple releases (see the Feature Information table)
38
ip unnumbered Loopback1 tunnel mode ipsec ipv4 tunnel protection ipsec profile virtualtunnelinterface
Related Commands
Description Associates a tunnel interface with an IPsec profile. Sets the zone name for the connected AppleTalk network. Specifies the destination for a tunnel interface.
Cisco IOS Release: Multiple releases (see the Feature Information table)
39
show vtemplate
To display information about all configured virtual templates, use the show vtemplate command in privileged EXEC mode. show vtemplate
Syntax Description
Command Modes
Privileged EXEC
Command History
Modification This command was introduced on the Cisco 6400 NRP. This command was integrated into Cisco IOS Release 12.2(13)T. The show display was modified to display the interface type of the virtual template and to provide counters on a per-interface-type basis for IPsec virtual tunnel interfaces. This comand was integrated into Cisco IOS Release 12.2(33)SRA.
12.2(33)SRA
Examples
Cisco IOS Release: Multiple releases (see the Feature Information table)
40
Total create or clone requests: 0 Current request queue size: 0 Current free pending: 0 Maximum request duration: 0 msec Average request duration: 0 msec Last request duration: 0 msec Maximum processing duration: 0 msec Average processing duration: 0 msec Last processing duration: 0 msec Last processing duration:0 msec
Field Virtual access subinterface creation is globally... Active Interface Active Subinterface Subint Capable Pre-clone Available Pre-clone Limit Current in use Current free Total Cumulative created Cumulative freed Base virtual-access interfaces
Description The configured setting of the virtual-template command. Virtual access subinterface creation may be enabled or disabled. The number of virtual access interfaces that are cloned from the specified virtual template. The number of virtual access subinterfaces that are cloned from the specified virtual template. Specifies if the configuration of the virtual template is supported on the virtual access subinterface. The number of precloned virtual access interfaces currently available for use for the particular virtual template. The number of precloned virtual access interfaces available for that particular virtual template. The number of virtual access interfaces and subinterfaces that are currently in use. The number of virtual access interfaces and subinterfaces that are no longer in use. The total number of virtual access interfaces and subinterfaces that exist. The number of requests for a virtual access interface or subinterface that have been satisfied. The number of times that the application using the virtual access interface or subinterface has been freed. This field specifies the number of base virtual access interfaces. The base virtual access interface is used to create virtual access subinterfaces. There is one base virtual access interface per application that supports subinterfaces. A base virtual access interface can be identified from the output of the show interfaces virtual-access command. The number of requests that have been made through the asynchronous request API of the virtual template manager. The number of items in the virtual template manager work queue.
Cisco IOS Release: Multiple releases (see the Feature Information table)
41
Table 1
Description The number of virtual access interfaces whose final freeing is pending. These virtual access interfaces cannot currently be freed because they are still in use. The maximum time that it took from the time that the asynchronous request was made until the application was notified that the request was done. The average time that it took from the time that the asynchronous request was made until the application was notified that the request was done. The time that it took from the time that the asynchronous request was made until the application was notified that the request was done for the most recent request. The maximum time that the virtual template manager spent satisfying the request. The average time that the virtual template manager spent satisfying the request. The time that the virtual template manager spent satisfying the request for the most recent request.
Related Commands
Description Displays status, traffic data, and configuration information about a specified virtual access interface. Specifies which virtual template will be used to clone virtual access interfaces.
Cisco IOS Release: Multiple releases (see the Feature Information table)
42
tunnel mode
To set the encapsulation mode for the tunnel interface, use the tunnel mode command in interface configuration mode. To restore the default mode, use the no form of this command. tunnel mode {aurp | cayman | dvmrp | eon | gre | gre multipoint | gre ipv6 | ipip [decapsulate-any] | ipsec ipv4 | iptalk | ipv6 | ipsec ipv6 | mpls | nos | rbscp} no tunnel mode
Syntax Description
aurp cayman dvmrp eon gre gre multipoint gre ipv6 ipip decapsulate-any
AppleTalk Update-Based Routing Protocol. Cayman TunnelTalk AppleTalk encapsulation. Distance Vector Multicast Routing Protocol. EON compatible Connectionless Network Protocol (CLNS) tunnel. Generic routing encapsulation (GRE) protocol. This is the default. Multipoint GRE (mGRE). GRE tunneling using IPv6 as the delivery protocol. IP-over-IP encapsulation. (Optional) Terminates any number of IP-in-IP tunnels at one tunnel interface. This tunnel will not carry any outbound traffic; however, any number of remote tunnel endpoints can use a tunnel configured this way as their destination.
Tunnel mode is IPSec, and the transport is IPv4. Apple IPTalk encapsulation. Static tunnel interface configured to encapsulate IPv6 or IPv4 packets in IPv6. Tunnel mode is IPSec, and the transport is IPv6. Multiprotocol Label Switching (MPLS) encapsulation. KA9Q/NOS compatible IP over IP. Rate Based Satellite Control Protocol (RBSCP).
Command Defaults
GRE tunneling
Command Modes
Interface configuration
Command History
Modification This command was introduced. The aurp, dvmrp, and ipip keywords were added. The optional decapsulate-any keyword was added. The gre multipoint keyword was added.
Cisco IOS Release: Multiple releases (see the Feature Information table)
43
Release 12.3(7)T
gre ipv6 to support GRE tunneling using IPv6 as the delivery protocol. ipv6 to allow a static tunnel interface to be configured to encapsulate IPv6 or IPv4 packets in IPv6. rbscp to support RBSCP.
The ipsec ipv4 keyword was added. The gre multipoint keyword added. This command was integrated into Cisco IOS Release 12.2(30)S. The ipsec ipv6 keyword was added. This command was integrated into Cisco IOS Release 12.2(33)SRA.
Usage Guidelines
You cannot have two tunnels that use the same encapsulation mode with exactly the same source and destination address. The workaround is to create a loopback interface and source packets off of the loopback interface.
Cayman Tunneling
Designed by Cayman Systems, Cayman tunneling implements tunneling to enable Cisco routers to interoperate with Cayman GatorBoxes. With Cayman tunneling, you can establish tunnels between two routers or between a Cisco router and a GatorBox. When using Cayman tunneling, you must not configure the tunnel with an AppleTalk network address.
DVMRP
Use DVMRP when a router connects to an mrouted (multicast) router to run DVMRP over a tunnel. You must configure Protocol Independent Multicast (PIM) and an IP address on a DVMRP tunnel.
GRE with AppleTalk
GRE tunneling can be done between Cisco routers only. When using GRE tunneling for AppleTalk, you configure the tunnel with an AppleTalk network address. Using the AppleTalk network address, you can ping the other end of the tunnel to check the connection.
Multipoint GRE
After enabling mGRE tunneling, you can enable the tunnel protection command, which allows you to associate the mGRE tunnel with an IPSec profile. Combining mGRE tunnels and IPSec encryption allows a single mGRE interface to support multiple IPSec tunnels, thereby simplifying the size and complexity of the configuration.
Note
GRE tunnel keepalives configured using the keepalive command under a GRE interface are supported only on point-to-point GRE tunnels.
RBSCP
RBSCP tunneling is designed for wireless or long-distance delay links with high error rates, such as satellite links. Using tunnels, RBSCP can improve the performance of certain IP protocols, such as TCP and IPSec, over satellite links without breaking the end-to-end model.
Cisco IOS Release: Multiple releases (see the Feature Information table)
44
IPv6 IPSec encapsulation provides site-to-site IPSec protection of IPv6 unicast and multicast traffic. This feature allows IPv6 routers to work as a security gateway, establishes IPSec tunnels between another security gateway router, and provides crypto IPSec protection for traffic from an internal network when being transmitting across the public IPv6 Internet. IPv6 IPSec is very similar to the security gateway model using IPv4 IPsec protection.
Examples
Cayman Tunneling
GRE Tunneling
The following example shows how to configure a tunnel using IPSec encapsulation with IPv4 as the transport mechanism:
Router(config)# crypto ipsec profile PROF Router(config)# set transform tset ! Router(config)# interface Tunnel0 Router(config-if)# ip address 10.1.1.1 255.255.255.0 Router(config-if)# tunnel mode ipsec ipv4 Router(config-if)# tunnel source Loopback0 Router(config-if)# tunnel destination 172.16.1.1 Router(config-if)# tunnel protection ipsec profile PROF
The following example shows how to configure an IPv6 IPSec tunnel interface:
Router(config)# interface tunnel 0 Router(config-if)# ipv6 address 2001:0DB8:1111:2222::2/64 Router(config-if)# tunnel destination 10.0.0.1 Router(config-if)# tunnel source Ethernet 0/0 Router(config-if)# tunnel mode ipsec ipv6 Router(config-if)# tunnel protection ipsec profile profile1
Cisco IOS Release: Multiple releases (see the Feature Information table)
45
RBSCP Tunneling
Related Commands
Description Sets the zone name for the connected AppleTalk network. Specifies the destination for a tunnel interface. Associates a tunnel interface with an IPSec profile. Sets the source address of a tunnel interface.
Cisco IOS Release: Multiple releases (see the Feature Information table)
46
virtual-template
To specify which virtual template will be used to clone virtual access interfaces, use the virtual-template command in VPDN group configuration mode. To remove the virtual template from a virtual private dial-up network (VPDN) group, use the no form of this command. virtual-template template-number no virtual-template
Syntax Description
template-number
Number of the virtual template that will be used to clone virtual access interfaces.
Command Defaults
Command Modes
Command History
Modification This command was introduced. This command was enhanced to enable PPPoE on ATM to accept dial-in PPP over Ethernet (PPPoE) sessions. This command was enhanced to allow IP per-user attributes to be applied to a Layer 2 Tunneling Protocol (L2TP) dial-out session.
Usage Guidelines
You must first enable a tunneling protocol on the VPDN group using the protocol (VPDN) command before you can enable the virtual-template command. Removing or modifying the protocol command will remove the virtual-template command from the VPDN group. Each VPDN group can clone only virtual access interfaces using one virtual template. If you enter a second virtual-template command on a VPDN group, it will replace the first virtual-template command. Table 1 lists the VPDN group commands under which the virtual-template command can be entered. Entering the VPDN group command starts VPDN group configuration mode. The table includes the command-line prompt for the VPDN group configuration mode and the type of service configured.
Table 2 VPDN Subgroups
Cisco IOS Release: Multiple releases (see the Feature Information table)
47
When the virtual-template command is entered under a request-dialout VPDN subgroup, IP and other per-user attributes can be applied to an L2TP dial-out session from an LNS. Before this command was enhanced, IP per-user configurations from authentication, authorization, and accounting (AAA) servers were not supported; the IP configuration would come from the dialer interface defined on the router. The enhanced virtual-template command works in a way similar to configuring virtual profiles and L2TP dial-in. The L2TP virtual access interface is first cloned from the virtual template, which means that configurations from the virtual template interface will be applied to the L2TP virtual access interface. After authentication, the AAA per-user configuration is applied to the virtual access interface. Because AAA per-user attributes are applied only after the user has been authenticated, the LNS must be configured to authenticate the dial-out user (configuration authentication is needed for this command). With the enhanced virtual-template command, all software components can now use the configuration present on the virtual access interface rather than what is present on the dialer interface. For example, IP Control Protocol (IPCP) address negotiation uses the local address of the virtual access interface as the router address while negotiating with the peer.
Examples
The following example enables the LNS to accept an L2TP tunnel from an L2TP access concentrator (LAC) named LAC2. A virtual access interface will be cloned from virtual template 1.
vpdn-group 1 accept-dialin protocol l2tp virtual-template 1 terminate-from hostname LAC2
The following example enables PPPoE on ATM to accept dial-in PPPoE sessions. A virtual access interface for the PPP session is cloned from virtual template 1.
vpdn-group 1 accept-dialin protocol pppoe virtual-template 1
The following partial example shows how to configure an LNS to support IP per-user configurations from a AAA server:
! vpdn enable vpdn search-order domain ! vpdn-group 1
. . .
request-dialout protocol l2tp rotary-group 1 virtual-template 1 initiate-to ip 10.0.1.194.2 local name lns l2tp tunnel password 7094F3$!5^3 source-ip 10.0.194.53 !
Cisco IOS Release: Multiple releases (see the Feature Information table)
48
IPsec Virtual Tunnel Interface Feature Information for IPsec Virtual Tunnel Interfaces
The previous configuration requires a AAA profile such as the following example to specify the per-user attributes:
5300-Router1-out Password = "cisco" Service-Type = Outbound cisco-avpair = "outbound:dial-number=5550121" 7200-Router1-1 Password = "cisco" Service-Type = Outbound cisco-avpair = "ip:route=10.17.17.1 255.255.255.255 Dialer1 100 name 5300-Router1" 5300-Router1 Password = "cisco" Service-Type = Framed Framed-Protocol = PPP cisco-avpair = "lcp:interface-config=ip unnumbered loopback 0" cisco-avpair = "ip:outacl#1=deny ip host 10.5.5.5 any log" cisco-avpair = "ip:outacl#2=permit ip any any" cisco-avpair = "ip:inacl#1=deny ip host 10.5.5.5 any log" cisco-avpair = "ip:inacl#2=permit ip any any" cisco-avpair = "multilink:min-links=2" Framed-Route = "10.5.5.6/32 Ethernet4/0" Framed-Route = "10.5.5.5/32 Ethernet4/0" Idle-Timeout = 100
Related Commands
Description Configures an LNS to accept tunneled PPP connections from a LAC and to create an accept-dialin VPDN subgroup. Specifies the Layer 2 Tunneling Protocol that the VPDN subgroup will use. Enables an LNS to request VPDN dial-out calls by using L2TP and to create a request-dialout VPDN subgroup. Defines a local, unique group number identifier.
Note
Table 3 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.
Cisco IOS Release: Multiple releases (see the Feature Information table)
49
IPsec Virtual Tunnel Interface Feature Information for IPsec Virtual Tunnel Interfaces
Table 3
Releases
12.3(7)T IPsec VTIs (VTIs) provide a routable interface type for 12.3(14)T terminating IPsec tunnels and an easy way to define 12.2(33)SRA protection between sites to form an overlay network. IPsec VTIs simplify configuration of IPsec for protection of remote links, support multicast, and simplify network management and load balancing. Static tunnel interfaces can be configured to encapsulate IPv6 or IPv4 packets in IPv6.
12.3(7)T 12.3(14)T
Dynamic VTIs provide efficiency in the use of IP addresses and provide secure connectivity. Dynamic VTIs allow dynamically downloadable per-group and per-user policies to be configured on a RADIUS server. The per-group or per-user definition can be created using Xauth User or Unity group, or it can be derived from a certificate. Dynamic VTIs are standards based, so interoperability in a multiple-vendor environment is supported. IPsec dynamic VTIs allow you to create highly secure connectivity for remote access VPNs and can be combined with Cisco Architecture for Voice, Video, and Integrated Data (AVVID) to deliver converged voice, video, and data over IP networks. The dynamic VTI simplifies VRF-aware IPsec deployment. The VRF is configured on the interface. This feature provides per-user attribute support on an Easy VPN server. The following sections provide information about this feature: Per-User Attribute Support for Easy VPN Servers section on page 7 The following commands were added or modified by this feature: crypto aaa attribute list and crypto isakmp client configuration group.
12.4(9)T
CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0601R)
Cisco IOS Release: Multiple releases (see the Feature Information table)
50
IPsec Virtual Tunnel Interface Feature Information for IPsec Virtual Tunnel Interfaces
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental. 2005, 2006 Cisco Systems, Inc. All rights reserved.
Cisco IOS Release: Multiple releases (see the Feature Information table)
51
IPsec Virtual Tunnel Interface Feature Information for IPsec Virtual Tunnel Interfaces
Cisco IOS Release: Multiple releases (see the Feature Information table)
52