Advantages of Using SVTI Based VPNs

Starting in IOS 12.3T (some time ago now), Cisco began offering an alternative way to configure IOS based VPNs. This method is called SVTI, or static virtual tunnel interface. SVTI is one category of VTI and is essentially a configuration alternative for LAN to LAN VPNs. There is also a variant called DVTI, or dynamic virtual tunnel interface, which is an alternative for remote access VPNs. On the wire, SVTI based VPN packets look the same as traditional "crypto-map" based VPN traffic: IPSec tunnel mode ESP. The difference is that the configuration is based on a virtual interface rather than a crypto map applied to a physical interface, and this virtual interface gives some distinct advantages. Additionally, with this configuration the phase 2 SAs are negotiated with proxy identities of any/any (0.0.0.0/0 to 0.0.0.0/0, visible in show crypto ipsec sa) instead of a crypto ACL, so there is no per-flow match: any traffic routed through the virtual interface is encrypted according to the IPSec profile applied to it.

Before we get into the specific advantages, let's first look at a VTI configuration example. I created a very simple example in GNS3 that demonstrates the syntax of the configuration.

In this example, traffic sent between the loopbacks will be encrypted and tunnelled between the tunnel interfaces. The serial link (1.1.1.0/24) is the unprotected transport; EIGRP runs across Tunnel0, so each router learns the far loopback network through the tunnel, and that route is what steers the traffic into the encrypted path. Here is the relevant configuration.

//R1 Configuration
interface Serial0/0
 ip address 1.1.1.1 255.255.255.0

interface Loopback1
 ip address 192.168.1.1 255.255.255.0

//VPN Phase 1
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key Cisco12345 address 1.1.1.2

//Phase 2 Transform Set
crypto ipsec transform-set MyTunnel esp-3des esp-sha-hmac 

//IPSec Profile
crypto ipsec profile MyProf
 set transform-set MyTunnel 

//Tunnel Interface
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 tunnel source 1.1.1.1
 tunnel destination 1.1.1.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MyProf

//Routing Protocol--Yep it will work on this type of IPSec deployment
router eigrp 1
 network 10.0.0.0
 network 192.168.1.0

//R2 Configuration
interface Serial0/0
 ip address 1.1.1.2 255.255.255.0

interface Loopback1
 ip address 192.168.2.2 255.255.255.0

//VPN Phase 1
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key Cisco12345 address 1.1.1.1

//Phase 2 Transform Set
crypto ipsec transform-set MyTunnel esp-3des esp-sha-hmac 

//IPSec Profile
crypto ipsec profile MyProf
 set transform-set MyTunnel 

//Tunnel Interface
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 tunnel source 1.1.1.2
 tunnel destination 1.1.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MyProf

//Routing Protocol
router eigrp 1
 network 10.0.0.0
 network 192.168.2.0
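The lab above negotiates 3DES, SHA-1 and Diffie-Hellman group 2 (1024-bit MODP), with a guessable pre-shared key. Those were common defaults in 12.3T-era examples but are considered legacy today and should not be used for a new deployment. The following is an added example, not part of the original post, showing the same phase 1 policy, transform set and IPSec profile rebuilt with AES-256, SHA-256, DH group 14 and PFS. It assumes an IOS release that supports "hash sha256" in the ISAKMP policy and the esp-sha256-hmac transform (15.x trains do), and uses a placeholder key REPLACE-WITH-LONG-RANDOM-KEY that you would generate separately for each peer. Nothing else in the SVTI configuration changes; Tunnel0 still references MyProf.

```cisco
! Hardened replacement for the R1 phase 1 / phase 2 settings above (added example).
! Apply the same on R2 with the peer address 1.1.1.1 in the key line.
! Re-entering policy 1 and the same transform-set/profile names overwrites
! the weak 3DES / group 2 values from the lab configuration.
!
! Phase 1: AES-256, SHA-256, DH group 14 (2048-bit MODP), 8 hour lifetime
crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
!
! Pre-shared key: long, random and unique per peer (placeholder value, assumption)
crypto isakmp key REPLACE-WITH-LONG-RANDOM-KEY address 1.1.1.2
!
! Phase 2: AES-256 with SHA-256 integrity; tunnel mode is what a VTI expects
crypto ipsec transform-set MyTunnel esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Profile referenced by "tunnel protection" on Tunnel0. PFS forces a fresh
! DH exchange for each phase 2 re-key instead of reusing phase 1 keying material.
crypto ipsec profile MyProf
 set transform-set MyTunnel
 set pfs group14
 set security-association lifetime seconds 3600
!
! Verification once the tunnel is up:
!   show crypto isakmp sa        - phase 1 SA in state QM_IDLE
!   show crypto ipsec sa         - proxy identities 0.0.0.0/0 <-> 0.0.0.0/0, AES/SHA256
!   show crypto session detail   - interface Tunnel0, session status UP-ACTIVE
!   show interfaces Tunnel0      - line protocol follows the state of the IPSec SA
```

Both routers must offer the same policy and transform set; if one side is still on the 3DES values, phase 1 fails and Tunnel0 stays down, which is exactly the behavior a VTI gives you for free and a crypto map does not.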

So what are the advantages of this type of configuration? To address this question, we need to consider two alternative configurations. The first is a traditional crypto-map based configuration. Compared with it, the SVTI configuration gives us a virtual interface. This is a convenient and natural place to configure things like ACLs, QoS, NetFlow and other interface specific options, and it means the tunnel is treated as a routed hop: traffic is selected for encryption by the routing table rather than by a crypto ACL. It also lets us do NAT in a less complex manner, since the tunnel can simply be the NAT inside or outside interface. Another major benefit is the ability to send multicast traffic through the tunnel, which is what makes dynamic routing protocols such as EIGRP and OSPF work; the inability to do this is a serious limitation of traditional crypto-map IPSec. On the wire, everything still appears as ESP (IP protocol 50) packets, or UDP 4500 if NAT traversal is in play, exactly as with a crypto map, and there is no additional packet overhead compared with a crypto-map based configuration in tunnel mode.
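As an added example (not from the original post), here is what "interface specific options" look like in practice on R1: an inbound ACL on Tunnel0 that admits only EIGRP and the remote LAN, MTU and MSS clamping to make room for the ESP overhead, and NAT with the tunnel as the outside interface. The ACL is applied on the cleartext side of the tunnel, i.e. after decryption, which a crypto map cannot do without a separate access list on the physical interface. The 172.16.0.0/24 LAN on GigabitEthernet0/1, the 1400 byte MTU and the NAT access list are illustrative assumptions.

```cisco
! R1 additions (added example). Tunnel0 is the decrypted, routed side of the
! VPN, so interface features configured here see cleartext packets from R2.
!
! Only EIGRP from the tunnel subnet and traffic from R2's LAN are accepted;
! anything else arriving through the tunnel is dropped and logged.
ip access-list extended VPN-IN
 permit eigrp 10.0.0.0 0.0.0.255 any
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny ip any any log
!
! Hosts that should be translated when talking to the remote site
! (assumed local LAN 172.16.0.0/24, not part of the original lab)
ip access-list extended NAT-OVER-VPN
 permit ip 172.16.0.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! The tunnel interface carries the ACL, the MTU/MSS settings and the NAT role.
! 1400 leaves room for the ESP and outer IP headers; 1360 = 1400 - 40 bytes
! of IP and TCP headers (illustrative values).
interface Tunnel0
 ip access-group VPN-IN in
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nat outside
!
! Assumed local LAN interface
interface GigabitEthernet0/1
 ip address 172.16.0.1 255.255.255.0
 ip nat inside
!
! Overload onto the Tunnel0 address (10.0.0.1), which R2 already reaches
! as a connected route, so no extra routes need to be advertised.
ip nat inside source list NAT-OVER-VPN interface Tunnel0 overload
!
! Checks:
!   show ip access-lists VPN-IN   - hit counts on the permit and deny entries
!   show ip nat translations      - 172.16.0.x translated to 10.0.0.1
!   show ip eigrp neighbors       - R2 (10.0.0.2) learned via Tunnel0
```

The same commands on a crypto-map deployment would have to be applied to Serial0/0, where they would see encrypted ESP rather than the decrypted packets, which is why the virtual interface is the more natural policy point.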

The other configuration SVTIs should be compared to is GRE over IPSec. A GRE tunnel can be protected with the same tunnel protection profile and has basically the same advantages. Unlike VTI, GRE can additionally carry non IP traffic. The only disadvantage of GRE is the additional encapsulation: a GRE header (4 bytes when no optional fields are used) plus a 20 byte delivery IP header, which IPSec then protects. This results in larger packets and can slightly increase bandwidth requirements. Running the IPSec transform set in "transport" mode removes the second outer IP header that tunnel mode would add, so the GRE packet is only 4 bytes larger than the VTI equivalent, but the packets are still larger than with crypto-map or VTI based configurations.
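For comparison, here is R1 rewritten as GRE over IPSec, an added example that is not from the original post. The phase 1 settings are the ones from the lab; what changes is the tunnel mode (GRE/IP is the IOS default, so the "tunnel mode ipsec ipv4" line goes away) and the transform set, which is switched to transport mode so that ESP reuses the GRE delivery header instead of adding another outer IP header. The transform set and profile names are new and are assumptions.

```cisco
! R1 as GRE over IPSec (added example); phase 1 is unchanged from the SVTI lab.
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key Cisco12345 address 1.1.1.2
!
! Transport mode: ESP protects "GRE header + inner IP packet" and the GRE
! delivery header (1.1.1.1 -> 1.1.1.2) doubles as the outer IP header.
! Leaving this in tunnel mode would add a second 20 byte IP header.
crypto ipsec transform-set MyGreTunnel esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile MyGreProf
 set transform-set MyGreTunnel
!
! No "tunnel mode" line: GRE/IP is the default. Tunnel protection attaches
! the IPSec profile exactly as it does on the VTI.
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 tunnel source 1.1.1.1
 tunnel destination 1.1.1.2
 tunnel protection ipsec profile MyGreProf
!
! GRE carries multicast as well, so the routing protocol is unchanged.
router eigrp 1
 network 10.0.0.0
 network 192.168.1.0
!
! Check: "show crypto ipsec sa" now shows host-to-host proxy identities for
! protocol 47 (GRE), 1.1.1.1/32 <-> 1.1.1.2/32, instead of the 0.0.0.0/0
! identities that the VTI negotiates.
```

On the wire the result is still ESP, but each packet is 4 bytes longer than the VTI version (24 bytes longer if the transform set is left in tunnel mode), and the GRE header is now inside the protected payload, so the extra bytes also count toward the MTU budget on the tunnel.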

In summary, VTI is really cool for a few reasons. It gives us a simpler and more understandable configuration syntax. It simplifies NAT, ACLs and other interface specific configurations. Additionally, the ability to carry dynamic routing protocols is often a required feature. The main disadvantage of VTI is its limited platform support. Currently it is supported on Cisco IOS based devices. So for those of us who love the ASA, we can only wait and hope that this support will someday be added. (It eventually was: ASA software gained VTI support starting in release 9.7(1).)

About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.
This entry was posted in CCIE Security, Certification, Network, Security, Technology.

6 Responses to Advantages of Using SVTI Based VPNs

  1. Elvin Arias says:

    Another behavior is that the state of the SVTI is totally dependent on the IKE/IPsec phases respectively, so the SVTI interface will be up if everything is fine from the perspective of the hashing, encryption, and other IPsec parameters. Besides that, the tunnel is established as soon as the parameters are completed on the SVTI interface(s). This is something very important to note, since traditional "crypto-map"-based VPNs were more "reactive" from the traffic perspective than proactive (which in this case is immediately established). You can also use the "ip unnumbered" interface feature with this SVTI, which is good for environments where we need to reserve IP addressing space.

    Thanks for this article,

    Elvin

    • You know, that is a very good point. Crypto-map based IPSec is more like a policy to be applied to traffic flowing through an interface. SVTI truly functions as a virtual interface. I've always found the virtual interface easier to understand.

      • Elvin Arias says:

        Agreed. SVTIs are the best method to configure site-to-site VPNs and VERY small hub-and-spoke topologies (if it is bigger, DVTIs could be an option). SVTIs are like normal routing interfaces, since we can apply QoS, NetFlow, and other features.

        Waiting for more articles.

        Thanks,

        Elvin

  2. Pingback: Internets of Interest for 9th May 2012 — My EtherealMind

  3. Maiquel says:

    Hi Paul,
    The "crypto isakmp key Cisco12345 address 1.1.1.2" on the second router is wrong. It should be "crypto isakmp key Cisco12345 address 1.1.1.1".

    :D
