This document provides a sample configuration for enhanced Cisco® Easy VPN Server and Easy VPN Remote configuration using the IPSec Dynamic Virtual Tunnel Interface (DVTI). Cisco Easy VPN Remote is configured with User Extension Mode and is assigned a dynamic IP address from the Easy VPN Server. Cisco Easy VPN with DVTI configuration provides a routable interface for forwarding traffic based on IP routing tables. Cisco Easy VPN uses a virtual access interface, which is created during the initial configuration. The VPN traffic is forwarded to the virtual access interface for encryption and then sent out of the physical interface. This sample configuration also demonstrates the use of quality of service (QoS) with virtual tunnel interfaces.
Figure 1 shows the sample configuration.
Figure 1. Cisco Easy VPN Configuration with IPSec DVTI
Cisco Easy VPN with DVTI
Cisco DVTI is a new method that can be used by customers with Cisco Easy VPN for both the Server and Remote configuration. The tunnels provide an on-demand separate virtual access interface for each Easy VPN connection. The configuration of the virtual access interfaces is cloned from a virtual template configuration, which includes the IPSec configuration and any Cisco IOS
® Software feature configured on the virtual template interface, such as QoS, NetFlow, or access control lists (ACLs).
With IPSec DVTIs and Cisco Easy VPN, users can provide highly secure connectivity for remote-access VPNs that can be combined with Cisco AVVID (Architecture for Voice, Video and Integrated Data) to deliver converged voice, video, and data over IP networks.
• Simplifies Management: Customers can use the Cisco IOS virtual template to clone, on demand, new virtual access interfaces for IPSec, thus simplifying VPN configuration complexity, which translates into reduced costs. In addition, existing management applications now can monitor separate interfaces for different sites for monitoring purposes.
• Provides a Routable Interface: Cisco IPSec VTIs can support all types of IP routing protocols. Customers can use these capabilities to connect larger office environments, such as branch offices.
• Improves Scaling: IPSec VTIs use single security associations per site, which cover different types of traffic, enabling improved scaling.
• Offers Flexibility in Defining Features: An IPSec VTI is an encapsulation within its own interface. This offers flexibility of defining features for clear-text traffic on IPSec VTIs, and defining features for encrypted traffic on physical interfaces.
The Cisco Easy VPN with DVTI configuration provides a routable interface to selectively send traffic to different destinations, such as an Easy VPN concentrator, a different site-to-site peer, or the Internet. IPSec DVTI configuration does not require a static mapping of IPSec sessions to a physical interface. This allows for the flexibility of sending and receiving encrypted traffic on any physical interface, such as in the case of multiple paths. Traffic is encrypted when it is forwarded from or to the tunnel interface.
The traffic is forwarded to or from the tunnel interface by virtue of the IP routing table. Routes are dynamically learned during Internet Key Exchange (IKE) Mode Configuration and inserted into the routing table pointing to the DVTI. Dynamic IP routing can be used to propagate routes across the VPN. Using IP routing to forward the traffic to encryption simplifies the IPSec VPN configuration when compared with using ACLs with the crypto map in native IPSec configuration.
Before Cisco IOS Release 12.4(2)T, at the tunnel-up/tunnel-down transition, attributes that were pushed during the mode configuration had to be parsed and applied. When such attributes resulted in the configurations being applied on the interface, the existing configuration had to be overridden. With the Dynamic Virtual Tunnel Interface Support feature, the tunnel-up configuration can be applied to separate interfaces, making it easier to support separate features at tunnel-up time. Features that are applied to the traffic (before encryption) going into the tunnel can be separate from the features that are applied to traffic that is not going through the tunnel (for example, split-tunnel traffic and traffic leaving the device when the tunnel is not up).
When the Easy VPN negotiation is successful, the line protocol state of the virtual access interface gets changed to up. When the Easy VPN tunnel goes down because the security association expires or is deleted, the line protocol state of the virtual access interface changes to down.
The routing tables act as traffic selectors in an Easy VPN virtual interface configuration-that is, the routes replace the access list on the crypto map. In a virtual interface configuration, Easy VPN negotiates a single IPSec security association if the Easy VPN Server has been configured with an IPSec DVTI. This single security association is created regardless of the Easy VPN mode that is configured.
After the security association is established, routes that point to the virtual access interface are added to direct traffic to the corporate network. Easy VPN also adds a route to the VPN concentrator so that IPSec-encapsulated packets get routed to the corporate network. A default route that points to the virtual access interface is added in the case of a nonsplit mode. When the Easy VPN server "pushes" the split tunnel, the split tunnel subnet becomes the destination to which the routes that point to the virtual access are added. In either case, if the peer (VPN concentrator) is not directly connected, Easy VPN adds a route to the peer.
Note: Most routers that run the Cisco Easy VPN Client software have a default route configured. The default route that is configured must have a metric value greater than 1-Easy VPN adds a default route that has a metric value of 1. The route points to the virtual access interface so that all traffic is directed to the corporate network when the concentrator does not "push" the split tunnel attribute.
QoS can be used to improve the performance of different applications across the network. In this configuration, traffic shaping is used between the two sites to limit the total amount of traffic that should be transmitted between the sites. Additionally, the QoS configuration can support any combination of QoS features offered in Cisco IOS Software, to support any of the voice, video, or data applications.
A link to more information about IPSec DVTI is provided in the Related Information section of this document.
This guide provides a sample of Easy VPN configuration with DVTI configuration only. It does not cover the following configurations:
• Full security audit on the router. It is recommended that users run a Cisco Router and Security Device Manager (SDM) security audit in Wizard Mode to lock down and secure the router.
• An initial router configuration step is not shown in the steps. The full configuration is shown in the following section.
• This configuration guide enables split tunneling. The split tunneling is enabled on the hub by the ACL 101 command under the crypto isakmp client configuration mode. To disable the split tunneling on the remote, remove the ACL command from the Easy VPN Server. The spoke is configured with Port Address Translation (PAT) to provide connectivity over the Internet.
• This configuration uses User Extension Mode. For details on configuring this mode, please review Cisco Easy VPN Remote or Server documentations.
• This configuration does not include multicast.
DVTI is only supported in the context of Enhanced Easy VPN. Routing with DVTIs is not supported or recommended. A DVTI interface on the headend router cannot terminate on an SVTI interface on the remote peer. An SVTI interface can only terminate on another SVTI interface.
The sample configuration uses the following releases of the software and hardware:
The information presented in this document was created from devices in a specific lab environment. All of the devices started with a cleared (default) configuration. If you are working in a live network, it is imperative to understand the potential impact of any command before implementing it.