Fragmentation is not supported over an IPsec tunnel. Either set a lower MTU on the hosts to avoid fragmented packets, or fragment the packets on a device upstream before they reach the ASR 920.
IPsec Transform Set
The IPsec transform set must be configured in tunnel mode only.
The Internet Key Exchange (IKE) security association (SA) is bound to the VTI. Therefore, the same IKE SA cannot be used for a crypto map.
IPsec SA Traffic
By default, static VTIs (SVTIs) support only a single IPsec SA, which is attached to the virtual tunnel interface. The traffic selector for the IPsec SA is always “IP any any”.
From release 16.12.1, you can configure an Access Control List (ACL) and associate it with an SVTI to define traffic selectors other than the default “IP any any” selector. One IPsec SA is attached to the SVTI for each defined traffic selector. Do not define an ACL that selects “IP any any” traffic; use the default SVTI behaviour instead.
A dynamic VTI (DVTI) is also a point-to-point interface, but it can support multiple IPsec SAs. The DVTI can accept the multiple IPsec selectors proposed by the initiator.
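The following configuration is an added example and is not taken from the ASR 920 guide. It shows a transform set in the required tunnel mode (with the unsupported transport-mode form commented out for contrast), and an SVTI that narrows the traffic selector with an ACL. All names and addresses (TS-AES256, IPSEC-PROF, IKEV2-PROF, VTI-SELECTORS, 192.0.2.2, the 10.x and 172.16.x prefixes) are constructed, the IKEv2 profile is assumed to be configured elsewhere, and the `tunnel protection ipsec policy ipv4` line is the assumed syntax for attaching the selector ACL on 16.12.1 and later.

```cisco
! Added example, not from the ASR 920 guide. Names and addresses are constructed.
! The IKEv2 keyring/policy/profile (IKEV2-PROF) is assumed to exist already.
!
! Transform set: VTIs require tunnel mode.
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Not valid for a VTI (transport mode), shown only for contrast:
! crypto ipsec transform-set TS-TRANSPORT esp-aes 256 esp-sha256-hmac
!  mode transport
!
crypto ipsec profile IPSEC-PROF
 set transform-set TS-AES256
 set ikev2-profile IKEV2-PROF
!
! Optional (16.12.1 and later): traffic selectors narrower than "IP any any".
! One IPsec SA is built per entry. Do not add a "permit ip any any" entry here;
! leave the ACL off entirely to get the default single "IP any any" SA.
ip access-list extended VTI-SELECTORS
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
 permit ip 10.1.0.0 0.0.255.255 10.3.0.0 0.0.255.255
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 192.0.2.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF
 ! Assumed syntax for attaching the selector ACL (constructed example).
 tunnel protection ipsec policy ipv4 VTI-SELECTORS
```

With the ACL attached, `show crypto ipsec sa` on the device lists one SA pair per ACL entry instead of the single "any any" pair; removing the `policy ipv4` line returns the interface to the default behaviour described above.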
Traffic Selector Narrowing Down
VTIs do not support traffic selector narrowing down.
IPv4 and IPv6 Packets
SVTIs can be configured to encapsulate IPv4 packets or IPv6 packets, but IPv4 packets cannot carry IPv6 packets and IPv6 packets cannot carry IPv4 packets.
SVTIs support only the “IP any any” proxy. DVTIs support multiple proxies, but do not allow mixing “any any” proxies with non-“any any” proxies. A DVTI permits only one type of proxy at a time: either a single “any any” proxy or multiple non-“any any” proxies.
failover is not supported with IPSec VTIs.
Static VTIs Versus GRE
The IPsec VTI is limited to IP unicast and multicast traffic only, as opposed to Generic Routing Encapsulation (GRE) tunnels, which have a wider application for IPsec
Single Template Model
In the single template model, the VPN routing and forwarding (VRF) instance is configured in the ISAKMP profile. In this model, each virtual access interface that is created belongs to the internal VRF (IVRF) specified in the ISAKMP profile. However, because the IP address of the virtual access interface is derived from the interface to which it is unnumbered, that IP address is not present in the virtual access routing table: the unnumbered interface does not belong to the IVRF routing table of the virtual access interface. In such cases, a ping to the virtual access IP address fails.
Do not configure when using the tunnel mode ipsec ipv4 command for IPsec IPv4 mode.
The traceroute function with crypto offload on VTIs is not supported.
Virtual Template Lock
The virtual template lock (CSCtt26236) allows you to modify or delete a virtual template of type tunnel only when the virtual template is not associated with any cloned virtual access interfaces. The lock prevents dynamic command updates from propagating from a virtual template to its cloned virtual access interfaces, which can cause instability in some scenarios.
If you try to modify or delete an active virtual template of type tunnel, the following error is displayed:
Device(config)# interface virtual-template 1
% Virtual-template config is locked, active vaccess present
Although a virtual template cannot be modified while it is associated with a virtual access interface, you can change an existing virtual template configuration as follows:
Configure a new virtual template interface. For more information, see the Configuring Dynamic IPsec Virtual Tunnel Interfaces section.
Associate the new virtual template with the IKEv2 profile. For more information, see the IKEv2 Profile (Basic) module.
Clear the active sessions using the session command, or wait for session termination.
New sessions will use the new virtual template.
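The procedure above, worked through as an added example that is not part of the guide. Virtual-Template1 is assumed to be the locked, active template; Virtual-Template2, IKEV2-PROF, IPSEC-PROF, Loopback0 and the MTU value are constructed, and the IPsec and IKEv2 profiles are assumed to exist already. The exec-mode commands are shown as comments so the block remains a pure configuration fragment.

```cisco
! Added example, not from the ASR 920 guide. Names are constructed; IKEV2-PROF
! and IPSEC-PROF are assumed to exist already.
!
! Virtual-Template1 has cloned virtual-access interfaces and is therefore locked:
!   Device(config)# interface virtual-template 1
!   % Virtual-template config is locked, active vaccess present
!
! Step 1: create a new template that carries the desired change (here a smaller MTU).
interface Virtual-Template2 type tunnel
 ip unnumbered Loopback0
 ip mtu 1400
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF
!
! Step 2: point the IKEv2 profile at the new template. Existing sessions keep
! using Virtual-Template1; only new sessions are cloned from Virtual-Template2.
crypto ikev2 profile IKEV2-PROF
 virtual-template 2
!
! Step 3 (exec mode): clear the active sessions, or wait for them to terminate.
!   Device# clear crypto session
!
! Verification (exec mode): once no session references Virtual-Template1,
! it is unlocked and can be modified or removed.
!   Device# show crypto session
!   Device(config)# no interface Virtual-Template1
```

Clearing sessions drops live tunnels, so on a production device the "wait for session termination" alternative in the procedure is the less disruptive choice; the template change takes effect for each peer as it re-establishes its session.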
VPN routing and forwarding (VRF) must not be configured in the Internet Security Association and Key Management Protocol (ISAKMP) profile in VRF-aware IPsec configurations with either SVTIs or DVTIs. Instead, the VRF must be configured on the tunnel interface for SVTIs. For DVTIs, you must apply the VRF to the virtual template
You must include the VRF in the command when using the local address with VRF in the ISAKMP profile and
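The VRF placement described above, as an added example that is not from the guide: the inside VRF goes on the tunnel interface (SVTI) or on the virtual template (DVTI), and the ISAKMP profile carries no `vrf` statement. VRF names (IVRF, FVRF), interface numbers, the keyring KR, ISAKMP-PROF and all addresses are constructed, and IPSEC-PROF is assumed to be an existing IPsec profile. The loopback that the DVTI is unnumbered to is itself placed in IVRF so that its address is reachable from the virtual access routing table, which is the failure mode the Single Template Model section describes.

```cisco
! Added example, not from the ASR 920 guide. VRF names, interfaces, keyring and
! addresses are constructed; IPSEC-PROF is assumed to exist already.
!
vrf definition IVRF
 address-family ipv4
!
vrf definition FVRF
 address-family ipv4
!
! SVTI: inside VRF on the tunnel interface, front-door VRF via "tunnel vrf".
interface Tunnel10
 vrf forwarding IVRF
 ip address 172.16.10.1 255.255.255.252
 tunnel source GigabitEthernet0/0/1
 tunnel destination 192.0.2.10
 tunnel vrf FVRF
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF
!
! DVTI: the loopback the template is unnumbered to must be in the same VRF,
! otherwise the virtual-access address is absent from the IVRF routing table.
interface Loopback10
 vrf forwarding IVRF
 ip address 172.16.20.1 255.255.255.255
!
interface Virtual-Template3 type tunnel
 vrf forwarding IVRF
 ip unnumbered Loopback10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF
!
! ISAKMP profile: identity match and template only; no "vrf IVRF" statement here.
crypto isakmp profile ISAKMP-PROF
 keyring KR
 match identity address 192.0.2.10 255.255.255.255 FVRF
 virtual-template 3
```

A quick check after bringing the tunnel up is `show ip route vrf IVRF`, which should list the tunnel (or virtual access) interface and the loopback address; if the loopback were left in the global table, the ping failure described in the Single Template Model section would appear.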
IPsec Mixed Mode Support for VTIs
Mixed mode is not
tunnel protection ipsec