ipsec virtual tunnel interface

Corporate Headquarters:Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA

Copyright © 2005, 2006 Cisco Systems, Inc. All rights reserved.

IPsec Virtual Tunnel Interface

First Published: October 18, 2004Last Updated: August 1, 2006

IP security (IPsec) virtual tunnel interfaces (VTIs) provide a routable interface type for terminatingIPsec tunnels and an easy way to define protection between sites to form an overlay network. IPsec VTIssimplify configuration of IPsec for protection of remote links, support multicast, and simplify networkmanagement and load balancing.

Finding Feature Information in This Module

Your Cisco IOS software release may not support all of the features documented in this module. To reachlinks to specific feature documentation in this module and to see a list of the releases in which eachfeature is supported, use the“Feature Information for IPsec Virtual Tunnel Interfaces” section onpage 49.

Finding Support Information for Platforms and Cisco IOS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software imagesupport. Access Cisco Feature Navigator athttp://www.cisco.com/go/fn. You must have an account onCisco.com. If you do not have an account or have forgotten your username or password, click Cancel atthe login dialog box and follow the instructions that appear.

Contents• Restrictions for IPsec Virtual Tunnel Interface, page 2

• Information About IPsec Virtual Tunnel Interfaces, page 2

• How to Configure IPsec Virtual Tunnel Interfaces, page 8

• Configuration Examples for IPsec Virtual Tunnel Interfaces, page 13

• Additional References, page 26

• Command Reference, page 27

• Feature Information for IPsec Virtual Tunnel Interfaces, page 49

IPsec Virtual Tunnel Interface Restrictions for IPsec Virtual Tunnel Interface

2Cisco IOS Release: Multiple releases (see the Feature Information table)

Restrictions for IPsec Virtual Tunnel InterfaceIPsec Transform Set

The IPsec transform set must be configured in tunnel mode only.

IKE Security Association

The Internet Key Exchange (IKE) security association (SA) is bound to the VTI. Because IKE SA isbound to the VTI, the same IKE SA cannot be used for a crypto map.

Proxy

Static VTIs support only IP ANY ANY proxies.

Only one proxy is supported with VTI.

Dynamic VTIs, on the other hand, support more than one proxy.

QoS Traffic Shaping

The shaped traffic is process switched.

Stateful Failover

IPsec stateful failover is not supported with IPsec VTIs.

Tunnel Protection

Thesharedkeyword is not required and must not be configured when using thetunnel mode ipsec ipv4command for IPsec IPv4 mode.

Static VTIs Versus GRE Tunnels

The IPsec VTI is limited to IP unicast and multicast traffic only, as opposed to GRE tunnels, which havea wider application for IPsec implementation.

VRF-Aware IPsec Configuration

In VRF-aware IPsec configurations with either static or dynamic VTIs (DVTIs), the VRF mustnot beconfigured in the Internet Security Association and Key Management Protocol (ISAKMP) profile.Instead, the VRF must be configured on the tunnel interface for static VTIs. For DVTIs, you must applyVRF to the vtemplate using theip vrf forwarding command.

Information About IPsec Virtual Tunnel InterfacesThe use of IPsec VTIs both greatly simplifies the configuration process when you need to provideprotection for remote access and provides a simpler alternative to using generic routing encapsulation(GRE) or Layer 2 Tunneling Protocol (L2TP) tunnels for encapsulation and crypto maps with IPsec. Amajor benefit associated with IPsec VTIs is that the configuration does not require a static mapping ofIPsec sessions to a physical interface. The IPsec tunnel endpoint is associated with an actual (virtual)interface. Because there is a routable interface at the tunnel endpoint, many common interfacecapabilities can be applied to the IPsec tunnel.

The IPsec VTI allows for the flexibility of sending and receiving both IP unicast and multicast encryptedtraffic on any physical interface, such as in the case of multiple paths. Traffic is encrypted or decryptedwhen it is forwarded from or to the tunnel interface and is managed by the IP routing table. Dynamic orstatic IP routing can be used to route the traffic to the virtual interface. Using IP routing to forward the

IPsec Virtual Tunnel Interface Information About IPsec Virtual Tunnel Interfaces


traffic to the tunnel interface simplifies the IPsec VPN configuration compared to the more complexprocess of using access control lists (ACLs) with the crypto map in native IPsec configurations. DVTIsfunction like any other real interface so that you can apply quality of service (QoS), firewall, and othersecurity services as soon as the tunnel is active.

Without Virtual Private Network (VPN) Acceleration Module2+ (VAM2+) accelerating virtualinterfaces, the packet traversing an IPsec virtual interface is directed to the router processor (RP) forencapsulation. This method tends to be slow and has limited scalability. In hardware crypto mode, allthe IPsec VTIs are accelerated by the VAM2+ crypto engine, and all traffic going through the tunnel isencrypted and decrypted by the VAM2+.

The following sections provide details about the IPsec VTI:

• Benefits of Using IPsec Virtual Tunnel Interfaces, page 3

• Routing with IPsec Virtual Tunnel Interfaces, page 3

• Static Virtual Tunnel Interfaces, page 4

• Dynamic Virtual Tunnel Interfaces, page 4

• Dynamic Virtual Tunnel Interface Life Cycle, page 5

• Traffic Encryption with the IPsec Virtual Tunnel Interface, page 5

• Per-User Attribute Support for Easy VPN Servers, page 7

Benefits of Using IPsec Virtual Tunnel InterfacesIPsec VTIs allow you to configure a virtual interface to which you can apply features. Features forclear-text packets are configured on the VTI. Features for encrypted packets are applied on the physicaloutside interface.When IPsec VTIs are used, you can separate the application of features such as NAT,ACLs, and QoS and apply them to clear-text or encrypted text, or both. When crypto maps are used, thereis no simple way to apply encryption features to the IPsec tunnel.

Routing with IPsec Virtual Tunnel InterfacesBecause VITs are routable interfaces, routing plays an important role in the encryption process. Trafficis encrypted only if it is forwarded out of the VTI, and traffic arriving on the VTI is decrypted and isrouted accordingly. VTIs allow you to establish an encryption tunnel using a real interface as the tunnelendpoint. You can route to the interface or apply services such as QoS, firewalls, network addresstranslation, and Netflow statistics as you would to any other interface. You can monitor the interface,route to it, and it has an advantage over crypto maps because it is a real interface and provides thebenefits of any other regular Cisco IOS interface. In addition, the VTI encrypts traffic that is sent to it.

You can enable routing protocols on the tunnel interface so that routing information can be propagatedover the virtual tunnel. The router can establish neighbor relationships over the VTI. Multicast packetscan be encrypted, and interoperability with standard-based IPsec installations is possible because thestatic IPsec VTI will negotiate and acceptpermit IP ANY ANY proxies.

There are two types of VTI interfaces: static VTI (SVTIs) and dynamic VTI (DVTIs).



Static Virtual Tunnel InterfacesSVTI configurations can be used for site-to-site connectivity in which a tunnel provides always-onaccess between two sites. The advantage of using SVTIs as opposed to crypto map configurations is thatusers can enable dynamic routing protocols on the tunnel interface without the extra 4 bytes required forGRE headers, thus reducing the bandwidth for sending encrypted data.

Additionally, multiple Cisco IOS software features can be configured directly on the tunnel interfaceand on the physical egress interface of the tunnel interface. This direct configuration allows users to havesolid control on the application of the features in the pre- or post-encryption path.

Figure 1 illustrates how a static VTI is used.

Figure 1 IPsec Static VTI

The IPsec VTI supports native IPsec tunneling and exhibits most of the properties of a physical interface.

Dynamic Virtual Tunnel InterfacesDVTIs can provide highly secure and scalable connectivity for remote-access VPNs. The DVTItechnology replaces dynamic crypto maps and the dynamic hub-and-spoke method for establishingtunnels.

Dynamic VTIs can be used for both the server and remote configuration. The tunnels provide an on-demandseparate virtual access interface for each VPN session. The configuration of the virtual access interfacesis cloned from a virtual template configuration, which includes the IPsec configuration and anyCisco IOS software feature configured on the virtual template interface, such as QoS, NetFlow, or ACLs.

DVTIs function like any other real interface so that you can apply QoS, firewall, other security servicesas soon as the tunnel is active. QoS features can be used to improve the performance of variousapplications across the network. Any combination of QoS features offered in Cisco IOS software can beused to support voice, video, or data applications.

Dynamic VTIs provide efficiency in the use of IP addresses and provide secure connectivity. DynamicVTIs allow dynamically downloadable per-group and per-user policies to be configured on a RADIUSserver. The per-group or per-user definition can be created using extended authentication (Xauth) Useror Unity group, or it can be derived from a certificate. Dynamic VTIs are standards based, sointeroperability in a multiple-vendor environment is supported. IPsec dynamic VTIs allow you to create

12

79

61

Tunnel 0

192.168.100.0/30

192.168.2.0/24

.1

.1 .1

.2

192.168.1.0/24192.168.1.0/24 192.168.2.0/24192.168.2.0/24192.168.2.0/24



highly secure connectivity for remote access VPNs and can be combined with Cisco Architecture forVoice, Video, and Integrated Data (AVVID) to deliver converged voice, video, and data over IP networks.The dynamic VTI simplifies Virtual Private Network (VRF) routing and forwarding- (VRF-) aware IPsecdeployment. The VRF is configured on the interface.

A dynamic VTI requires minimal configuration on the router. A single virtual template can be configuredand cloned.

The dynamic VTI creates an interface for IPsec sessions and uses the virtual template infrastructure fordynamic instantiation and management of dynamic IPsec VTIs. The virtual template infrastructure isextended to create dynamic virtual-access tunnel interfaces. Dynamic VTIs are used in hub-and-spokeconfigurations. A single dynamic VTI can support several static VTIs. Decisions are made throughrouting updates.Figure 2 illustrates the dynamic VTI authentication path.

Figure 2 Dynamic IPsec VTI

The authentication shown inFigure 2 follows this path:

1. User 1 calls the router.

2. Router 1 authenticates User 1.

3. IPsec clones virtual access interface from virtual template interface.

Dynamic Virtual Tunnel Interface Life CycleIPsec profiles define policy for dynamic VTIs. The dynamic interface is created at the end ofIKE Phase 1 and IKE Phase 1.5. The interface is deleted when the IPsec session to the peer is closed.The IPsec session is closed when both IKE and IPsec SAs to the peer are deleted.

Traffic Encryption with the IPsec Virtual Tunnel InterfaceWhen an IPsec VTI is configured, encryption occurs in the tunnel. Traffic is encrypted when it isforwarded to the tunnel interface. Traffic forwarding is handled by the IP routing table, and dynamic orstatic IP routing can be used to route the traffic to the VTI. Using IP routing to forward the traffic to

1

2

3

3Single User Client

with ISDN Card

Single User Client

User 1Remote LAN Bridge/ Router

ISDN

DSL

Physicalinterface

Router

auth

Localauthorization

Virtualtemplateinterface

Virtualaccess

interface

1356

32



encryption simplifies the IPsec VPN configuration because the use of ACLs with a crypto map in nativeIPsec configurations is not required. The IPsec virtual tunnel also allows you to encrypt multicast trafficwith IPsec.

IPsec packet flow into the IPsec tunnel is illustrated inFigure 3.

Figure 3 Packet Flow into the IPsec Tunnel

After packets arrive on the inside interface, the forwarding engine switches the packets to the VTI, wherethey are encrypted. The encrypted packets are handed back to the forwarding engine, where they areswitched through the outside interface.

Figure 4 shows the packet flow out of the IPsec tunnel.

Outsideinterface

Forwardingengine

Cisco IOS router

VTIEncryption

IP

Clear-text IP packetsenter the router.

1.

4.

2.3. Packets are routedto virtual interface.

1279

59

Encrypted packets are forwarded to the forwarding engine.

Encrypted packetsare passed out of the physical outside interface.

Insideinterface

Insideinterface

Outsideinterface



Figure 4 Packet Flow out of the IPsec Tunnel

Per-User Attribute Support for Easy VPN ServersThe Per-User Attribute Support for Easy VPN Servers feature provides users with the ability to supportper-user atttributes on Easy VPN servers. These attributes are applied on the virtual access interface.

Local Easy VPN AAA Server

For a local Easy VPN AAA server, the per-user attributes can be applied at the group level or at the userlevel using the command-line interface (CLI).

To configure per-user attributes for a local Easy VPN server, see “Configuring Per-User Attributes on aLocal Easy VPN AAA Server.”

Remote Easy VPN AAA Server

Attribute value (AV) pairs can be defined on a remote Easy VPN AAA server as shown in this example:

cisco-avpair = “ip:outacl#101=permit tcp any any established

Per-User Attributes

The following per-user attributes are currently defined in the AAA server and are applicable to IPsec:

• inacl

• interface-config

• outacl

• route

• rte-fltr-in

Outsideinterface

Forwardingengine

Cisco IOS router

VTI

IP

IPsec encrypted packetsenter the router.

1.

4.

3.2.

1279

60

Forwarding engine determines it is a packet for us and sends it to IPsec for decryption.

Clear text packets are passed through physical interface.

Insideinterface

Insideinterface

Outsideinterface

IPsec decrypts the packets and associates to the VTI based on the SA information.

IPsecdecryption

IPsec Virtual Tunnel Interface How to Configure IPsec Virtual Tunnel Interfaces


• rte-fltr-out

• sub-policy-In

• sub-policy-Out

• policy-route

• prefix

How to Configure IPsec Virtual Tunnel Interfaces• Configuring Static IPsec Virtual Tunnel Interfaces, page 8

• Configuring Dynamic IPsec Virtual Tunnel Interfaces, page 10

• Configuring Per-User Attributes on a Local Easy VPN AAA Server, page 12

Configuring Static IPsec Virtual Tunnel InterfacesThis configuration shows how to configure a static IPsec VTI.

SUMMARY STEPS

1. enable

2. configure terminal

3. crypto IPsec profile profile-name

4. set transform-settransform-set-name

5. interface type number

6. ip addressaddress mask

7. tunnel mode ipsec ipv4

8. tunnel sourceinterface

9. tunnel destination ip-address

10. tunnel protection IPsec profileprofile-name [shared]



DETAILED STEPS

Command or Action Purpose

Step 1 enable

Example:Router> enable

Enables privileged EXEC mode.

• Enter your password if prompted.

Step 2 configure terminal

Example:Router# configure terminal

Enters global configuration mode.

Step 3 crypto IPsec profile profile-name

Example:Router(config)# crypto IPsec profile PROF

Defines the IPsec parameters that are to be used for IPsecencryption between two IPsec routers.

Step 4 set transform-set transform-set-name[ transform-set-name2 ... transform-set-name6 ]

Example:Router(config)# set transform-set tset

Specifies which transform sets can be used with the cryptomap entry.

Step 5 interface type number

Example:Router(config)# interface tunnel0

Specifies the interface on which the tunnel will beconfigured and enters interface configuration mode.

Step 6 ip address address mask

Example:Router(config-if)# ip address 10.1.1.1255.255.255.0

Specifies the IP address and mask.

Step 7 tunnel mode ipsec ipv4

Example:Router(config-if)# tunnel mode ipsec ipv4

Defines the mode for the tunnel.

Step 8 tunnel source interface

Example:Router(config-if)# tunnel source loopback0

Specifies the tunnel source as a loopback interface.



Configuring Dynamic IPsec Virtual Tunnel InterfacesThis task shows how to configure a dynamic IPsec VTI.

SUMMARY STEPS

1. enable


3. crypto IPsec profile profile-name

4. set transform-settransform-set-name

5. interface virtual-template number

6. tunnel modemode

7. tunnel protection IPsec profileprofile-name [shared]

8. exit

9. crypto isakamp profile profile-name

10. virtual-template template-number

DETAILED STEPS

Step 9 tunnel destination ip-address

Example:Router(config-if)# tunnel destination172.16.1.1

Identifies the IP address of the tunnel destination.

Step 10 tunnel protection IPsec profile profile-name[ shared ]

Example:Router(config-if)# tunnel protection IPsecprofile PROF

Associates a tunnel interface with an IPsec profile.



Step 1 enable









Step 3 crypto IPsec profile profile-name

Example:Router(config)# crypto IPsec profile PROF

Defines the IPsec parameters that are to be used for IPsecencryption between two IPsec routers.

Step 4 set transform-set transform-set-name[ transform-set-name2 ... transform-set-name6 ]

Example:Router(config)# set transform-set tset

Specifies which transform sets can be used with the cryptomap entry.

Step 5 interface virtual-template number

Example:Router(config)# interface virtual-template 2

Defines a virtual-template tunnel interface and entersinterface configuration mode.

Step 6 tunnel mode ipsec ipv4

Example:Router(config-if)# tunnel mode ipsec ipv4

Defines the mode for the tunnel.

Step 7 tunnel protection IPsec profile profile-name[ shared ]

Example:Router(config-if)# tunnel protection IPsecprofile PROF

Associates a tunnel interface with an IPsec profile.

Step 8 exit

Example:Router(config-if)# exit

Exits interface configuration mode.

Step 9 crypto isakamp profile profile-name

Example:Router(config)# crypto isakamp profile red

Defines the ISAKAMP profile to be used for the virtualtemplate.

Step 10 virtual-template template-number

Example:Router(config)# virtual-template 1

Specifies the virtual template attached to the ISAKAMPprofile.




Configuring Per-User Attributes on a Local Easy VPN AAA ServerTo configure per-user attributes on a local Easy VPN AAA server, perform the following steps.

SUMMARY STEPS

1. enable


3. aaa attribute list list-name

4. attribute type name value [serviceservice] [protocol protocol]

5. exit

6. crypto isakmp client configuration group group-name

7. crypto aaa attribute list list-name

DETAILED STEPS


Step 1 enable







Step 3 aaa attribute list list-name

Example:Router(config)# aaa attribute list list1

Defines a AAA attribute list locally on a router and entersattribute list configuration mode.

Step 4 attribute type name value [ service service ][ protocol protocol ]

Example:Router(config-attr-list)# attribute typeattribute xxxx service ike protocol ip

Defines an attribute type that is to be added to an attributelist locally on a router.

Step 5 exit

Example:Router(config-attr-list)# exit

Exits attribute list configuration mode.

IPsec Virtual Tunnel Interface Configuration Examples for IPsec Virtual Tunnel Interfaces


Configuration Examples for IPsec Virtual Tunnel InterfacesThe following examples are provided to illustrate configuration scenarios for IPsec VTIs:

• Static Virtual Tunnel Interface with IPsec: Example, page 13

• VRF-Aware Static Virtual Tunnel Interface: Example, page 16

• Static Virtual Tunnel Interface with QoS: Example, page 17

• Static Virtual Tunnel Interface with Virtual Firewall: Example, page 17

• Dynamic Virtual Tunnel Interface Easy VPN Server: Example, page 19

• Dynamic Virtual Tunnel Interface Easy VPN Client: Example, page 20

• VRF-Aware IPsec with Dynamic VTI: Example, page 22

• Dynamic Virtual Tunnel Interface with Virtual Firewall: Example, page 23

• Dynamic Virtual Tunnel Interface with QoS: Example, page 24

• Per-User Attributes on an Easy VPN Server: Example, page 24

Static Virtual Tunnel Interface with IPsec: ExampleThe following example configuration uses a preshared key for authentication between peers. VPN trafficis forwarded to the IPsec VTI for encryption and then sent out the physical interface. The tunnel onsubnet 10 checks packets for IPsec policy and passes them to the Crypto Engine (CE) for IPsecencapsulation.Figure 5 illustrates the IPsec VTI configuration.

Figure 5 VTI with IPsec

Step 6 crypto isakmp client configuration groupgroup-name

Example:Router (config)# crypto isakmp clientconfiguration group group1

Specifies to which group a policy profile will be defined andenters ISAKMP group configuration mode.

Step 7 crypto aaa attribute list list-name

Example:Router (config-isakmp-group)# crypto aaaattribute list listname1

Defines a AAA attribute list locally on a router.


10.0.35.21 10.0.36.21

C7206-3 C1750-17Server 1 Server 2

10.0.149.203 10.0.149.217

1279

43

Internet

Tunnel subnet10.0.51.0

Tunnel 0 Tunnel 0

VPN tunnel



C7206 Router Configurationversion 12.3

service timestamps debug datetimeservice timestamps log datetimehostname 7200-3no aaa new-modelip subnet-zeroip cefcontroller ISA 6/1!crypto isakmp policy 1encr 3desauthentication pre-sharegroup 2crypto isakmp key Cisco12345 address 0.0.0.0 0.0.0.0crypto IPsec transform-set T1 esp-3des esp-sha-hmaccrypto IPsec profile P1set transform-set T1!

interface Tunnel0 ip address 10.0.51.203 255.255.255.0 ip ospf mtu-ignore load-interval 30 tunnel source 10.0.149.203 tunnel destination 10.0.149.217 tunnel mode IPsec ipv4 tunnel protection IPsec profile P1!interface Ethernet3/0 ip address 10.0.149.203 255.255.255.0 duplex full!interface Ethernet3/3 ip address 10.0.35.203 255.255.255.0 duplex full!ip classlessip route 10.0.36.0 255.255.255.0 Tunnel0line con 0line aux 0line vty 0 4end

C1750 Router Configurationversion 12.3

hostname c1750-17no aaa new-modelip subnet-zeroip cefcrypto isakmp policy 1encr 3desauthentication pre-sharegroup 2

crypto isakmp key Cisco12345 address 0.0.0.0 0.0.0.0crypto IPsec transform-set T1 esp-3des esp-sha-hmaccrypto IPsec profile P1set transform-set T1



!interface Tunnel0 ip address 10.0.51.217 255.255.255.0 ip ospf mtu-ignore tunnel source 10.0.149.217 tunnel destination 10.0.149.203 tunnel mode ipsec ipv4 tunnel protection ipsec profile P1!interface FastEthernet0/0 ip address 10.0.149.217 255.255.255.0 speed 100 full-duplex!interface Ethernet1/0 ip address 10.0.36.217 255.255.255.0 load-interval 30 full-duplex!

ip classlessip route 10.0.35.0 255.255.255.0 Tunnel0line con 0line aux 0line vty 0 4end

Verifying the Results for the IPsec Static Virtual Tunnel Interface: Example

This section provides information that you can use to confirm that your configuration is workingproperly. In this display, Tunnel 0 is “up,” and the line protocol is “up.” If the line protocol is “down,”the session is not active.

Verifying the C7206 StatusRouter# show interface tunnel 0

Tunnel0 is up, line protocol is upHardware is TunnelInternet address is 10.0.51.203/24MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,reliability 255/255, txload 103/255, rxload 110/255Encapsulation TUNNEL, loopback not setKeepalive not setTunnel source 10.0.149.203, destination 10.0.149.217Tunnel protocol/transport IPsec/IP , key disabled, sequencing disabledTunnel TTL 255

Checksumming of packets disabled, fast tunneling enabledTunnel transmit bandwidth 8000 (kbps)Tunnel receive bandwidth 8000 (kbps)Tunnel protection via IPsec (profile "P1")Last input never, output never, output hang neverLast clearing of "show interface" counters neverInput queue: 1/75/0/0 (size/max/drops/flushes); Total output drops: 0Queueing strategy: fifoOutput queue: 0/0 (size/max)30 second input rate 13000 bits/sec, 34 packets/sec30 second output rate 36000 bits/sec, 34 packets/sec191320 packets input, 30129126 bytes, 0 no bufferReceived 0 broadcasts, 0 runts, 0 giants, 0 throttles



0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort59968 packets output, 15369696 bytes, 0 underruns0 output errors, 0 collisions, 0 interface resets0 output buffer failures, 0 output buffers swapped out

Router# show crypto session

Crypto session current statusInterface: Tunnel0Session status: UP-ACTIVEPeer: 10.0.149.217 port 500IKE SA: local 10.0.149.203/500 remote 10.0.149.217/500 ActiveIPsec FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0Active SAs: 4, origin: crypto map

Router# show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGPD - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter areaN1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2E1 - OSPF external type 1, E2 - OSPF external type 2i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2ia - IS-IS inter area, * - candidate default, U - per-user static routeo - ODR, P - periodic downloaded static routeGateway of last resort is not set10.0.0.0/8 is variably subnetted, 4 subnets, 2 masksC 10.0.35.0/24 is directly connected, Ethernet3/3S 10.0.36.0/24 is directly connected, Tunnel0C 10.0.51.0/24 is directly connected, Tunnel0C 10.0.149.0/24 is directly connected, Ethernet3/0

VRF-Aware Static Virtual Tunnel Interface: ExampleTo add VRF to the static VTI example, include theipvrf andip vrf forwarding commands to theconfiguration as shown in the following example.

C7206 Router Configurationhostname c7206..ip vrf sample-vti1 rd 1:1 route-target export 1:1 route-target import 1:1!..interface Tunnel0 ip vrf forwarding sample-vti1 ip address 10.0.51.217 255.255.255.0 tunnel source 10.0.149.217 tunnel destination 10.0.149.203 tunnel mode ipsec ipv4 tunnel protection ipsec profile P1..!end



Static Virtual Tunnel Interface with QoS: ExampleYou can apply any QoS policy to the tunnel endpoint by including theservice-policy statement underthe tunnel interface. The following example is policing traffic out the tunnel interface.

C7206 Router Configurationhostname c7206..class-map match-all VTI match any!policy-map VTI class VTI police cir 2000000 conform-action transmit exceed-action drop!..interface Tunnel0 ip address 10.0.51.217 255.255.255.0 tunnel source 10.0.149.217 tunnel destination 10.0.149.203 tunnel mode ipsec ipv4 tunnel protection ipsec profile P1 service-policy output VTI!..!end

Static Virtual Tunnel Interface with Virtual Firewall: ExampleApplying the virtual firewall to the static VTI tunnel allows traffic from the spoke to pass through thehub to reach the internet.Figure 6 illustrates a static VTI with the spoke protected inherently by thecorporate firewall.



Figure 6 Static VTI with Virtual Firewall

The basic static VTI configuration has been modified to include the virtual firewall definition.

C7206 Router Configurationhostname c7206..ip inspect max-incomplete high 1000000ip inspect max-incomplete low 800000ip inspect one-minute high 1000000ip inspect one-minute low 800000ip inspect tcp synwait-time 60ip inspect tcp max-incomplete host 100000 block-time 2ip inspect name IOSFW1 tcp timeout 300ip inspect name IOSFW1 udp!..interface GigabitEthernet0/1 description Internet Connection ip address 172.18.143.246 255.255.255.0 ip access-group 100 in ip nat outside!interface Tunnel0 ip address 10.0.51.217 255.255.255.0 ip nat inside ip inspect IOSFW1 in tunnel source 10.0.149.217 tunnel destination 10.0.149.203 tunnel mode ipsec ipv4 tunnel protection ipsec profile P1!ip classlessip route 0.0.0.0 0.0.0.0 172.18.143.1!ip nat translation timeout 120ip nat translation finrst-timeout 2ip nat translation max-entries 300000ip nat pool test1 10.2.100.1 10.2.100.50 netmask 255.255.255.0ip nat inside source list 110 pool test1 vrf test-vti1 overload!access-list 100 permit esp any anyaccess-list 100 permit udp any eq isakmp any

VirtualFirewall

C7206

1701

38

c1750

WebServer

Private NetworkInternet

10.0.149.203

10.0.149.217

10.0.51.217

10.0.51.203



access-list 100 permit udp any eq non500-isakmp anyaccess-list 100 permit icmp any anyaccess-list 110 deny esp any anyaccess-list 110 deny udp any eq isakmp anyaccess-list 110 permit ip any anyaccess-list 110 deny udp any eq non500-isakmp any!end

Dynamic Virtual Tunnel Interface Easy VPN Server: ExampleThe following example illustrates the use of the DVTI Easy VPN server, which serves as an IPsec remoteaccess aggregator. The client can be a home user running a Cisco VPN client or it can be a Cisco IOSrouter configured as an Easy VPN client.

C7206 Router Configurationhostname c7206!aaa new-modelaaa authentication login local_list localaaa authorization network local_list localaaa session-id common!ip subnet-zeroip cef!username cisco password 0 cisco123!controller ISA 1/1!crypto isakmp policy 1 encr 3des authentication pre-share group 2!crypto isakmp client configuration group group1 key cisco123 pool group1pool save-password!crypto isakmp profile vpn1-ra match identity group group1 client authentication list local_list isakmp authorization list local_list client configuration address respond virtual-template 1!crypto ipsec transform-set VTI-TS esp-3des esp-sha-hmac!crypto ipsec profile test-vti1 set transform-set VTI-TS!interface GigabitEthernet0/1 description Internet Connection ip address 172.18.143.246 255.255.255.0!interface GigabitEthernet0/2 description Internal Network ip address 10.2.1.1 255.255.255.0!



interface Virtual-Template1 type tunnel ip unnumbered Loopback0 ip virtual-reassembly tunnel mode ipsec ipv4 tunnel protection ipsec profile test-vti1!ip local pool group1pool 192.168.1.1 192.168.1.4ip classlessip route 0.0.0.0 0.0.0.0 172.18.143.1!end

Verifying the Results for the Dynamic Virtual Tunnel Interface Easy VPN Server: Example

The following examples show that a dynamic VTI has been configured for an Easy VPN server.

Router# show running-config interface Virtual-Access2

Building configuration...

Current configuration : 250 bytes!interface Virtual-Access2 ip unnumbered Loopback0 ip virtual-reassembly tunnel source 172.18.143.246 tunnel destination 172.18.143.208 tunnel mode ipsec ipv4 tunnel protection ipsec profile test-vti1 no tunnel protection ipsec initiateend


Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.2.1.10 to network 0.0.0.0

172.18.0.0/24 is subnetted, 1 subnetsC 172.18.143.0 is directly connected, GigabitEthernet0/1 192.168.1.0/32 is subnetted, 1 subnetsS 192.168.1.1 [1/0] via 0.0.0.0, Virtual-Access2 10.0.0.0/24 is subnetted, 1 subnetsC 10.2.1.0 is directly connected, GigabitEthernet0/2S* 0.0.0.0/0 [1/0] via 172.18.143.1

Dynamic Virtual Tunnel Interface Easy VPN Client: ExampleThe following example shows how you can set up a router as the Easy VPN client. This example usesbasically the same idea as the Easy VPN client that you can run from a PC to connect. In fact, theconfiguration of the Easy VPN server will work for the software client or the Cisco IOS client.

hostname c1841!



no aaa new-model!ip cef!username cisco password 0 cisco123!crypto ipsec client ezvpn CLIENT connect manual group group1 key cisco123 mode client peer 172.18.143.246 virtual-interface 1 username cisco password cisco123 xauth userid mode local!interface Loopback0 ip address 10.1.1.1 255.255.255.255!interface FastEthernet0/0 description Internet Connection ip address 172.18.143.208 255.255.255.0 crypto ipsec client ezvpn CLIENT!interface FastEthernet0/1 ip address 10.1.1.252 255.255.255.0 crypto ipsec client ezvpn CLIENT inside!interface Virtual-Template1 type tunnel ip unnumbered Loopback0!ip route 0.0.0.0 0.0.0.0 172.18.143.1!end

The client definition can be set up in many different ways. The mode specified with theconnectcommand can be automatic or manual. If the connect mode is set to manual, the IPsec tunnel has to beinitiated manually by a user.

Also note use of themode command. The mode can be client, network-extension, ornetwork-extension-plus. This example indicates client mode, which means that the client is given aprivate address from the server. Network-extension mode is different from client mode in that the clientspecifies for the server its attached private subnet. Depending on the mode, the routing table on eitherend will be slightly different. The basic operation of the IPSec tunnel remains the same, regardless ofthe specified mode.

Verifying the Results for the Dynamic Virtual Tunnel Interface Easy VPN Client: Example

The following examples illustrate different ways to display the status of the DVTI.

Router# show running-config interface Virtual-Access2


Current configuration : 148 bytes!interface Virtual-Access2 ip unnumbered Loopback1 tunnel source FastEthernet0/0 tunnel destination 172.18.143.246 tunnel mode ipsec ipv4end



Router# show running-config interface Loopback1


Current configuration : 65 bytes!interface Loopback1 ip address 192.168.1.1 255.255.255.255end


Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route

Gateway of last resort is 172.18.143.1 to network 0.0.0.0

10.0.0.0/32 is subnetted, 1 subnetsC 10.1.1.1 is directly connected, Loopback0 172.18.0.0/24 is subnetted, 1 subnetsC 172.18.143.0 is directly connected, FastEthernet0/0 192.168.1.0/32 is subnetted, 1 subnetsC 192.168.1.1 is directly connected, Loopback1S* 0.0.0.0/0 [1/0] via 172.18.143.1 [1/0] via 0.0.0.0, Virtual-Access2

Router# show crypto ipsec client ezvpn

Easy VPN Remote Phase: 6

Tunnel name : CLIENTInside interface list: FastEthernet0/1Outside interface: Virtual-Access2 (bound to FastEthernet0/0)Current State: IPSEC_ACTIVELast Event: SOCKET_UPAddress: 192.168.1.1Mask: 255.255.255.255Save Password: AllowedCurrent EzVPN Peer: 172.18.143.246

VRF-Aware IPsec with Dynamic VTI: ExampleThis example shows how to configure VRF-Aware IPsec to take advantage of the dynamic VTI:

hostname c7206..ip vrf test-vti1 rd 1:1 route-target export 1:1 route-target import 1:1!..interface Virtual-Template1 type tunnel ip vrf forwarding test-vti1



ip unnumbered Loopback0 ip virtual-reassembly tunnel mode ipsec ipv4 tunnel protection ipsec profile test-vti1!..end

Dynamic Virtual Tunnel Interface with Virtual Firewall: ExampleThe DVTI Easy VPN server can be configured behind a virtual firewall. Behind-the-firewallconfiguration allows users to enter the network, while the network firewall is protected fromunauthorized access. The virtual firewall uses Context-Based Access Control (CBAC) and NAT appliedto the Internet interface as well as to the virtual template.

hostname c7206..ip inspect max-incomplete high 1000000ip inspect max-incomplete low 800000ip inspect one-minute high 1000000ip inspect one-minute low 800000ip inspect tcp synwait-time 60ip inspect tcp max-incomplete host 100000 block-time 2ip inspect name IOSFW1 tcp timeout 300ip inspect name IOSFW1 udp!..interface GigabitEthernet0/1 description Internet Connection ip address 172.18.143.246 255.255.255.0 ip access-group 100 in ip nat outside!interface GigabitEthernet0/2 description Internal Network ip address 10.2.1.1 255.255.255.0!interface Virtual-Template1 type tunnel ip unnumbered Loopback0 ip nat inside ip inspect IOSFW1 in tunnel mode ipsec ipv4 tunnel protection ipsec profile test-vti1!ip classlessip route 0.0.0.0 0.0.0.0 172.18.143.1!ip nat translation timeout 120ip nat translation finrst-timeout 2ip nat translation max-entries 300000ip nat pool test1 10.2.100.1 10.2.100.50 netmask 255.255.255.0ip nat inside source list 110 pool test1 vrf test-vti1 overload!access-list 100 permit esp any anyaccess-list 100 permit udp any eq isakmp anyaccess-list 100 permit udp any eq non500-isakmp anyaccess-list 100 permit icmp any any



access-list 110 deny esp any anyaccess-list 110 deny udp any eq isakmp anyaccess-list 110 permit ip any anyaccess-list 110 deny udp any eq non500-isakmp any!end

Dynamic Virtual Tunnel Interface with QoS: ExampleYou can add QoS to the DVTI tunnel by applying the service policy to the virtual template. When thetemplate is cloned to make the virtual-access interface, the service policy will be applied there. Thefollowing example shows the basic DVTI configuration with QoS added.

hostname c7206..class-map match-all VTI match any!policy-map VTI class VTI police cir 2000000 conform-action transmit exceed-action drop!..interface Virtual-Template1 type tunnel ip vrf forwarding test-vti1 ip unnumbered Loopback0 ip virtual-reassembly tunnel mode ipsec ipv4 tunnel protection ipsec profile test-vti1 service-policy output VTI!..!end

Per-User Attributes on an Easy VPN Server: ExampleThe following example shows that per-user attributes have been configured on an Easy VPN server.

!

aaa new-model!!aaa authentication login default localaaa authentication login noAAA noneaaa authorization network default local!aaa attribute list per-group

attribute type inacl "per-group-acl" service ike protocol ip mandatory!aaa session-id common!resource policy



!ip subnet-zero!!ip cef!!username example password 0 example!!crypto isakmp policy 3

authentication pre-sharegroup 2

crypto isakmp xauth timeout 90!crypto isakmp client configuration group PerUserAAA

key ciscopool dpoolcrypto aaa attribute list per-group

!crypto isakmp profile vi

match identity group PerUserAAAisakmp authorization list defaultclient configuration address respondclient configuration group PerUserAAAvirtual-template 1

!!crypto ipsec transform-set set esp-3des esp-sha-hmac!crypto ipsec profile vi

set transform-set setset isakmp-profile vi

!!interface GigabitEthernet0/0

description 'EzVPN Peer'ip address 192.168.1.1 255.255.255.128duplex fullspeed 100media-type rj45no negotiation auto

!interface GigabitEthernet0/1

no ip addressshutdownduplex autospeed automedia-type rj45no negotiation auto

interface Virtual-Template1 type tunnelip unnumbered GigabitEthernet0/0tunnel mode ipsec ipv4tunnel protection ipsec profile vi

!ip local pool dpool 10.5.0.1 10.5.0.10ip classless!no ip http serverno ip http secure-server!!ip access-list extended per-group-acl

IPsec Virtual Tunnel Interface Additional References


permit tcp any anydeny icmp any any

logging alarm informationallogging trap debugging!control-plane!gatekeeper

shutdown!line con 0line aux 0

stopbits 1line vty 0 4!!end

Additional ReferencesThe following sections provide references related to IPsec virtual tunnel interface.

Related Documents

Standards

MIBs

Related Topic Document Title

IPsec, security issues Cisco IOS Security Configuration Guide

Security commands Cisco IOS Security Command Reference

VPN configuration Cisco IOS Easy VPN Server

Cisco IOS Easy VPN Remote

Standard TitleNo new or modified standards are supported by this fea-ture, and support for existing standards has not beenmodified by this feature.

—

MIB MIBs Link

No new or modified MIBs are supported by thisfeature, and support for existing MIBs has not beenmodified by this feature.

To locate and download MIBs for selected platforms, Cisco IOSreleases, and feature sets, use Cisco MIB Locator found at thefollowing URL:

http://www.cisco.com/go/mibs

http://www.cisco.com/go/mibs

IPsec Virtual Tunnel Interface Command Reference


RFCs

Technical Assistance

Command ReferenceThis section documents the following new and modified commands only.

• crypto aaa attribute list

• crypto isakmp client configuration group

• show vtemplate

• interface virtual-template

• tunnel mode

• tunnel mode

• virtual-template

RFC Title

RFC 2401 Security Architecture for the Internet Protocol

RFC 2408 Internet Security Association and Key Management Protocol

RFC 2409 The Internet Key Exchange (IKE)

Description Link

The Cisco Technical Support & Documentationwebsite contains thousands of pages of searchabletechnical content, including links to products,technologies, solutions, technical tips, tools, andtechnical documentation. Registered Cisco.com userscan log in from this page to access even more content.

http://www.cisco.com/techsupport

http://www.cisco.com/public/support/tac/home.shtml

IPsec Virtual Tunnel Interface crypto aaa attribute list


crypto aaa attribute listTo define an authentication, authorization, and accounting (AAA) attribute list of per-user attributes ona local Easy VPN server, use thecrypto aaa attribute list command in crypto isakmp groupconfiguration mode. To remove the AAA attribute list, use theno form of this command.

crypto aaa attribute list list-name

no crypto aaa attribute list list-name

Syntax Description

Command Default A local attribute list is not defined.

Command Modes Crypto isakmp group configuration

Command History

Usage Guidelines There is no limit to the number of lists that can be defined (except for NVRAM storage limits).

Examples The following example shows that per-user attributes have been defined on a local Easy VPN AAAserver:

!

aaa new-model!!aaa authentication login default localaaa authentication login noAAA noneaaa authorization network default local!aaa attribute list per-group

attribute type inacl "per-group-acl" service ike protocol ip mandatory!aaa session-id common!resource policy!ip subnet-zero!!ip cef!!username example password 0 example!

list-name Name of the local attribute list.

Release Modification

12.4(9)T This command was introduced.



!crypto isakmp policy 3

authentication pre-sharegroup 2

crypto isakmp xauth timeout 90!crypto isakmp client configuration group PerUserAAA

key ciscopool dpoolcrypto aaa attribute list per-group

!crypto isakmp profile vi

match identity group PerUserAAAisakmp authorization list defaultclient configuration address respondclient configuration group PerUserAAAvirtual-template 1

!!crypto ipsec transform-set set esp-3des esp-sha-hmac!crypto ipsec profile vi

set transform-set setset isakmp-profile vi

!!interface GigabitEthernet0/0

description 'EzVPN Peer'ip address 192.168.1.1 255.255.255.128duplex fullspeed 100media-type rj45no negotiation auto

!interface GigabitEthernet0/1

no ip addressshutdownduplex autospeed automedia-type rj45no negotiation auto

interface Virtual-Template1 type tunnelip unnumbered GigabitEthernet0/0tunnel mode ipsec ipv4tunnel protection ipsec profile vi

!ip local pool dpool 10.5.0.1 10.5.0.10ip classless!no ip http serverno ip http secure-server!!ip access-list extended per-group-acl

permit tcp any anydeny icmp any any

logging alarm informationallogging trap debugging!control-plane!gatekeeper

shutdown



!line con 0line aux 0

stopbits 1line vty 0 4!!end

Related Commands Command Description

crypto isakmp clientconfiguration group

Specifies to which group a policy profile will be defined.

IPsec Virtual Tunnel Interface crypto isakmp client configuration group


crypto isakmp client configuration groupTo specify to which group a policy profile will be defined and to enter crypto ISAKMP groupconfiguration mode, use thecrypto isakmp client configuration group command in globalconfiguration mode. To remove this command and all associated subcommands from your configuration,use theno form of this command.

crypto isakmp client configuration group { group-name| default}

no crypto isakmp client configuration group

Syntax Description

Command Defaults No default behavior or values

Command Modes Global configuration

Command History

Usage Guidelines Use thecrypto isakmp client configuration group command to specify group policy information thatneeds to be defined or changed. You may wish to change the group policy on your router if you decideto connect to the client using a group ID that does not match thegroup-nameargument.

group-name Group definition that identifies which policy is enforced for users.

default Policy that is enforced for all users who do not offer a group name thatmatches agroup-nameargument. Thedefault keyword can only beconfigured locally.



12.3(2)T Theaccess-restrict, firewall are-u-there, group-lock, include-local-lan,andsave-password commands were added. These commands are addedduring Mode Configuration. In addition, this command was modified so thatoutput for this command will show that the preshared key is eitherencrypted or unencrypted.

12.3(4)T Thebackup-gateway, max-logins, max-users,andpfs commands wereadded.

12.2(18)SXD This command was integrated into Cisco IOS Release 12.2(18)SXD.

12.4(2)T Thebrowser-proxy command was added.

12.4(6)T Thefirewall policy command was added.

12.2(33)SRA This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.4(9)T Thecrypto aaa attribute list, dhcp-server anddhcp-timeout commandswere added.



After enabling this command, which puts you in Internet Security Association Key ManagementProtocol (ISAKMP) group configuration mode, you can specify characteristics for the group policyusing the following commands:

• access-restrict—Ties a particular Virtual Private Network (VPN) group to a specific interface foraccess to the Cisco IOS gateway and the services it protects.

• acl—Configures split tunneling.

• auto-update-client—Configures auto upgrade.

• backup-gateway—Configures a server to “push down” a list of backup gateways to the client.These gateways are tried in order in the case of a failure of the previous gateway. The gateways maybe specified using IP addresses or host names.

• banner—Specifies a mode configuration banner.

• browser-proxy—Applies a browser-proxy map to a group.

• configuration url —Specifies on a server the URL an Easy VPN remote device must use to get aconfiguration in a Mode Configuration Exchange.

• configuration version—Specifies on a server the version a Cisco Easy VPN remote device must useto get a particular configuration in a Mode Configuration Exchange.

• crypto aaa attribute list—Defines a AAA attribute list of per-user attributes on a local Easy VPNserver.

• dhcp server—Configures multiple DHCP server entries.

• dhcp timeout—Controls the wait time before the next DHCP server on the list is tried.

• dns—Specifies the primary and secondary Domain Name Service (DNS) servers for the group.

• domain—Specifies group domain membership.

• firewall are-u-there—Adds the Firewall-Are-U-There attribute to the server group if your PC isrunning the Black Ice or Zone Alarm personal firewalls.

• firewall policy —Specifies the CPP firewall policy push name for the crypto ISAKMP clientconfiguration group on a local AAA server.

• group-lock—Use if preshared key authentication is used with Internet Key Exchange (IKE). Allowsyou to enter your extended authentication (Xauth) username. The group delimiter is comparedagainst the group identifier sent during IKE aggressive mode.

• include-local-lan—Configures the Include-Local-LAN attribute to allow a nonsplit-tunnelingconnection to access the local subnetwork at the same time as the client.

• key—Specifies the IKE preshared key when defining group policy information for ModeConfiguration push.

• max-logins—Limits the number of simultaneous logins for users in a specific user group.

• max-users—Limits the number of connections to a specific server group.

• netmask—Subnet mask to be used by the client for local connectivity.

• pfs—Configures a server to notify the client of the central-site policy regarding whether PFS isrequired for any IPsec SA. Because the client device does not have a user interface option to enableor disable PFS negotiation, the server will notify the client device of the central site policy via thisparameter. The Diffie-Hellman (D-H) group that is proposed for PFS will be the same that wasnegotiated in Phase 1 of the IKE negotiation.

• pool—Refers to the IP local pool address used to allocate internal IP addresses to clients.

• save-password—Saves your Xauth password locally on your PC.



• split-dns—Specifies a list of domain names that must be tunneled or resolved to the private network.

• wins—Specifies the primary and secondary Windows Internet Naming Service (WINS) servers forthe group.

Output for thecrypto isakmp client configuration group command (using thekey subcommand) willshow that the preshared key is either encrypted or unencrypted. An output example for an unencryptedpreshared key would be as follows:

crypto isakmp client configuration group key test

An output example for a type 6 encrypted preshared key would be as follows:

crypto isakmp client configuration group

key 6 JK_JHZPeJV_XFZTKCQFYAAB

Session Monitoring and Limiting for Easy VPN Clients

It is possible to mimic the functionality provided by some RADIUS servers for limiting the number ofconnections to a specific server group and also for limiting the number of simultaneous logins for usersin that group.

To limit the number of connections to a specific server group, use themax-userssubcommand. To limitthe number of simultaneous logins for users in the server group, use themax-logins subcommand.

The following example shows the RADIUS attribute-value (AV) pairs for the maximum users andmaximum logins parameters:

ipsec:max-users=1000ipsec:max-logins=1

Themax-usersandmax-loginscommands can be enabled together or individually to control the usageof resources by any groups or individuals.

If you use a RADIUS server, such as a CiscoSecure access control server (ACS), it is recommended thatyou enable this session control on the RADIUS server if the functionality is provided. In this way, usagecan be controlled across a number of servers by one central repository. When enabling this feature onthe router itself, only connections to groups on that specific device are monitored, and load-sharingscenarios are not accurately accounted for.

Examples The following example shows how to define group policy information for Mode Configuration push. Inthis example, the first group name is “cisco” and the second group name is “default.” Thus, the defaultpolicy will be enforced for all users who do not offer a group name that matches “cisco.”

crypto isakmp client configuration group cisco key cisco dns 10.2.2.2 10.2.2.3 wins 10.6.6.6 domain cisco.com pool fred acl 199!crypto isakmp client configuration group default key cisco dns 10.2.2.2 10.3.2.3 pool fred acl 199

Related Commands



Command Description

access-restrict Ties a particular VPN group to a specific interface for access to theCisco IOS gateway and the services it protects.

acl Configures split tunneling.

backup-gateway Configures a server to “push down” a list of backup gateways to the client.

browser-proxy Applies browser-proxy parameter settings to a group.

crypto isakmpkeepalive

Adds the Firewall-Are-U-There attribute to the server group if your PC isrunning the Black Ice or Zone Alarm personal firewalls.

dns Specifies the primary and secondary DNS servers.

domain (isakmp-group) Specifies the DNS domain to which a group belongs.

firewall are-u-there Adds the Firewall-Are-U-There attribute to the server group if your PC isrunning the Black Ice or Zone Alarm personal firewalls.

firewall policy Specifies the CPP firewall policy push name for the crypto ISAKMP clientconfiguration group on a local AAA server.

group-lock Allows you to enter your Xauth username, including the group name, whenpreshared key authentication is used with IKE.

include-local-lan Configures the Include-Local-LAN attribute to allow a nonsplit-tunnelingconnection to access the local subnetwork at the same time as the client.

key (isakmp-group) Specifies the IKE preshared key for Group-Policy attribute definition.

max-logins Limits the number of simultaneous logins for users in a specific servergroup.

max-users Limits the number of connections to a specific server group.

pool (isakmp-group) Defines a local pool address.

save-password Saves your Xauth password locally on your PC.

set aggressive-modeclient-endpoint

Specifies the Tunnel-Client-Endpoint attribute within an ISAKMP peerconfiguration.

IPsec Virtual Tunnel Interface crypto isakmp profile


crypto isakmp profileTo define an Internet Security Association and Key Management Protocol (ISAKMP) profile and to auditIP security (IPsec) user sessions, use thecrypto isakmp profile command in global configuration mode.To delete a crypto ISAKMP profile, use theno form of this command.

crypto isakmp profile profile-name[accounting aaa-list]

no crypto isakmp profile profile-name[accounting aaa-list]

Syntax Description

Command Defaults No profile exists if the command is not used.


Command History

Usage Guidelines Defining an ISAKMP Profile

An ISAKMP profile can be viewed as a repository of Phase 1 and Phase 1.5 commands for a set of peers.The Phase 1 configuration includes commands to configure such things as keepalive, identity matching,and the authorization list. The Phase 1.5 configuration includes commands to configure such things asextended authentication (Xauth) and mode configuration.

The peers are mapped to an ISAKMP profile when their identities are matched (as given in theidentification [ID] payload of the Internet Key Exchange [IKE]) against the identities defined in theISAKMP profile. To uniquely map to an ISAKMP profile, no two ISAKMP profiles should match thesame identity. If the peer identity is matched in two ISAKMP profiles, the configuration is invalid. Also,there must be at least onematch identity command defined in the ISAKMP profile for it to be complete.

After enabling this command and entering ISAKMP profile configuration mode, you can configure thefollowing commands:

• accounting—Enables authentication, authorization, and accounting (AAA) accounting.

• ca trust-point—Specifies certificate authorities.

• client—Specifies client configuration settings.

profile-name Name of the user profile. To associate a user profile with the RADIUSserver, the user profile name must be identified.

accounting aaa-list (Optional) Name of a client accounting list.



12.2(18)SXD This command was integrated into Cisco IOS Release 12.2(18)SXD.

12.4(2)T Support for dynamic virtual tunnel interfaces was added.

12.4(4)T Support for IPv6 was added.




• default—Lists subcommands for thecrypto isakmp profile command.

• description—Specifies a description of this profile.

• initiate mode—Initiates a mode.

• isakmp authorization—ISAKMP authorization parameters.

• keepalive—Sets a keepalive interval.

• keyring—Specifies a keyring.

• local-address—Specifies the interface to use as the local address of this ISAKMP profile.

• match—Matches the values of the peer.

• qos-group—Applies a quality of service (QoS) policy class map for this profile.

• self-identity—Specifies the identity.

• virtual-template—Specifies the virtual template for the dynamic interface.

• vrf —Specifies the Virtual Private Network routing and forwarding (VRF) instance to which theprofile is related.

Auditing IPSec User Sessions

Use this command to audit multiple user sessions that are terminating on the IPSec gateway.

Note Thecrypto isakmp profile command and thecrypto map (global IPSec)command are mutuallyexclusive. If a profile is present (thecrypto isakmp profile command has been used), with no accountingconfigured but with the global command present (thecrypto isakmp profile command without theaccounting keyword), accounting will occur using the attributes in the global command.

Dynamic Virtual Tunnel Interfaces

Support for dynamic virtual tunnel interfaces allows for the virtual profile to be mapped into a specifiedvirtual template.

Examples ISAKAMP Profile Matching Peer Identities Example

The following example shows how to define an ISAKMP profile and match the peer identities:

crypto isakmp profile vpnprofile match identity address 10.76.11.53

ISAKAMP Profile with Accounting Example

The following accounting example shows that an ISAKMP profile is configured:

aaa new-model!!aaa authentication login cisco-client group radiusaaa authorization network cisco-client group radiusaaa accounting network acc start-stop broadcast group radiusaaa session-id common!crypto isakmp profile ciscovrf ciscomatch identity group cclient

client authentication list cisco-client



isakmp authorization list cisco-clientclient configuration address respondaccounting acc

!crypto dynamic-map dynamic 1 set transform-set aswan set isakmp-profile cisco reverse-route!!radius-server host 172.16.1.4 auth-port 1645 acct-port 1646radius-server key nsite


crypto map (global IPsec) Enters crypto map configuration mode and creates or modifies a cryptomap entry, creates a crypto profile that provides a template forconfiguration of dynamically created crypto maps, or configures a clientaccounting list.

debug crypto isakmp Displays messages about IKE events.

match identity Matches an identity from a peer in an ISAKMP profile.

tunnel protection Associates a tunnel interface with an IP Security (IPsec) profile.

virtual template Specifies which virtual template to be used to clone virtual accessinterfaces.

IPsec Virtual Tunnel Interface interface virtual-template


interface virtual-templateTo create a virtual template interface that can be configured and applied dynamically in creating virtualaccess interfaces, use theinterface virtual-template command in global configuration mode. To removea virtual template interface, use theno form of this command.

interface virtual-template number

no interface virtual-template number

Syntax Description

Command Default No virtual template interface is defined.


Command History

Usage Guidelines A virtual template interface is used to provide the configuration for dynamically created virtual accessinterfaces. It is created by users and can be saved in NVRAM.

After the virtual template interface is created, it can be configured in the same way as a serial interface.

Virtual template interfaces can be created and applied by various applications such as virtual profiles,virtual private dialup networks (VPDNs), PPP over ATM, protocol translation, and MultichassisMultilink PPP (MMP).

Examples Virtual Template with PPP Authentication Example

The following example creates and configures virtual template interface 1:

interface virtual-template 1 type ethernet ip unnumbered ethernet 0 ppp multilink ppp authentication chap

IPsec Virtual Template Example

The following example shows how to configure a virtual template for an IPsec virtual tunnel interface.

interface virtual-template1 type tunnel

number Number used to identify the virtual template interface. Up to 200 virtual templateinterfaces can be configured.


11.2F This command was introduced.

12.2(4)T This command was enhanced to increase the maximum number of virtual templateinterfaces from 25 to 200.

12.2(28)SB This command was integrated into Cisco IOS Release 12.2(28)SB.


IPsec Virtual Tunnel Interface interface virtual-template


ip unnumbered Loopback1tunnel mode ipsec ipv4tunnel protection ipsec profile virtualtunnelinterface


tunnel protection Associates a tunnel interface with an IPsec profile.

virtual interface Sets the zone name for the connected AppleTalk network.

virtual template Specifies the destination for a tunnel interface.

IPsec Virtual Tunnel Interface show vtemplate


show vtemplateTo display information about all configured virtual templates, use theshow vtemplatecommand inprivileged EXEC mode.

show vtemplate

Syntax Description This command has no arguments or keywords.

Command Modes Privileged EXEC

Command History

Examples The following is sample output from theshow vtemplate command:

Router# show vtemplate

Virtual access subinterface creation is globally enabled

Active Active Subint Pre-clone Pre-clone Interface Interface Subinterface Capable Available Limit Type --------- ------------ ------- --------- --------- ---------Vt1 0 0 Yes -- -- SerialVt2 0 0 Yes -- -- SerialVt4 0 0 Yes -- -- SerialVt21 0 0 No -- -- TunnelVt22 0 0 Yes -- -- EtherVt23 0 0 Yes -- -- SerialVt24 0 0 Yes -- -- Serial

Usage Summary Interface Subinterface --------- ------------Current Serial in use 1 0Current Serial free 0 3Current Ether in use 0 0Current Ether free 0 0Current Tunnel in use 0 0Current Tunnel free 0 0Total 1 3

Cumulative created 8 4Cumulative freed 0 4

Base virtual access interfaces: 1


12.0(7)DC This command was introduced on the Cisco 6400 NRP.

12.2(13)T This command was integrated into Cisco IOS Release 12.2(13)T.

12.3(14)T The show display was modified to display the interface type of the virtualtemplate and to provide counters on a per-interface-type basis for IPsecvirtual tunnel interfaces.

12.2(33)SRA This comand was integrated into Cisco IOS Release 12.2(33)SRA.



Total create or clone requests: 0Current request queue size: 0Current free pending: 0

Maximum request duration: 0 msecAverage request duration: 0 msecLast request duration: 0 msec

Maximum processing duration: 0 msecAverage processing duration: 0 msecLast processing duration: 0 msecLast processing duration:0 msec

Table 1 describes the significant fields shown in the example.

Table 1 show vtemplate Field Descriptions

Field Description

Virtual access subinterfacecreation is globally...

The configured setting of thevirtual-template command. Virtualaccess subinterface creation may be enabled or disabled.

Active Interface The number of virtual access interfaces that are cloned from thespecified virtual template.

Active Subinterface The number of virtual access subinterfaces that are cloned from thespecified virtual template.

Subint Capable Specifies if the configuration of the virtual template is supported onthe virtual access subinterface.

Pre-clone Available The number of precloned virtual access interfaces currentlyavailable for use for the particular virtual template.

Pre-clone Limit The number of precloned virtual access interfaces available for thatparticular virtual template.

Current in use The number of virtual access interfaces and subinterfaces that arecurrently in use.

Current free The number of virtual access interfaces and subinterfaces that areno longer in use.

Total The total number of virtual access interfaces and subinterfaces thatexist.

Cumulative created The number of requests for a virtual access interface orsubinterface that have been satisfied.

Cumulative freed The number of times that the application using the virtual accessinterface or subinterface has been freed.

Base virtual-access interfaces This field specifies the number of base virtual access interfaces.The base virtual access interface is used to create virtual accesssubinterfaces. There is one base virtual access interface perapplication that supports subinterfaces. A base virtual accessinterface can be identified from the output of theshow interfacesvirtual-accesscommand.

Total create or clone requests The number of requests that have been made through theasynchronous request API of the virtual template manager.

Current request queue size The number of items in the virtual template manager work queue.



Related Commands

Current free pending The number of virtual access interfaces whose final freeing ispending. These virtual access interfaces cannot currently be freedbecause they are still in use.

Maximum request duration The maximum time that it took from the time that the asynchronousrequest was made until the application was notified that the requestwas done.

Average request duration The average time that it took from the time that the asynchronousrequest was made until the application was notified that the requestwas done.

Last request duration The time that it took from the time that the asynchronous requestwas made until the application was notified that the request wasdone for the most recent request.

Maximum processing duration The maximum time that the virtual template manager spentsatisfying the request.

Average processing duration The average time that the virtual template manager spent satisfyingthe request.

Last processing duration The time that the virtual template manager spent satisfying therequest for the most recent request.

Table 1 show vtemplate Field Descriptions (Continued)

Field Description

Command Description

show interfacesvirtual-access

Displays status, traffic data, and configuration information about a specifiedvirtual access interface.

virtual-template Specifies which virtual template will be used to clone virtual accessinterfaces.

IPsec Virtual Tunnel Interface tunnel mode


tunnel modeTo set the encapsulation mode for the tunnel interface, use thetunnel mode command in interfaceconfiguration mode. To restore the default mode, use theno form of this command.

tunnel mode{ aurp | cayman | dvmrp | eon | gre | gre multipoint | gre ipv6 | ipip[decapsulate-any] | ipsec ipv4| iptalk | ipv6 | ipsec ipv6 | mpls | nos | rbscp}

no tunnel mode

Syntax Description

Command Defaults GRE tunneling

Command Modes Interface configuration

Command History

aurp AppleTalk Update-Based Routing Protocol.

cayman Cayman TunnelTalk AppleTalk encapsulation.

dvmrp Distance Vector Multicast Routing Protocol.

eon EON compatible Connectionless Network Protocol (CLNS) tunnel.

gre Generic routing encapsulation (GRE) protocol. This is the default.

gre multipoint Multipoint GRE (mGRE).

gre ipv6 GRE tunneling using IPv6 as the delivery protocol.

ipip IP-over-IP encapsulation.

decapsulate-any (Optional) Terminates any number of IP-in-IP tunnels at one tunnel interface.

This tunnel will not carry any outbound traffic; however, any number of remotetunnel endpoints can use a tunnel configured this way as their destination.

ipsec ipv4 Tunnel mode is IPSec, and the transport is IPv4.

iptalk Apple IPTalk encapsulation.

ipv6 Static tunnel interface configured to encapsulate IPv6 or IPv4 packets in IPv6.

ipsec ipv6 Tunnel mode is IPSec, and the transport is IPv6.

mpls Multiprotocol Label Switching (MPLS) encapsulation.

nos KA9Q/NOS compatible IP over IP.

rbscp Rate Based Satellite Control Protocol (RBSCP).


10.0 This command was introduced.

10.3 Theaurp, dvmrp , andipip keywords were added.

11.2 The optionaldecapsulate-any keyword was added.

12.2(13)T Thegre multipoint keyword was added.



Usage Guidelines Source and Destination Address

You cannot have two tunnels that use the same encapsulation mode with exactly the same source anddestination address. The workaround is to create a loopback interface and source packets off of theloopback interface.

Cayman Tunneling

Designed by Cayman Systems, Cayman tunneling implements tunneling to enable Cisco routers tointeroperate with Cayman GatorBoxes. With Cayman tunneling, you can establish tunnels between tworouters or between a Cisco router and a GatorBox. When using Cayman tunneling, you must notconfigure the tunnel with an AppleTalk network address.

DVMRP

Use DVMRP when a router connects to an mrouted (multicast) router to run DVMRP over a tunnel. Youmust configure Protocol Independent Multicast (PIM) and an IP address on a DVMRP tunnel.

GRE with AppleTalk

GRE tunneling can be done between Cisco routers only. When using GRE tunneling for AppleTalk, youconfigure the tunnel with an AppleTalk network address. Using the AppleTalk network address, you canping the other end of the tunnel to check the connection.

Multipoint GRE

After enabling mGRE tunneling, you can enable thetunnel protection command, which allows you toassociate the mGRE tunnel with an IPSec profile. Combining mGRE tunnels and IPSec encryptionallows a single mGRE interface to support multiple IPSec tunnels, thereby simplifying the size andcomplexity of the configuration.

Note GRE tunnel keepalives configured using thekeepalive command under a GRE interface are supportedonly on point-to-point GRE tunnels.

RBSCP

RBSCP tunneling is designed for wireless or long-distance delay links with high error rates, such assatellite links. Using tunnels, RBSCP can improve the performance of certain IP protocols, such as TCPand IPSec, over satellite links without breaking the end-to-end model.

12.3(7)T The following keywords were added:

• gre ipv6 to support GRE tunneling using IPv6 as the delivery protocol.

• ipv6 to allow a static tunnel interface to be configured to encapsulateIPv6 or IPv4 packets in IPv6.

• rbscp to support RBSCP.

12.3(14)T Theipsec ipv4 keyword was added.

12.2(18)SXE Thegre multipoint keyword added.

12.2(30)S This command was integrated into Cisco IOS Release 12.2(30)S.

12.4(4)T Theipsec ipv6 keyword was added.





IPSec in IPv6 Transport

IPv6 IPSec encapsulation provides site-to-site IPSec protection of IPv6 unicast and multicast traffic.This feature allows IPv6 routers to work as a security gateway, establishes IPSec tunnels betweenanother security gateway router, and provides crypto IPSec protection for traffic from an internalnetwork when being transmitting across the public IPv6 Internet. IPv6 IPSec is very similar to thesecurity gateway model using IPv4 IPsec protection.

Examples Cayman Tunneling

The following example shows how to enable Cayman tunneling:

Router(config)# interface tunnel 0Router(config-if)# tunnel source ethernet 0Router(config-if)# tunnel destination 10.108.164.19Router(config-if)# tunnel mode cayman

GRE Tunneling

The following example shows how to enable GRE tunneling:

Router(config)# interface tunnel 0Router(config-if)# appletalk cable-range 4160-4160 4160.19Router(config-if)# appletalk zone EngineeringRouter(config-if)# tunnel source ethernet0Router(config-if)# tunnel destination 10.108.164.19Router(config-if)# tunnel mode gre


The following example shows how to configure a tunnel using IPSec encapsulation with IPv4 as thetransport mechanism:

Router(config)# crypto ipsec profile PROFRouter(config)# set transform tset!Router(config)# interface Tunnel0Router(config-if)# ip address 10.1.1.1 255.255.255.0Router(config-if)# tunnel mode ipsec ipv4Router(config-if)# tunnel source Loopback0Router(config-if)# tunnel destination 172.16.1.1Router(config-if)# tunnel protection ipsec profile PROF


The following example shows how to configure an IPv6 IPSec tunnel interface:

Router(config)# interface tunnel 0Router(config-if)# ipv6 address 2001:0DB8:1111:2222::2/64Router(config-if)# tunnel destination 10.0.0.1Router(config-if)# tunnel source Ethernet 0/0Router(config-if)# tunnel mode ipsec ipv6

Router(config-if)# tunnel protection ipsec profile profile1



Multipoint GRE Tunneling

The following example shows how to enable mGRE tunneling:

interface Tunnel0bandwidth 1000ip address 10.0.0.1 255.255.255.0

! Ensures longer packets are fragmented before they are encrypted; otherwise, the! receiving router would have to do the reassembly.

ip mtu 1416! Turns off split horizon on the mGRE tunnel interface; otherwise, EIGRP will not! advertise routes that are learned via the mGRE interface back out that interface.

no ip split-horizon eigrp 1no ip next-hop-self eigrp 1delay 1000

! Sets IPSec peer address to Ethernet interface’s public address.tunnel source Ethernet0tunnel mode gre multipoint

! The following line must match on all nodes that want to use this mGRE tunnel.tunnel key 100000tunnel protection ipsec profile vpnprof

RBSCP Tunneling

The following example shows how to enable RBSCP tunneling:

Router(config)# interface tunnel 0Router(config-if)# tunnel source ethernet 0Router(config-if)# tunnel destination 10.108.164.19Router(config-if)# tunnel mode rbscp


appletalk cable-range Enables an extended AppleTalk network.

appletalk zone Sets the zone name for the connected AppleTalk network.

tunnel destination Specifies the destination for a tunnel interface.

tunnel protection Associates a tunnel interface with an IPSec profile.

tunnel source Sets the source address of a tunnel interface.

IPsec Virtual Tunnel Interface virtual-template


virtual-templateTo specify which virtual template will be used to clone virtual access interfaces, use thevirtual-template command in VPDN group configuration mode. To remove the virtual template from avirtual private dial-up network (VPDN) group, use theno form of this command.

virtual-template template-number

no virtual-template

Syntax Description

Command Defaults No virtual template is enabled.

Command Modes VPDN group configuration

Command History

Usage Guidelines You must first enable a tunneling protocol on the VPDN group using theprotocol (VPDN) commandbefore you can enable thevirtual-template command. Removing or modifying theprotocol commandwill remove thevirtual-template command from the VPDN group.

Each VPDN group can clone only virtual access interfaces using one virtual template. If you enter asecondvirtual-template command on a VPDN group, it will replace the firstvirtual-templatecommand.

Table 1 lists the VPDN group commands under which thevirtual-template command can be entered.Entering the VPDN group command starts VPDN group configuration mode. The table includes thecommand-line prompt for the VPDN group configuration mode and the type of service configured.

template-number Number of the virtual template that will be used to clone virtual access interfaces.



12.1(1)T This command was enhanced to enable PPPoE on ATM to accept dial-in PPP overEthernet (PPPoE) sessions.

12.2(15)T This command was enhanced to allow IP per-user attributes to be applied to aLayer 2 Tunneling Protocol (L2TP) dial-out session.

Table 2 VPDN Subgroups

VPDN Group Command Command Mode Prompt Type of Service

accept-dialin router(config-vpdn-acc-in)# Tunnel server

request-dialout router(config-vpdn-req-ou)# L2TP network server (LNS)

IPsec Virtual Tunnel Interface virtual-template


When thevirtual-template command is entered under arequest-dialoutVPDN subgroup, IP and otherper-user attributes can be applied to an L2TP dial-out session from an LNS. Before this command wasenhanced, IP per-user configurations from authentication, authorization, and accounting (AAA) serverswere not supported; the IP configuration would come from the dialer interface defined on the router.

The enhancedvirtual-template command works in a way similar to configuring virtual profiles andL2TP dial-in. The L2TP virtual access interface is first cloned from the virtual template, which meansthat configurations from the virtual template interface will be applied to the L2TP virtual accessinterface. After authentication, the AAA per-user configuration is applied to the virtual access interface.Because AAA per-user attributes are applied only after the user has been authenticated, the LNS mustbe configured to authenticate the dial-out user (configuration authentication is needed for thiscommand).

With the enhancedvirtual-template command, all software components can now use the configurationpresent on the virtual access interface rather than what is present on the dialer interface. For example,IP Control Protocol (IPCP) address negotiation uses the local address of the virtual access interface asthe router address while negotiating with the peer.

Examples The following example enables the LNS to accept an L2TP tunnel from an L2TP access concentrator(LAC) named LAC2. A virtual access interface will be cloned from virtual template 1.

vpdn-group 1accept-dialin

protocol l2tpvirtual-template 1

terminate-from hostname LAC2

The following example enables PPPoE on ATM to accept dial-in PPPoE sessions. A virtual accessinterface for the PPP session is cloned from virtual template 1.

vpdn-group 1accept-dialin

protocol pppoevirtual-template 1

The following partial example shows how to configure an LNS to support IP per-user configurationsfrom a AAA server:

!vpdn enablevpdn search-order domain!vpdn-group 1...

request-dialoutprotocol l2tprotary-group 1virtual-template 1

initiate-to ip 10.0.1.194.2local name lnsl2tp tunnel password 7094F3$!5^3source-ip 10.0.194.53

!

IPsec Virtual Tunnel Interface Feature Information for IPsec Virtual Tunnel Interfaces


The previous configuration requires a AAA profile such as the following example to specify the per-userattributes:

5300-Router1-out Password = "cisco"Service-Type = Outboundcisco-avpair = "outbound:dial-number=5550121"

7200-Router1-1 Password = "cisco"Service-Type = Outboundcisco-avpair = "ip:route=10.17.17.1 255.255.255.255 Dialer1 100 name 5300-Router1"

5300-Router1 Password = "cisco"Service-Type = FramedFramed-Protocol = PPPcisco-avpair = "lcp:interface-config=ip unnumbered loopback 0"cisco-avpair = "ip:outacl#1=deny ip host 10.5.5.5 any log"cisco-avpair = "ip:outacl#2=permit ip any any"cisco-avpair = "ip:inacl#1=deny ip host 10.5.5.5 any log"cisco-avpair = "ip:inacl#2=permit ip any any"cisco-avpair = "multilink:min-links=2"Framed-Route = "10.5.5.6/32 Ethernet4/0"Framed-Route = "10.5.5.5/32 Ethernet4/0"Idle-Timeout = 100

Related Commands

Feature Information for IPsec Virtual Tunnel InterfacesTable 3 lists the release history for this feature.

Not all commands may be available in your Cisco IOS software release. For release information abouta specific command, see the command reference documentation.

Cisco IOS software images are specific to a Cisco IOS software release, a feature set, and a platform.Use Cisco Feature Navigator to find information about platform support and Cisco IOS software imagesupport. Access Cisco Feature Navigator athttp://www.cisco.com/go/fn. You must have an account onCisco.com. If you do not have an account or have forgotten your username or password, click Cancel atthe login dialog box and follow the instructions that appear.

Note Table 3 lists only the Cisco IOS software release that introduced support for a given feature in a givenCisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS softwarerelease train also support that feature.

Command Description

accept-dialin Configures an LNS to accept tunneled PPP connections from a LAC and to createan accept-dialin VPDN subgroup.

protocol (VPDN) Specifies the Layer 2 Tunneling Protocol that the VPDN subgroup will use.

request-dialout Enables an LNS to request VPDN dial-out calls by using L2TP and to create arequest-dialout VPDN subgroup.

vpdn-group Defines a local, unique group number identifier.



Table 3 Feature Information for IPsec Virtual Tunnel InterfaceI

Feature Name Releases Feature Configuration Information

Static IPsec VTIs 12.3(7)T12.3(14)T12.2(33)SRA

IPsec VTIs (VTIs) provide a routable interface type forterminating IPsec tunnels and an easy way to defineprotection between sites to form an overlay network. IPsecVTIs simplify configuration of IPsec for protection ofremote links, support multicast, and simplify networkmanagement and load balancing.

Static tunnel interfaces can be configured to encapsulateIPv6 or IPv4 packets in IPv6.

Dynamic IPsec VTIs 12.3(7)T12.3(14)T

Dynamic VTIs provide efficiency in the use of IP addressesand provide secure connectivity. Dynamic VTIs allowdynamically downloadable per-group and per-user policiesto be configured on a RADIUS server. The per-group orper-user definition can be created using Xauth User or Unitygroup, or it can be derived from a certificate. Dynamic VTIsare standards based, so interoperability in a multiple-vendorenvironment is supported. IPsec dynamic VTIs allow you tocreate highly secure connectivity for remote access VPNsand can be combined with Cisco Architecture for Voice,Video, and Integrated Data (AVVID) to deliver convergedvoice, video, and data over IP networks. The dynamic VTIsimplifies VRF-aware IPsec deployment. The VRF isconfigured on the interface.

Per-User Attribute Support for Easy VPNServers

12.4(9)T This feature provides per-user attribute support on an EasyVPN server.

The following sections provide information about thisfeature:“Per-User Attribute Support for Easy VPN Servers”section on page 7

The following commands were added or modified by thisfeature:crypto aaa attribute list andcrypto isakmp clientconfiguration group.

CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0601R)



Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, andfigures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional andcoincidental.

© 2005, 2006 Cisco Systems, Inc. All rights reserved.