IPSec Static Virtual Tunnel Interface

Hello,

I noticed in the lesson “Cisco IPsec Tunnel Mode Configuration” we didn’t configure any tunnel interface and i’m not sure i understand correclty.

Is that correct to say:

  • “Cisco IPsec Tunnel Mode Configuration”: We use IPsec Tunnel mode so IPsec will create the new header without the need for a tunneml interface. The source IP for the new header will be the IP of the interface where we apply the crypto map. The destination IP of the new header will be the one configured with the set peer inside the crypto map
  • “Encrypted GRE Tunnel with IPSEC”: In that case we want to use a GRE tunnel so we need to configure the tunnel on the interface. GRE will be adding the new header, IPsec will just be used for encryption, so we use IPsec transport mode
  • “IPSec Static Virtual Tunnel Interface”: This is similar to “Cisco IPsec Tunnel Mode Configuration” but with this newer method, we need to apply an IPsec profile on a tunnel interface. So we create a tunnel but we specify we will not use the standard GRE but IPsec.

Thanks,

Hello David

Yes you are correct in your descriptions. These are all different methods of emplying encryption on traffic that is exchanged between two routers. The IPsec tunnel mode solution is policy based. In this case, the traffic is sent through the IPSec tunnel based on an ACL that defines what traffic is to be protected by the IPSec tunnel. It doesn’t create a virtual tunnel interface in the routing table of the router.

The IPsec Static VTI however operates a bit differently. It’s a route-based IPSec VPN method where the tunnel is seen as a point-to-point connection. Static VTI allows for routing protocols to run over the IPSec tunnel. The tunnel is considered as an interface, so it can be assigned an IP address, included in the routing process, and even support dynamic routing protocols and multicast routing.

I hope this has been helpful!

Laz

Hi In EVE NG routes tunnel line protocol is down after adding tunnel mode ipsec ipv4
is any one facing same issue. Please let me know the solution.

Hello Ravishankar

If your tunnel is going down after the tunnel mode ipsec ipv4 command, it may be due to a missing or incorrect configuration somewhere in the setup. There is no easy way to determine what this may be, you will have to perform some troubleshooting steps to determine why this is happening. Ensure that your configs on both devices are set correctly. You can also use some debug commands to determine the reason why the tunnel interface is going down. Some of these include:

  • debug crypto isakmp
  • debug crypto ipsec
  • debug crypto engine

Some additional show commands that can help you out include:

Let us know how you get along, and inform us of your findings so that we can help you further.

I hope this has been helpful!

Laz

Hi,
I reproduced the lab with EVE-NG and IOL 17.12.1.
When trying to ping H2 from H1 packets are dropped on R1 with the following message:

R1#
*Sep 30 15:34:55.381: CEF-Drop: Packet from 192.168.1.100 (Et0/1) to 192.168.2.254, adjacency fixup

I activated “debug ip cef drops” on R1 to get this message.

Any idea ?
BR, Damien.
---
Sorry … just solved ! by removing “ip cef” from R1 and R2 :wink:
May be an issue related to the IOL I’m using ?
BR, Damien.

Hello Damien

Thanks for sharing your solution with us… Just a comment on the particular error message you’re getting. This is a somewhat common issue that is encountered when using CEF. The “adjacency fixup” message typically indicates that CEF couldn’t properly find an entry for the next-hop address in its adjacency table, leading to packet drops.

Removing ip cef resolved the issue because it forces the router to revert to process switching, which may handle the packets differently, particularly in simulation environments like EVE-NG with specific IOS versions. But I’m still not quite sure of the reason for your original CEF malfunction. It could be due to incompatibility of the IOS, or maybe some CEF parameter that was configured? If you’re interested, consider doing some troubleshooting with CEF activated, we’d be interested in hearing your results…

I hope this has been helpful!

Laz