IPSec VTI Virtual Tunnel Interface

Hello Brian

Yes, that explanation makes sense. You can also add the fact that all of the IKE policies are configured not within a VRF configuration mode, but within the global configuration mode. This also reinforces the fact that these policies are global and can be accessed by any entity within the device.

Thanks for sharing that information, it’s always helpful and adds to the value of the forum.

I hope this has been helpful!



I hope you are all doing well.
If we have crypto keepalive configured in global settings, do we still need keepalive configured under VTI interface and how this command works under tunnel interface?
Thanks for help.

Best regards,

Hello Milan

For the benefit of others reading, the crypto keepalive feature is part of what is known as the IPsec Dead Peer Detection Periodic Message Option. You can find out more about this at this NetworkLessons Note about crypto keepalive.

Now concerning the VTI keepalives, according to this Cisco documentation:

A limitation of VTI is the lack of an interface keepalive equivalent to a GRE keepalive. Many network managers prefer to use a GRE keepalive and a redistributed static route to the tunnel interface instead of using a routing protocol hello and adjacency over the interface. Although the routing protocol and GRE keepalive can be functionally equivalent, there may be less CPU overhead incurred by using a GRE keepalive.

So the keepalive on a VTI interface essentially does nothing. So you must employ the keepalive on the global crypto configuration.

I hope this has been helpful!


It is very helpful, thank you for explanation :slight_smile: