Friday, October 30, 2009

IPSEC VTI (virtual tunnel interface)



So imagine R2 in the middle there is the ISP, and the two bottom routers... we will call them R1 and R3... are the customer. They both have an internet connection, but they also have a leased line in between them for internal communications. Basically this IPSEC VTI we are going to use is an encrypted tunnel over the internet that is used ONLY IF the leased line is down for some reason. It is a brilliant idea really, and worked quite flawlessly. Basically just set up a regular isakmp policy and ipsec transform-set. I then, instead of creating a crypto map, created a crypto ipsec profile, and then a modified tunnel interface config. It went something like this:


R1(config)#crypto ipsec profile myprofile
R1(ipsec-profile)#set transform-set mytrans

R1(config)#int tunnel 0
R1(config-if)#ip address 172.16.113.1 255.255.255.0
R1(config-if)#tunnel source serial 0/0
R1(config-if)#tunnel destination 192.168.23.3
R1(config-if)#tunnel mode ipsec ipv4
R1(config-if)#tunnel protection ipsec profile myprofile


So, the preferred path to the loopback off of R3, learned via eigrp, was over the leased line (obviously, because of the lower metric coming from the bandwidth and delay values of the ethernet connection). But when the ethernet interface was severed, eigrp recalculated and inserted the feasible successor into the routing table, with the path over the encrypted tunnel. Brilliant!
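As an added example (not from the original post), here is what the full R1 side looks like with the parts the post leaves out: the ISAKMP policy, the transform-set, a route for the tunnel endpoint, and the EIGRP process that produces the failover behaviour. The Serial0/0 address 192.168.12.1, the ISP next hop 192.168.12.2, the leased-line subnet 10.13.0.0/24, EIGRP AS 1 and the pre-shared key are assumptions; R3 mirrors this with 172.16.113.3 on Tunnel0 and tunnel destination 192.168.12.1.

```text
! --- R1 (customer side), assumed addressing ---
! Phase 1 policy (values assumed; the post does not show them)
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
! Pre-shared key for the R3 endpoint (placeholder, replace with a real secret)
crypto isakmp key PLACEHOLDER_PSK address 192.168.23.3
!
! Phase 2 transform-set, named as in the post
crypto ipsec transform-set mytrans esp-aes 256 esp-sha-hmac
!
crypto ipsec profile myprofile
 set transform-set mytrans
!
! Internet-facing link and leased line (both addresses assumed)
interface Serial0/0
 ip address 192.168.12.1 255.255.255.0
interface FastEthernet0/0
 description leased line to R3
 ip address 10.13.0.1 255.255.255.0
!
! Route-based VPN: the VTI carries whatever EIGRP routes into it
interface Tunnel0
 ip address 172.16.113.1 255.255.255.0
 tunnel source Serial0/0
 tunnel destination 192.168.23.3
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile myprofile
!
! Reach the peer's public address via the ISP, outside EIGRP. If the
! endpoint were ever learned through the tunnel, the tunnel would route
! over itself and flap.
ip route 0.0.0.0 0.0.0.0 192.168.12.2
!
! EIGRP on the leased line and the tunnel only. The tunnel keeps its
! default low bandwidth / high delay, so it stays the feasible successor
! and the leased line remains the successor while it is up.
router eigrp 1
 network 10.13.0.0 0.0.0.255
 network 172.16.113.0 0.0.0.255
 no auto-summary
!
! Checks after pulling the leased line:
!  show ip eigrp topology   (172.16.113.3 listed as feasible successor)
!  show interface Tunnel0   (line protocol up only once the IPsec SA is up)
!  show crypto ipsec sa     (pkts encaps should only climb while failed over)
```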
