Virtual Tunnel Interfaces, or VTIs (also known as route-based VPNs), are an excellent choice for site-to-site IPsec encrypted VPNs terminating on Cisco IOS devices. You can always use the older crypto maps, but I find VTIs much easier to deal with and to debug. If you are terminating on a device that does not support VTIs (an ASA running software older than 9.7, or some non-Cisco devices), crypto maps (policy-based VPNs, as they're known) may be your only choice, but where you have a choice, choose VTIs.
Jeremy Stretch covers the differences between the two in these two posts on his excellent blog, PacketLife:
http://packetlife.net/blog/2011/aug/15/policy-based-vs-route-based-vpns-part-1/
http://packetlife.net/blog/2011/aug/17/policy-based-vs-route-based-vpns-part-2/
I won’t go into what each stage of the VTI does. This is just a quick example to get you started so you can research the finer points yourself and learn what it all does.
You generally need an IOS image with the IP Security feature set (the securityk9 technology package on newer routers) or an Advanced IP Services / Advanced Security image for IPsec VPNs to work on any variant of IOS.
The following is a very simple example of setting up a basic VTI site to site with IPSec Encryption.
LAN(a) ----- Router1 ~~~WAN~~~ Router2 ----- LAN(b)

IP address assumptions (but of course, use your own addressing scheme; the WAN addresses are placeholders):

LAN(a) subnet - 192.168.10.0/24
LAN(b) subnet - 192.168.50.0/24
R1 LAN address - 192.168.10.1
R2 LAN address - 192.168.50.1
R1 WAN address - 1.2.3.4
R2 WAN address - 6.8.10.12
On Router1
crypto isakmp policy 10
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 0 [Enter PSK Here] address 6.8.10.12 no-xauth
crypto ipsec transform-set tsVTI esp-aes esp-md5-hmac
crypto ipsec profile profVTI
 set transform-set tsVTI
interface Loopback0
 description Loopback Interface for UnNumbered VTIs
 ip address 10.1.1.1 255.255.255.252
interface Tunnel0
 description LAN(a) -- LAN(b)
 ip unnumbered Loopback0
 tunnel source Dialer0
 tunnel destination 6.8.10.12
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile profVTI
On Router2
crypto isakmp policy 10
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 0 [Enter the Same PSK here] address 1.2.3.4 no-xauth
crypto ipsec transform-set tsVTI esp-aes esp-md5-hmac
crypto ipsec profile profVTI
 set transform-set tsVTI
interface Loopback0
 description Loopback Interface for UnNumbered VTIs
 ip address 10.1.1.2 255.255.255.252
interface Tunnel0
 description LAN(a) -- LAN(b)
 ip unnumbered Loopback0
 tunnel source Dialer0
 tunnel destination 1.2.3.4
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile profVTI

Two things to note. `tunnel source Dialer0` is the WAN-facing interface (the one holding the WAN address above); substitute whatever your own WAN interface is. And the phase 1 policy and transform set as written use MD5 hashing, DH group 2 and esp-md5-hmac; these are deprecated on current IOS and should be replaced with SHA-256 and DH group 14 or stronger on any new deployment.
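As an added example (not part of the original post), here is the same Router1 configuration with the phase 1 and phase 2 parameters brought up to what I would deploy today: AES-256, SHA-256 and DH group 14, PFS on the IPsec profile, dead peer detection so a failed peer is detected and the SA torn down, and MTU/MSS clamping on the VTI so that packets are not fragmented after the ESP overhead is added. Router2 mirrors this with the two WAN addresses swapped. The DPD timers, MTU and MSS values are my choices, not from the original.

```cisco
! Added example: hardened Router1 configuration (not from the original post)
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key 0 [Enter PSK Here] address 6.8.10.12 no-xauth
! Dead peer detection: probe every 10 s, retry every 3 s, send probes unconditionally
crypto isakmp keepalive 10 3 periodic
crypto ipsec transform-set tsVTI esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile profVTI
 set transform-set tsVTI
 ! Fresh DH exchange for every phase 2 SA
 set pfs group14
interface Loopback0
 description Loopback Interface for UnNumbered VTIs
 ip address 10.1.1.1 255.255.255.252
interface Tunnel0
 description LAN(a) -- LAN(b)
 ip unnumbered Loopback0
 ! Leave room for the outer IP + ESP headers (values assumed; tune to your WAN MTU)
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Dialer0
 tunnel destination 6.8.10.12
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile profVTI
```

To check the result, `show crypto isakmp sa` should show the peer in state QM_IDLE, `show crypto ipsec sa` should show the encaps and decaps counters increasing as traffic flows, and `show interface Tunnel0` should be up/up. The key entered with `crypto isakmp key 0` is stored in the clear unless you enable `service password-encryption` (type 7) or, better, `key config-key password-encrypt` together with `password encryption aes` (type 6).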
Now all that is needed is a route on each router so that it can reach the other LAN through the tunnel. The most basic option, shown here, is a static route on each router, but you may want to use a proper routing protocol instead.
Router1(config)# ip route 192.168.50.0 255.255.255.0 Tunnel0
Router2(config)# ip route 192.168.10.0 255.255.255.0 Tunnel0

With this design the 10.1.1.0/30 lives on Loopback0, not on Tunnel0, so a static route pointed at a next-hop address in that /30 resolves to the loopback rather than the tunnel and does not send traffic down the VPN; point the route at the tunnel interface instead. A VTI is a point-to-point interface and does not use ARP, so the proxy-ARP concern that applies to static routes pointed at a multi-access (Ethernet) interface does not arise here. If you prefer to see a next hop in the routing table, give both: ip route 192.168.50.0 255.255.255.0 Tunnel0 10.1.1.2 on Router1 and ip route 192.168.10.0 255.255.255.0 Tunnel0 10.1.1.1 on Router2.
You should also bear in mind that if an ACL or some firewall feature protects your WAN-facing interface, you will need to permit inbound, at a minimum, UDP 500 (ISAKMP/IKE) and ESP (IP protocol 50) from the peer for this to work, and UDP 4500 as well if either end sits behind NAT, since IKE then switches to NAT Traversal and carries ESP inside UDP 4500.
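As an added example (not from the original post), here is an inbound ACL for Router1's WAN interface that permits only the VPN control and data traffic from Router2, using the addresses assumed above. The ACL name and the logging deny are my choices.

```cisco
! Added example: inbound WAN ACL on Router1 (not from the original post)
ip access-list extended WAN-IN
 ! ISAKMP / IKE (UDP 500) from the peer only
 permit udp host 6.8.10.12 host 1.2.3.4 eq isakmp
 ! NAT Traversal (UDP 4500): only used if a NAT sits between the peers
 permit udp host 6.8.10.12 host 1.2.3.4 eq non500-isakmp
 ! ESP (IP protocol 50) carrying the encrypted tunnel traffic
 permit esp host 6.8.10.12 host 1.2.3.4
 ! Everything else is dropped and logged
 deny ip any any log
interface Dialer0
 ip access-group WAN-IN in
```

Decrypted tunnel traffic arrives on Tunnel0, so it is not subject to this ACL; filter LAN-to-LAN traffic on the tunnel interface if you need to. If Dialer0 gets a dynamic address, replace the destination host 1.2.3.4 with any. And if this router also provides NAT'd internet access for LAN(a), the final deny will break return traffic for outbound sessions unless you pair the ACL with stateful inspection (ip inspect or the zone-based firewall) or add explicit permits for it.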