Cisco IOS VTI VPN

Virtual Tunnel Interfaces, or VTIs (also known as route-based VPNs), are an excellent choice for site-to-site IPsec encrypted VPNs terminating on Cisco IOS devices. You can always use the older crypto maps, but I find VTIs so much easier to deal with and to debug. If you are terminating on an ASA firewall or another non-Cisco device, crypto maps (or policy-based VPNs, as they are known) may be your only choice, but where you have a choice, choose VTIs.

Jeremy Stretch covers the differences between the two approaches in these two posts on his excellent blog:
http://packetlife.net/blog/2011/aug/15/policy-based-vs-route-based-vpns-part-1/
http://packetlife.net/blog/2011/aug/17/policy-based-vs-route-based-vpns-part-2/

I won’t go into what each stage of the VTI does. This is just a quick example to get you started so you can research the finer points yourself and learn what it all does.

You generally need at least an IPSECURITY or AdvanceIP feature-set IOS image for VPNs to work, whichever variation of IOS you are running.

The following is a very simple example of setting up a basic site-to-site VTI with IPsec encryption.

LAN(a) -----  Router1  ~~~WAN~~~  Router2  ----- LAN(b)
IP address assumptions (use your own addressing scheme, of course):
LAN(a) subnet - 192.168.10.0/24
LAN(b) subnet - 192.168.50.0/24
R1 LAN address - 192.168.10.1
R2 LAN address - 192.168.50.1
R1 WAN address - 1.2.3.4
R2 WAN address - 6.8.10.12

On Router1

crypto isakmp policy 10
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 0 [Enter PSK Here] address 6.8.10.12 no-xauth
crypto ipsec transform-set tsVTI esp-aes esp-md5-hmac 
crypto ipsec profile profVTI
 set transform-set tsVTI 
interface Loopback0
 description Loopback Interface for UnNumbered VTIs
 ip address 10.1.1.1 255.255.255.252
interface Tunnel0
 description LAN(a) -- LAN(b)
 ip unnumbered Loopback0
 tunnel source Dialer0
 tunnel destination 6.8.10.12
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile profVTI

On Router2

crypto isakmp policy 10
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 0 [Enter the Same PSK here] address 1.2.3.4 no-xauth
crypto ipsec transform-set tsVTI esp-aes esp-md5-hmac 
crypto ipsec profile profVTI
 set transform-set tsVTI 
interface Loopback0
 description Loopback Interface for UnNumbered VTIs
 ip address 10.1.1.2 255.255.255.252
interface Tunnel0
 description LAN(a) -- LAN(b)
 ip unnumbered Loopback0
 tunnel source Dialer0
 tunnel destination 1.2.3.4
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile profVTI
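
A VTI stays down far more often because the two ends disagree on a phase 1 or phase 2 parameter than because of anything exotic, and the configs above also use MD5 hashing, DH group 2 and esp-md5-hmac, which Cisco's own Next Generation Encryption guidance now classes as legacy. The following Python script is an added example, not part of the original post and not a Cisco tool: it parses the crypto and tunnel sections of the two router configs shown above (embedded as constructed text, with the PSK placeholder replaced by a made-up value), checks that the two ends are mirror images of each other where they must be, and flags the weak algorithms. The WAN addresses passed to audit(), the weak-algorithm lists and the IOS default policy values are assumptions to adjust to your own environment.

```python
"""Cross-check two Cisco IOS VTI configs for peer agreement and weak crypto (added example)."""
import re

# Constructed input: Router1 from the post, descriptions dropped and the PSK placeholder
# replaced with a made-up value. Router2 is its mirror image (peer address swapped).
ROUTER1 = """crypto isakmp policy 10
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 0 EXAMPLE-PSK address 6.8.10.12 no-xauth
crypto ipsec transform-set tsVTI esp-aes esp-md5-hmac
crypto ipsec profile profVTI
 set transform-set tsVTI
interface Tunnel0
 ip unnumbered Loopback0
 tunnel source Dialer0
 tunnel destination 6.8.10.12
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile profVTI
"""
ROUTER2 = ROUTER1.replace("6.8.10.12", "1.2.3.4")

# Assumed weak-algorithm lists (MD5, DH groups 1/2/5, DES/3DES); tune to your own policy.
WEAK_IKE = {"hash": {"md5"}, "group": {"1", "2", "5"}, "encr": {"des", "3des"}}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}
# IOS applies these when a policy omits an attribute, so they take part in matching.
IKE_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}

def parse(config):
    """Split an IOS config into (command, [indented sub-commands]) blocks."""
    blocks = []
    for line in filter(str.strip, config.splitlines()):
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def block(blocks, head):
    """Sub-commands of the block whose command line equals head, or []."""
    return next((body for h, body in blocks if h == head), [])

def setting(body, prefix):
    """Remainder of the first sub-command that starts with prefix, or None."""
    return next((s[len(prefix):] for s in body if s.startswith(prefix)), None)

def isakmp_policies(blocks):
    """{priority: {encr, hash, authentication, group}} with IOS defaults filled in."""
    policies = {}
    for head, body in blocks:
        m = re.match(r"crypto isakmp policy (\d+)$", head)
        if m:
            policies[int(m.group(1))] = dict(IKE_DEFAULTS, **dict(s.split(None, 1) for s in body))
    return policies

def psk_for(blocks, peer):
    """Pre-shared key bound to a peer address, or None."""
    keys = re.findall(r"crypto isakmp key \d+ (\S+) address (\S+)", "\n".join(h for h, _ in blocks))
    return next((key for key, addr in keys if addr == peer), None)

def tunnel_params(blocks, name="Tunnel0"):
    """Destination, mode and the transforms behind the tunnel's IPsec profile."""
    iface = block(blocks, f"interface {name}")
    profile = block(blocks, f"crypto ipsec profile {setting(iface, 'tunnel protection ipsec profile ')}")
    ts_head = f"crypto ipsec transform-set {setting(profile, 'set transform-set ')} "
    transforms = next((h[len(ts_head):].split() for h, _ in blocks if h.startswith(ts_head)), [])
    return {"destination": setting(iface, "tunnel destination "),
            "mode": setting(iface, "tunnel mode "), "transforms": frozenset(transforms)}

def audit(cfg_a, cfg_b, wan_a, wan_b):
    """Return 'MISMATCH: ...' and 'WEAK: ...' findings; an empty list means the pair looks sound."""
    a, b = parse(cfg_a), parse(cfg_b)
    findings = []
    pol_a, pol_b = isakmp_policies(a), isakmp_policies(b)
    # Phase 1 only negotiates if at least one policy is identical on both routers.
    if not any(x == y for x in pol_a.values() for y in pol_b.values()):
        findings.append("MISMATCH: no ISAKMP policy is common to both routers")
    for side, policies in (("R1", pol_a), ("R2", pol_b)):
        for prio, pol in policies.items():
            for attr, weak in WEAK_IKE.items():
                if pol[attr] in weak:
                    findings.append(f"WEAK: {side} isakmp policy {prio} uses {attr} {pol[attr]}")
    # Each side must hold the same PSK, bound to the other side's WAN address.
    key_a, key_b = psk_for(a, wan_b), psk_for(b, wan_a)
    if key_a is None or key_a != key_b:
        findings.append("MISMATCH: pre-shared keys differ or are bound to the wrong peer address")
    # Tunnel endpoints cross-reference the peers; mode and phase 2 transforms must agree.
    tun_a, tun_b = tunnel_params(a), tunnel_params(b)
    if (tun_a["destination"], tun_b["destination"]) != (wan_b, wan_a):
        findings.append("MISMATCH: tunnel destination does not point at the peer's WAN address")
    if {tun_a["mode"], tun_b["mode"]} != {"ipsec ipv4"}:
        findings.append("MISMATCH: both ends need 'tunnel mode ipsec ipv4'")
    if not tun_a["transforms"] or tun_a["transforms"] != tun_b["transforms"]:
        findings.append("MISMATCH: transform sets bound to the tunnel profiles differ")
    for side, tun in (("R1", tun_a), ("R2", tun_b)):
        for weak in sorted(tun["transforms"] & WEAK_ESP):
            findings.append(f"WEAK: {side} transform set uses {weak}")
    return findings
```

Calling audit(ROUTER1, ROUTER2, "1.2.3.4", "6.8.10.12") on the configs from this post reports no mismatches but six WEAK findings (MD5 and group 2 in each router's ISAKMP policy, esp-md5-hmac in each transform set). Change the hash, the PSK or the transform set on one side only and the corresponding MISMATCH line appears, which is exactly what "debug crypto isakmp" would eventually tell you on the box, only faster and before you push the config.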

Now all that is needed is a route on each router so it can reach the other LAN via the VPN tunnel. The most basic approach, shown here, is a static route on each router, but you may want to use a proper routing protocol instead.

Router1(config)# ip route 192.168.50.0 255.255.255.0 Tunnel0 10.1.1.2
Router2(config)# ip route 192.168.10.0 255.255.255.0 Tunnel0 10.1.1.1

You can also use the form ip route 192.168.50.0 255.255.255.0 Tunnel0 (interface only, no next hop), but this may have issues with proxy ARP traffic if there is a lot of traffic on the tunnel (SIP traffic, for example).

Keep in mind that if you have an ACL or some kind of firewall protecting your WAN-facing interface, you will need to permit inbound UDP port 500 (ISAKMP) and ESP (IP protocol 50), at a minimum, for this to work.