Hello
Cisco Modeling Labs
- What_is_CML?.md
- Provision_Templates.md
- CML Labs
CCNP ENCOR
- Study Material
  - Study Material.md
  - Podcasts.md
- Network Switching
  - SpanningTree.md
  - Layer2PortAggregation.md
  - QOS.md
- Network Routing
  - BGP.md
  - OSPF.md
  - EIGRP.md
  - NAT.md
  - Multicast
  - content/Multicast-Twitch-TV.md
  - content/Multicast-Youtube-Live.md
- Virtualization
  - Virtualizations.md
  - VTI with IPSEC
- Wireless
  - Wireless.md
- Network Assurance
  - Network Assurance.md
- Security
  - Access Control Lists
  - Control Plane Policing
  - AAA.md
- Automation
  - Automation.md
  - Python.md
- Software Defined Networking
  - Cisco_DNA-Center.md
  - Cisco_SD-Access.md
  - Cisco_SD-WAN.md
  - APIs_DNA-Center_vManage.md
Fortinet
- Fortimanager Automation
  - Study Material.md
  - Podcasts.md
- AWS Direct Connect
  - DXCON.md
AWS Advanced Network Specialty
- Study Material
  - Study Material.md
  - Podcasts.md
- AWS Direct Connect
  - DXCON.md
Music
- Videos.md

VTI with IPSEC

Acronyms

VTI: Virtual Tunnel Interface
IPsec: Internet Protocol Security
ISAKMP: Internet Security Association and Key Management Protocol
IKE: Internet Key Exchange
ESP: Encapsulating Security Payload
AH: Authentication Header
SA: Security Association
SPI: Security Parameter Index

Notes

The tunnel interface acts like a point-to-point link.
Traffic routed through Tunnel0 is automatically encrypted with IPsec.
Routing protocols (e.g., OSPF, BGP) can be enabled directly on Tunnel0.

Commands

show crypto isakmp sa - Displays the ISAKMP Security Association
show crypto ipsec sa - Displays the IPsec Security Association
show run | section crypto - Shows crypto related configurations

Config

Create a Virtual Tunnel Interface

interface Tunnel0
 ip address 192.168.1.1 255.255.255.252
 ! can also use 'ip unnumbered <interface>'
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4

Define the IPsec Profile

crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400

Define the IPsec Pre-Shared Key (as that was our chosen authentication method in the IPsec Profile)

crypto isakmp key MY_SECRET_KEY address 203.0.113.2

Define the IPsec Transform-Set

crypto ipsec transform-set MY_TRANSFORM_SET esp-aes 256 esp-sha-hmac
 mode tunnel

Apply the IPsec Profile to the Tunnel

interface Tunnel0
 tunnel protection ipsec profile MY_IPSEC_PROFILE

code