Hi,

I could find the following advantages of IPsec VTI over native IPSec VPN:

   - The VPN session is applied on the tunnel interface and not on the
   physical interface. This allows an "always-on" VPN tunnel through multiple
   physical interfaces (multiple paths).
   - IPSec VTI encrypts packets based on routing, whereas native IPSec VPN
   does it based on a complex access list.
   - IPSec VTI supports unicast and multicast traffic such as OSPF or RIP
   packets. Hence dynamic routing adjacencies can be achieved using IPSec VTI.
   This is not possible with native IPSec VPN.
   - Interface features like QoS, NAT, NetFlow and other security-related
   features can be applied to the virtual tunnel interface.

My queries are:

   - Are there any limitations for IPsec VTI compared to native IPSec VPN?
   (One I could find is that traffic filtering cannot be done, as encryption
   is done on a routing basis... is this correct?)
   - Is IPSec VTI as safe and strong as native IPSec VPN?
   (As per my understanding it is, as VTI uses the same transform sets and IKE
   proposals as native IPSec VPN.)
   - Will IPSec VTI work if an intermediate device is doing NAT?
   - What ports are used for establishing IPsec VTI between two peers? (I
   guess the same as native IPSec VPN.)


Can we say IPsec VTI is better than native IPSec VPN and that we can use it
instead of native IPSec VPN?

Regards,
D.M.Gore
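
The contrast the post draws between access-list-driven and routing-driven encryption, shown side by side as an added Cisco IOS example that is not part of the original message. The names TS, CMAP and VTI-PROF, ACL 101, the interface names and all addresses are assumptions chosen for illustration, and the pre-shared key is a placeholder.

```cisco
! Constructed example: names (TS, CMAP, VTI-PROF), ACL 101 and all addresses
! (RFC 5737 / RFC 1918 ranges) are assumptions; <PSK-PLACEHOLDER> is a placeholder.
!
! Common to both styles: IKE policy, peer key and transform set
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PSK-PLACEHOLDER> address 203.0.113.2
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! --- Style 1: crypto map bound to the physical interface ---
! The crypto ACL selects what is encrypted. Traffic that does not match
! ACL 101 is forwarded out the interface unencrypted.
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
crypto map CMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address 101
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.252
 crypto map CMAP
!
! --- Style 2: static VTI ---
! No crypto ACL: whatever the routing table sends out Tunnel0 is encrypted.
crypto ipsec profile VTI-PROF
 set transform-set TS
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
 ! Routing protocol runs over the tunnel like on any other interface
 ip ospf 1 area 0
```

A router would carry one style per peer, not both; `show crypto ipsec sa` lists the negotiated selectors for either style.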