Kingsley,

Is this a question or statement? Not sure.

 

Dnyaneshwar,

As VTI is a re-design of the legacy VPN, all the security features of the older
methodology are there, but you just have new advantages. If you are familiar
with the two, to be honest there is no reason not to use the newer
methodology over the legacy one in a production environment, due to the
simplicity of VTIs.

 

Regards,

Tyson Scott - CCIE #13513 R&S and Security

Technical Instructor - IPexpert, Inc.


Telephone: +1.810.326.1444 
Cell: +1.248.504.7309
Fax: +1.810.454.0130
Mailto:  [email protected]

 

Join our free online support and peer group communities:
http://www.IPexpert.com/communities

 

IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On Demand
and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE
Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and CCIE Storage
Lab Certifications.

 

From: [email protected]
[mailto:[email protected]] On Behalf Of Kingsley
Charles
Sent: Monday, September 21, 2009 2:46 AM
To: Dnyaneshwar Gore
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] IPSec Virtual Tunnel Interface queries

 

Hi D.M.Gore 

 

It's like comparing apples and oranges. Both of them have their own
advantages and disadvantages. I would like to change the subject here: VTI vs.
physical-interface-based IPsec.

 

Earlier, we just defined a crypto map with the interesting traffic, a transform
set and the peer. This is static IPsec.

 

With VTI, there are two types: Static VTIs (SVTI) and Dynamic VTIs (DVTI).

 

 

SVTI - You use a tunnel interface in "IPsec mode". All you have to do is
associate an IPsec profile. Any traffic routed through this interface is
encrypted. This is static and point-to-point. The tunnel interface is
sourced from a physical interface.

 

SVTI is like a site-to-site VPN, where the peers should be configured on both
sides.

 

DVTI - You use a virtual-template. This is dynamic. A virtual-access is
created when any traffic is routed through the interface. Usually, the
virtual-template is to the features. For VTI-based EzVPN, the VTI is
associated to the ISAKMP profile.

 

DVTI is like dynamic crypto maps. One line is configured with the peer
configuration. Each dynamic peer connecting to the server will have a
virtual-access created.

 

 

 

Based on the requirement, we need to decide which to take.

 

 

 

With regards

Kings

On Mon, Sep 21, 2009 at 9:23 AM, Dnyaneshwar Gore <[email protected]>
wrote:

Hi,

I could find the following advantages of IPsec VTI over native IPsec VPN:

*       The VPN session is applied on the tunnel interface and not on the
physical interface. This allows an "always-on" VPN tunnel through multiple
physical interfaces (multiple paths).
*       IPsec VTI encrypts packets based on routing, whereas native IPsec
VPN does it based on a complex access-list.
*       IPsec VTI supports unicast and multicast traffic such as OSPF or RIP
packets. Hence dynamic routing adjacencies can be achieved using IPsec VTI.
This is not possible with native IPsec VPN.
*       Interface features like QoS, NAT, NetFlow and other security-related
features can be applied to the virtual tunnel interface.

My queries are :

*       Are there any limitations of IPsec VTI compared to native IPsec VPN?
(One I could find is that traffic filtering cannot be done, as encryption is
done on a routing basis... is this correct?)
*       Is IPsec VTI as safe and strong as native IPsec VPN? (As per my
understanding it is, as VTI uses the same transform sets and IKE proposals
as native IPsec VPN.)
*       Will IPsec VTI work if an intermediate device is doing NAT?
*       What ports are used for establishing an IPsec VTI between two peers?
(I guess the same as native IPsec VPN.)


Can we say IPsec VTI is better than native IPsec VPN and that we can use it
instead of native IPsec VPN?

Regards,
D.M.Gore



_______________________________________________
For more information regarding industry leading CCIE Lab training, please
visit www.ipexpert.com <http://www.ipexpert.com/> 
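Editor's worked example, added here and not taken from any message in this thread. It puts the legacy crypto-map form beside the SVTI form Kingsley describes, adds the DVTI hub skeleton built on a virtual-template and an ISAKMP profile, and shows, for D.M.Gore's filtering, NAT and port questions, an ACL applied directly to the tunnel interface and an outside ACL that admits only IKE (UDP 500), NAT-T (UDP 4500) and ESP (IP protocol 50). All addresses (198.51.100.1, 203.0.113.2, 192.168.1.0/24, 192.168.2.0/24, 10.0.0.0/30), all names (TS-AES256, VTI-PROF, LEGACY-CM, VPN-TRAFFIC, TUNNEL-IN, OUTSIDE-IN, SPOKES, DVTI-ISAKMP, Virtual-Template1) and the pre-shared keys are illustrative assumptions, and the SHA-256 transform and ISAKMP hash assume an IOS release that offers them; substitute what your platform supports.

```cisco
! ---- Shared IKE/IPsec policy (assumed values; both designs use it) ----
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key SiteB-PSK-changeme address 203.0.113.2
! Keepalive so NAT-T state on an intermediate NAT device does not time out
crypto isakmp nat-traversal 20
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel

! ---- Legacy design: crypto map bound to the physical interface ----
! Encryption is selected by this ACL; anything not matched leaves in clear.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
crypto map LEGACY-CM 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES256
 match address VPN-TRAFFIC
! Applied on GigabitEthernet0/0 only; a second uplink needs its own map.
! (Commented out so the SVTI below is the active design.)
! interface GigabitEthernet0/0
!  crypto map LEGACY-CM

! ---- SVTI design: same crypto, selected by routing instead of an ACL ----
crypto ipsec profile VTI-PROF
 set transform-set TS-AES256

! Filtering is still possible: this ACL sees cleartext packets on Tunnel0
! after decryption (inbound) and before encryption (outbound).
ip access-list extended TUNNEL-IN
 permit ospf any any
 permit tcp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 443
 deny   ip any any log

interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 ip access-group TUNNEL-IN in
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF

! Routing protocol over the tunnel: multicast OSPF hellos are encrypted
! like any other packet routed out Tunnel0.
router ospf 1
 network 10.0.0.0 0.0.0.3 area 0
 network 192.168.1.0 0.0.0.255 area 0

! Outside interface: only the protocols IKE/IPsec actually use are admitted.
! isakmp = UDP 500, non500-isakmp = UDP 4500 (NAT-T), esp = IP protocol 50.
ip access-list extended OUTSIDE-IN
 permit udp host 203.0.113.2 host 198.51.100.1 eq isakmp
 permit udp host 203.0.113.2 host 198.51.100.1 eq non500-isakmp
 permit esp host 203.0.113.2 host 198.51.100.1
 deny   ip any any log

interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 ip access-group OUTSIDE-IN in

! ---- DVTI hub skeleton: one virtual-template, one virtual-access per peer ----
crypto keyring SPOKES
 pre-shared-key address 0.0.0.0 0.0.0.0 key Spokes-PSK-changeme
crypto isakmp profile DVTI-ISAKMP
 keyring SPOKES
 match identity address 0.0.0.0
 virtual-template 1
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip access-group TUNNEL-IN in
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF

! ---- Verification ----
! show crypto session            (peer, IKE/IPsec SA state, NAT-T in use)
! show crypto ipsec sa           (encrypt/decrypt counters per SA)
! show ip ospf neighbor          (adjacency formed across Tunnel0)
! show ip interface brief | include Virtual-Access   (DVTI: one per spoke)
```

With the SVTI, "interesting traffic" is whatever the routing table sends to Tunnel0, so the crypto ACL disappears but a normal interface ACL on the tunnel still filters the cleartext on both sides. When an intermediate device performs NAT, the peers detect it during IKE and encapsulate ESP in UDP 4500, which is why OUTSIDE-IN admits non500-isakmp as well as isakmp and esp.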

 
