[c-nsp] Virtual Tunnel Interface - experiences?

Kevin Graham mahargk at gmail.com
Wed Nov 16 12:07:12 EST 2005


On 11/10/05, Christian Zeng <christian at zengl.net> wrote:

> Because of this, we want to implement Virtual Tunnel Interfaces and run
> a routing protocol over the IPsec protected tunnel. I do not like the
> idea to run DMVPN or similar setups, mainly because of the
> tunnel-in-tunnel-in-tunnel overhead and IIRC, you would need cryptomap
> ACL definitions in such a setup, too. VTI has the advantage of a single
> ip any any IPsec SA without additional encapsulation through GRE etc.

Tried VTI under 12.4(1a) and ran into problems that I should've dug
into further but out of laziness left for someone else to open bugs on
and haven't given it a spin since. The obvious symptom was OSPF
adjacencies frequently flapping, where moving back to GRE encap was
consistently clean. I'd have to dig up notes to be sure, but I _think_
the tunnel itself was flapping, suggesting that SAs weren't being
refreshed properly.

This said, consider using tunnel protection w/ GRE; the config is the
same as VTI, just specify encap gre in place of ipsec ipv4. You
will have the obvious overhead of an additional encapsulation header,
but you'll still have the configuration simplicity of VTI (and it's a
one-line change per tunnel should you decide to go w/ VTI).

The other big advantage is tunnel protection profiles (w/ GRE) have
been supported since at least 12.3 mainline (can't find it in FN to be
sure further back), so 12.3(14)T or 12.4 aren't a prerequisite.

As you plan, keep in mind that crypto maps and tunnel protection do
not play nicely together on the same router (at least under early
12.3's)...
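The GRE-plus-tunnel-protection setup recommended in the reply above, written out as an added example; it is not configuration from the original post or from Cisco documentation. Addresses (203.0.113.0/24 is a documentation prefix), interface names, the pre-shared key and the transform-set/profile names are all assumed for illustration.

```cisco
! --- IPsec profile shared by both variants (assumed names and values) ---
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
! pre-shared key and peer address are placeholders for this example
crypto isakmp key ExamplePSK-ChangeMe address 203.0.113.2
!
crypto ipsec transform-set TS-AES-SHA esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile VPN-PROFILE
 set transform-set TS-AES-SHA
!
! --- Variant A: GRE tunnel with tunnel protection (works on 12.3 mainline) ---
interface Tunnel0
 description GRE over IPsec to hub, OSPF runs over this link
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1400
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode gre ip
 tunnel protection ipsec profile VPN-PROFILE
!
! --- Variant B: VTI, the one-line change per tunnel (needs 12.3(14)T / 12.4) ---
! Identical to Variant A except for the tunnel mode line:
!  tunnel mode ipsec ipv4
! Everything else (source, destination, protection profile, OSPF) stays the same.
!
! --- Routing protocol over the protected tunnel ---
router ospf 1
 network 10.255.0.0 0.0.0.3 area 0
!
! --- Checks after bringing the tunnel up ---
! show crypto session           ! ISAKMP/IPsec state for the peer
! show crypto ipsec sa          ! SA lifetimes; watch whether they rekey cleanly
! show interfaces Tunnel0       ! line protocol should stay up, not flap
! show ip ospf neighbor         ! adjacency should stay FULL across SA rekeys
```

The other end mirrors this with source and destination swapped and 10.255.0.2 on Tunnel0. The `ip mtu 1400` is a conservative allowance for the extra GRE and ESP headers the reply mentions; with the GRE variant you can also set `mode transport` on the transform set to shave the outer IP header. Per the caveat in the reply, do not also bind a crypto map to the physical interface on a router that uses tunnel protection.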


