In this post, we're going to configure a dynamic VTI (D-VTI) on the hub and a static VTI (S-VTI) on the spoke between two CSR1000v routers to demonstrate a hub-and-spoke deployment. The two devices used, as shown in the topology below, are R9 and R10. R9 will act as the hub and R10 will act as a spoke.
Topology

Devices
- R9 – Site one (VPN headend one)
- R10 – Site two (VPN headend two)
R9 – Hub Configuration
Configure a Keyring for Spokes
crypto keyring KEYRING
 pre-shared-key address 30.1.2.2 key cisco123
Configure an ISAKMP Policy
crypto isakmp policy 5
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
Configure an ISAKMP Profile
crypto isakmp profile ISAKMP-PROFILE
 keyring KEYRING
 match identity address 30.1.2.2 255.255.255.255
 virtual-template 1
Configure a Virtual-Template Interface
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet1
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination dynamic
 tunnel protection ipsec profile default
R10 – Spoke Configuration
Configure a Keyring for Hub Association
crypto keyring KEYRING
 pre-shared-key address 30.1.1.2 key cisco123
Configure an ISAKMP Policy
crypto isakmp policy 5
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
Configure an ISAKMP Profile
crypto isakmp profile ISAKMP-PROFILE
 keyring KEYRING
 match identity address 30.1.1.2 255.255.255.255
Configure a Tunnel Interface
interface Tunnel0
 ip unnumbered GigabitEthernet1
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination 30.1.1.2
 tunnel protection ipsec profile default
Configure a Static Route for Interesting Traffic
ip route 40.0.1.0 255.255.255.0 Tunnel0
Verify Connectivity
Ping Protected Subnet at the Hub from R10
R10#ping 40.0.2.1 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 40.0.2.1, timeout is 2 seconds:
Packet sent with a source address of 40.0.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Verify Crypto ISAKMP SA on R10
R10#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
30.1.1.2        30.1.2.2        QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA
Verify Crypto IPSec SA on R10
R10#show crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 30.1.2.2
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 30.1.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 177, #pkts encrypt: 177, #pkts digest: 177
#pkts decaps: 168, #pkts decrypt: 168, #pkts verify: 168
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 30.1.2.2, remote crypto endpt.: 30.1.1.2
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
current outbound spi: 0xB6C48C6F(3066334319)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xE5E3E55A(3856917850)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: CSR:1, sibling_flags FFFFFFFF80004048, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4607982/2852)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xB6C48C6F(3066334319)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: CSR:2, sibling_flags FFFFFFFF80004048, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4607987/2852)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
Verify Tunnel Interface is UP
R10#show int tun0
Tunnel0 is up, line protocol is up
Hardware is Tunnel
Interface is unnumbered. Using address of GigabitEthernet1 (30.1.2.2)
MTU 9938 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel linestate evaluation up
Tunnel source 30.1.2.2 (GigabitEthernet1), destination 30.1.1.2
Tunnel Subblocks:
src-track:
Tunnel0 source tracking subblock associated with GigabitEthernet1
Set of tunnels with source GigabitEthernet1, 1 member (includes iterators), on interface <OK>
Tunnel protocol/transport IPSEC/IP
Tunnel TTL 255
Tunnel transport MTU 1438 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "default")
Last input never, output never, output hang never
Last clearing of "show interface" counters 00:15:43
Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
207 packets input, 13845 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
216 packets output, 14805 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
Verify ISAKMP SA on R9
R9#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
30.1.1.2        30.1.2.2        QM_IDLE           1002 ACTIVE

IPv6 Crypto ISAKMP SA
Verify IPSec SA on R9
R9#show crypto ipsec sa
interface: Virtual-Access2
Crypto map tag: Virtual-Access2-head-0, local addr 30.1.1.2
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 30.1.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 256, #pkts encrypt: 256, #pkts digest: 256
#pkts decaps: 266, #pkts decrypt: 266, #pkts verify: 266
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 30.1.1.2, remote crypto endpt.: 30.1.2.2
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
current outbound spi: 0xE5E3E55A(3856917850)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xB6C48C6F(3066334319)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2019, flow_id: CSR:19, sibling_flags FFFFFFFF80000048, crypto map: Virtual-Access2-head-0
sa timing: remaining key lifetime (k/sec): (4607972/2439)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xE5E3E55A(3856917850)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2020, flow_id: CSR:20, sibling_flags FFFFFFFF80000048, crypto map: Virtual-Access2-head-0
sa timing: remaining key lifetime (k/sec): (4607983/2439)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
Verify ISAKMP SA Detail and Peers on R9
R9#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption

IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Cap.
43123 30.1.1.2        30.1.2.2               ACTIVE des  sha256 rsig 1  07:57:53
       Engine-id:Conn-id = SW:1123

IPv6 Crypto ISAKMP SA
R9#show crypto isakmp peers
Peer: 30.1.2.2 Port: 500 Local: 30.1.1.2
Phase1 id: R10.networkwizkid.com
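The detail output above reports, per IKE SA, the negotiated encryption, hash, authentication method and DH group. Comparing those columns against the policy you intended to configure catches a peer that negotiated something other than expected; the row above, for instance, shows des, rsig and DH group 1, while the isakmp policy 5 configured earlier in this post asks for aes 256, pre-share and group 14. The following Python parser is an added example and not part of the original post: the sample table is constructed (the first row mirrors the output above, the second row is invented to show a compliant SA), and the mapping from the policy keywords to the column values (aes, sha256, psk, 14) is an assumption.

```python
import re

# Constructed sample of "show crypto isakmp sa detail" output. The first row
# mirrors the post's output; the second row is made up to show a compliant SA.
SAMPLE_DETAIL = """\
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       psk - Preshared key, rsig - RSA signature

IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Cap.
43123 30.1.1.2        30.1.2.2               ACTIVE des  sha256 rsig 1  07:57:53
       Engine-id:Conn-id = SW:1123
43124 30.1.1.2        30.1.3.2               ACTIVE aes  sha256 psk  14 23:41:07
       Engine-id:Conn-id = SW:1124

IPv6 Crypto ISAKMP SA
"""

# Expected values derived from "crypto isakmp policy 5" in the post. The mapping
# of the policy keywords to the show-output column values is assumed.
EXPECTED = {"encr": "aes", "hash": "sha256", "auth": "psk", "dh": 14}

# One SA row: the I-VRF column may be blank, so it is optional. The DH column
# (digits) followed by an HH:MM:SS lifetime anchors the right-hand side.
ROW = re.compile(
    r"^(?P<cid>\d+)[ \t]+(?P<local>\S+)[ \t]+(?P<remote>\S+)[ \t]+"
    r"(?:(?P<vrf>\S+)[ \t]+)?(?P<status>\S+)[ \t]+(?P<encr>\S+)[ \t]+"
    r"(?P<hash>\S+)[ \t]+(?P<auth>\S+)[ \t]+(?P<dh>\d+)[ \t]+"
    r"(?P<life>\d{2}:\d{2}:\d{2})",
    re.M,
)


def parse_isakmp_detail(text):
    """Return a list of dicts, one per IKE SA row in the detail table."""
    rows = []
    for match in ROW.finditer(text):
        row = match.groupdict()
        row["dh"] = int(row["dh"])
        rows.append(row)
    return rows


def audit_isakmp(rows, expected=EXPECTED):
    """Return {conn-id: [issue, ...]}; an empty list means the SA matches policy."""
    findings = {}
    for row in rows:
        issues = []
        if row["status"] != "ACTIVE":
            issues.append(f"status {row['status']}")
        for key in ("encr", "hash", "auth"):
            if row[key] != expected[key]:
                issues.append(f"{key} {row[key]} (expected {expected[key]})")
        if row["dh"] != expected["dh"]:
            issues.append(f"dh group {row['dh']} (expected {expected['dh']})")
        findings[row["cid"]] = issues
    return findings


if __name__ == "__main__":
    for cid, issues in audit_isakmp(parse_isakmp_detail(SAMPLE_DETAIL)).items():
        print(cid, "OK" if not issues else "; ".join(issues))
```

Run against a real capture, every SA that prints anything other than OK is a peer whose negotiated parameters differ from the configured policy and deserves a look at the peer's policy list, since IKEv1 picks the first policy both sides agree on.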
Verify IPSec SA on R9 (crypto-map based output, tag CRYPTO-MAP)
R9#show crypto ipsec sa
interface: GigabitEthernet1
Crypto map tag: CRYPTO-MAP, local addr 30.1.1.2
protected vrf: (none)
local ident (addr/mask/prot/port): (40.0.1.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (40.0.2.1/255.255.255.255/0/0)
current_peer 30.1.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 30.1.1.2, remote crypto endpt.: 30.1.2.2
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
current outbound spi: 0xA2F4612C(2733924652)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x3ED1C05C(1053933660)
transform: esp-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 2805, flow_id: CSR:805, sibling_flags FFFFFFFF80004048, crypto map: CRYPTO-MAP
sa timing: remaining key lifetime (k/sec): (4607998/2272)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xA2F4612C(2733924652)
transform: esp-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 2806, flow_id: CSR:806, sibling_flags FFFFFFFF80004048, crypto map: CRYPTO-MAP
sa timing: remaining key lifetime (k/sec): (4607999/2272)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
Verify Virtual Access Interface on R9
R9#show int virtual-access2
Virtual-Access2 is up, line protocol is up
Hardware is Virtual Access interface
Interface is unnumbered. Using address of GigabitEthernet1 (30.1.1.2)
MTU 9938 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL
Tunnel vaccess, cloned from Virtual-Template1
Vaccess status 0x0, loopback not set
Keepalive not set
Tunnel linestate evaluation up
Tunnel source 30.1.1.2 (GigabitEthernet1), destination 30.1.2.2
Tunnel Subblocks:
src-track:
Virtual-Access2 source tracking subblock associated with GigabitEthernet1
Set of tunnels with source GigabitEthernet1, 2 members (includes iterators), on interface <OK>
Tunnel protocol/transport IPSEC/IP
Tunnel TTL 255
Tunnel transport MTU 1438 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "default")
Last input never, output never, output hang never
Last clearing of "show interface" counters 00:21:13
Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
289 packets input, 19185 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
279 packets output, 18165 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
Note: While testing on Cisco IOS XE Software, Version 16.06.07, I realised that when changes to the above configuration were made, the tunnel would still establish; however, traffic would not pass through it. After restarting both devices, the interesting traffic began passing through the tunnel again.
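The note above describes a failure mode in which the IKE and IPsec SAs are up but no traffic crosses the tunnel. The show crypto ipsec sa output used in the verification steps can tell the two states apart: an established but idle tunnel keeps reporting Status ACTIVE while its #pkts encaps and #pkts decaps counters stop moving. The following Python script is an added example, not part of the original post: it parses two captures of that output taken a few seconds apart while test traffic is running, and classifies each tunnel. The captures are constructed and abbreviated to the lines the checker reads, and the function and classification names are my own.

```python
import re

# Constructed, abbreviated "show crypto ipsec sa" capture from the spoke (R10).
# The template lets us build captures with chosen counter values.
CAPTURE_TEMPLATE = """\
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 30.1.2.2
   current_peer 30.1.1.2 port 500
    #pkts encaps: {encaps}, #pkts encrypt: {encaps}, #pkts digest: {encaps}
    #pkts decaps: {decaps}, #pkts decrypt: {decaps}, #pkts verify: {decaps}
     inbound esp sas:
      spi: 0xE5E3E55A(3856917850)
        Status: ACTIVE(ACTIVE)
     outbound esp sas:
      spi: 0xB6C48C6F(3066334319)
        Status: ACTIVE(ACTIVE)
"""


def capture(encaps, decaps):
    """Build a constructed capture with the given counter values."""
    return CAPTURE_TEMPLATE.format(encaps=encaps, decaps=decaps)


def parse_ipsec_sa(text):
    """Return {interface: {"peer", "encaps", "decaps", "active"}} per tunnel."""
    result = {}
    # Each tunnel's section starts with "interface: <name>" at column 0.
    for block in re.split(r"(?m)^interface: ", text)[1:]:
        name = block.split("\n", 1)[0].strip()
        peer = re.search(r"current_peer (\S+)", block)
        encaps = re.search(r"#pkts encaps: (\d+)", block)
        decaps = re.search(r"#pkts decaps: (\d+)", block)
        statuses = re.findall(r"Status: (\w+)", block)
        result[name] = {
            "peer": peer.group(1) if peer else None,
            "encaps": int(encaps.group(1)) if encaps else 0,
            "decaps": int(decaps.group(1)) if decaps else 0,
            # A healthy tunnel has at least one SA and every SA is ACTIVE.
            "active": bool(statuses) and all(s == "ACTIVE" for s in statuses),
        }
    return result


def assess_tunnels(before, after):
    """Classify each tunnel by comparing two parsed captures."""
    findings = {}
    for name, now in after.items():
        prev = before.get(name)
        if not now["active"]:
            findings[name] = "NO_ACTIVE_SA"
        elif prev is None:
            findings[name] = "NEW"
        elif now["encaps"] > prev["encaps"] and now["decaps"] > prev["decaps"]:
            findings[name] = "FORWARDING"
        elif now["encaps"] > prev["encaps"]:
            # We encrypt and send, but nothing comes back: check the far side.
            findings[name] = "SENDING_ONLY"
        else:
            # SAs are ACTIVE yet neither counter moved: the symptom in the note.
            findings[name] = "ESTABLISHED_NOT_FORWARDING"
    return findings


if __name__ == "__main__":
    first = parse_ipsec_sa(capture(177, 168))
    print(assess_tunnels(first, parse_ipsec_sa(capture(182, 173))))
    print(assess_tunnels(first, parse_ipsec_sa(capture(177, 168))))
```

Take the two captures while a continuous ping is running through the tunnel; without test traffic a healthy tunnel also reports ESTABLISHED_NOT_FORWARDING, because nothing has asked it to encrypt anything.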