Guidelines for virtual tunnel interfaces

General configuration guidelines

  • VTIs are only configurable in IPsec mode.

  • Dynamic VTI supports only Threat Defense devices from version 7.3.

  • You can use static, BGP, EIGRP (IPv4), or OSPFv2/v3 routes for traffic that uses the tunnel interface.

  • In an HA configuration with dynamic routing, the standby device cannot access the known subnets through the VTI tunnels as these tunnels are created with the active IP address.

  • For static and dynamic VTI, ensure that you don't use the borrow IP interface as the tunnel source IP address for any VTI interface.

  • When you configure a route-based site-to-site VPN using static or dynamic VTI interfaces and run BGP over it, ensure that the TTL hop value is greater than one.

  • If NAT has to be applied, the IKE and ESP packets are encapsulated in UDP headers.

  • Ensure that you remove unused transform sets from route-based IKE VPN configurations. If unused transform sets remain, the VPN tunnels may not come up and encapsulation and decapsulation will not happen. Use the show run crypto and show vpn-sessiondb detail l2l commands to view the transform sets.
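
The following script is an added example, not part of this guide or the product: it parses a constructed show run crypto sample (assumed ASA/FTD-style syntax) and lists IKEv1 transform sets and IKEv2 IPsec proposals that no IPsec profile or crypto map entry references, which are the candidates to remove under the guideline above.

```python
import re

# Constructed sample of "show run crypto" output, written in assumed
# ASA/FTD-style syntax; it is not output captured from a real device.
SAMPLE_SHOW_RUN_CRYPTO = """\
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal AES-GCM-256
 protocol esp encryption aes-gcm-256
 protocol esp integrity null
crypto ipsec ikev2 ipsec-proposal AES-SHA
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ipsec profile VTI-PROFILE
 set ikev2 ipsec-proposal AES-GCM-256
 set ikev1 transform-set ESP-AES-SHA
 set pfs group14
"""

# Lines that define a transform set / proposal.
DEFINE_RE = re.compile(r"^crypto ipsec (ikev1 transform-set|ikev2 ipsec-proposal) (\S+)")
# Lines that reference one: indented "set ..." inside an IPsec profile
# (route-based VTI) or a "crypto map <name> <seq> set ..." entry.
USE_RE = re.compile(
    r"^(?:\s+|crypto map \S+ \d+ )set (ikev1 transform-set|ikev2 ipsec-proposal) (.+)$"
)


def parse_crypto_config(text):
    """Return (defined, used): each maps a kind to the set of names seen."""
    defined, used = {}, {}
    for line in text.splitlines():
        m = DEFINE_RE.match(line)
        if m:
            defined.setdefault(m.group(1), set()).add(m.group(2))
            continue
        m = USE_RE.match(line)
        if m:
            # A "set" line may list several names separated by spaces.
            used.setdefault(m.group(1), set()).update(m.group(2).split())
    return defined, used


def unused_transform_sets(text):
    """Map each kind to the sorted list of defined-but-unreferenced names."""
    defined, used = parse_crypto_config(text)
    result = {}
    for kind, names in defined.items():
        leftover = sorted(names - used.get(kind, set()))
        if leftover:
            result[kind] = leftover
    return result


if __name__ == "__main__":
    for kind, names in unused_transform_sets(SAMPLE_SHOW_RUN_CRYPTO).items():
        print(f"unused {kind}: {', '.join(names)}")
```

Feed it the saved output of show run crypto from your own device; an empty result means every defined transform set and proposal is referenced somewhere.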

IPv6 address guidelines

  • VTI supports IPv6 addresses.

  • You can use an IPv6 address for the tunnel source interface and use the same address as the tunnel endpoint.

  • The Cloud-Delivered Firewall Management Center supports the following combinations of VTI IP version (that is, the internal network IP version) over public IP version: IPv6 over IPv6, IPv4 over IPv6, IPv4 over IPv4, and IPv6 over IPv4.

  • VTI supports static and dynamic IPv6 addresses as the tunnel source and destination.

  • The tunnel source interface can have IPv6 addresses and you can specify the tunnel endpoint address. If you don't specify the address, by default, the Firewall Threat Defense uses the first IPv6 global address in the list as the tunnel endpoint.

IKE support and guidelines

  • Static VTI supports IKE v1 and v2.

  • Dynamic VTI supports only IKEv2, and uses IPsec for sending and receiving data between the tunnel's source and destination.

  • IKE and IPsec security associations are re-keyed continuously regardless of data traffic in the tunnel. This ensures that VTI tunnels are always up.

  • Tunnel group name must match what the peer sends as its IKEv1 or IKEv2 identity.

  • For IKEv1 in LAN-to-LAN tunnel groups, you can use names which aren't IP addresses, if the tunnel authentication method is digital certificates and/or the peer is configured to use aggressive mode.

MTU behavior

  • MTU for VTIs is automatically set based on the underlying physical interface.

  • For dynamic VTI, the virtual access interface inherits MTU from the configured tunnel source interface. If you don't specify the tunnel source interface, the virtual access interface inherits the MTU from the source interface from which the threat defense accepts the VPN session request.

VTI scaling and guidelines

  • Configure a maximum of 1024 static and dynamic VTIs in a device.

    While calculating the VTI count, consider nameif subinterfaces, portchannel configurations, and platform VLAN limitations.

  • If you configure more than 400 VTIs in a device in a high-availability setup, configure 45 seconds as the unit holdtime for the Firewall Threat Defense HA.

Routing protocol support

VTI supports multiple routing protocols for different IP versions.

  • VTI supports IPv6 BGP.

  • VTI supports IPv4 EIGRP.

  • VTI supports IPv4 and IPv6 OSPF.

ECMP configuration guidelines

  • Configure spokes' static VTIs in an ECMP zone to load balance application traffic. If you do not configure the ECMP zone, the remaining paths act as backup paths when the primary path goes down.

  • You can associate VTI interfaces with ECMP zones and configure ECMP static routes to achieve these benefits:

    • Load balancing (Active/Active VTIs)—Connection can flow over any of the parallel VTI tunnels.

    • Seamless connection migration—When a VTI tunnel becomes unreachable, the flows are seamlessly migrated to another VTI interface that is configured in the same zone.

    • Asymmetric routing—Forward traffic flow through one VTI interface and configure the reverse traffic flow through another VTI interface.

    For information on configuring ECMP, see ECMP routing methods.

Access control rule guidelines

  • By default, all traffic sent through a VTI is encrypted.

  • Access control rules can be applied on a VTI interface to control traffic through VTI.

  • For route-based VPNs, Bypass Access Control policy for decrypted traffic (sysopt connection permit-VPN) does not work. You must always create access control rules to allow route-based VPN traffic.

Crypto map guidelines

  • If you use dynamic crypto maps and dynamic VTIs in your site-to-site VPNs, only the dynamic VTI tunnels come up. This behaviour occurs because both the dynamic crypto maps and the dynamic VTIs try to use the default tunnel group. We recommend that you migrate your site-to-site VPNs to dynamic VTIs, or use static crypto maps with their own tunnel groups.

  • VTI and crypto map configurations can coexist on the same physical interface if the peer address configured in the crypto map and the tunnel destination for the VTI are different.

Topology guidelines

  • Dynamic VTI supports only the hub and spoke topology in the management center.

  • We recommend that you configure only a single hub for a route-based hub and spoke topology. To configure a topology with multiple hubs for a set of spokes, with one hub as the backup hub, configure multiple topologies with a single hub and the same set of spokes.

Dynamic VTI and virtual router guidelines

  • A dynamic VTI and its corresponding protected network interface must be part of the same virtual router.

  • You must map the borrow IP interface and the dynamic VTI to the same virtual router.

  • User-defined virtual routers support only BGPv4/v6 and OSPFv2 routing protocols.

  • A tunnel source interface can be in a different user-defined virtual router than that associated with the dynamic VTI.

Firewall mode guideline

Configure VTI only in routed mode.