Add a VTI Interface
To configure a route-based site-to-site VPN, you must create a VTI interface on the devices at both nodes of the VTI tunnel.
When you specify the tunnel type as dynamic and configure the related parameters, the management center generates a dynamic virtual template. The virtual template dynamically generates a virtual access interface that is unique to each VPN session.
Before you begin
Configure a loopback interface for redundancy of static and dynamic VTI VPN tunnels. For more information, see Configure a Loopback Interface.
For a Secure Firewall 1200, Secure Firewall 3100 or Secure Firewall 4200 device, IPsec flow offload is also used when the device's VTI loopback interface is enabled.
Procedure
Step 1: Choose Devices > Device Management.
Step 2: Click the Edit icon next to the device on which you want to create a VTI interface.
Step 3: Choose Add Interfaces > Virtual Tunnel Interface.
Step 4: Select the Tunnel Type as Static or Dynamic.
Step 5: Enter the name and description for the interface. By default, the interface is enabled. Ensure that you specify a name that is not longer than 28 characters.
Step 6: (Optional) Choose a security zone from the Security Zone drop-down list to add the static VTI or dynamic VTI interface to that zone. If you want to perform traffic inspection based on a security zone, add the VTI interface to the security zone and configure an access control (AC) rule. To permit the VPN traffic over the tunnel, you need to add an AC rule with this security zone as the source zone.
Step 7: In the Priority field, enter the priority used to load balance traffic across multiple VTIs. The range is from 0 to 65535. The lowest number has the highest priority. This option is not applicable for dynamic VTI.
Step 8: Depending on the tunnel type, do one of the following:
Step 9: (Optional for dynamic VTI) Choose the tunnel source interface from the Tunnel Source drop-down list. The VPN tunnel terminates at this interface, which can be a physical or loopback interface. Choose the IP address of the interface from the drop-down list. You can select the IP address irrespective of the IPsec tunnel mode. If there are multiple IPv6 addresses, select the address that you want to use as the tunnel endpoint.
Step 10: Under IPSec Tunnel Mode, click the IPv4 or IPv6 radio button to specify the traffic type over the IPsec tunnel.
Step 11: Under IP Address:
Step 12: Click OK.
Step 13: Click Save.
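
The constraints stated in the procedure above can be checked against a planned set of VTIs before anything is changed in the management center. The following Python lint is an added example, not Cisco code; the dict schema (device, tunnel, name, tunnel_type, priority, ipsec_mode, tunnel_source_ip, security_zone), the set of zones that AC rules use as source, and the sample plan are assumptions constructed for illustration.

```python
import ipaddress

NAME_MAX, PRIORITY_MAX = 28, 65535  # Step 5 name limit; Step 7 priority range 0 to 65535

def check_vti(vti, ac_source_zones):
    """Return findings for one planned VTI (hypothetical dict schema)."""
    out, ttype = [], vti.get("tunnel_type")
    if ttype not in ("static", "dynamic"):
        out.append("tunnel_type must be static or dynamic")
    if not 1 <= len(vti.get("name", "")) <= NAME_MAX:
        out.append(f"name must be 1-{NAME_MAX} characters")
    prio = vti.get("priority")
    if prio is not None and ttype == "dynamic":
        out.append("priority is not applicable for dynamic VTI")
    elif prio is not None and not 0 <= prio <= PRIORITY_MAX:
        out.append(f"priority must be 0-{PRIORITY_MAX}")
    if vti.get("ipsec_mode") not in ("ipv4", "ipv6"):
        out.append("ipsec_mode must be ipv4 or ipv6")
    src = vti.get("tunnel_source_ip")
    if src is None and ttype == "static":  # inferred: Step 9 is optional only for dynamic VTI
        out.append("static VTI needs a tunnel source")
    elif src is not None:
        try:  # Step 9: address family may differ from ipsec_mode, so no family check
            ipaddress.ip_address(src)
        except ValueError:
            out.append("tunnel_source_ip is not a valid IP address")
    zone = vti.get("security_zone")
    if zone and zone not in ac_source_zones:  # Step 6: AC rule with zone as source
        out.append(f"zone {zone} has no AC rule using it as source zone")
    return out

def check_plan(vtis, ac_source_zones):
    """Return (findings per 'device/name', tunnels with a VTI on only one node)."""
    report = {f"{v['device']}/{v['name']}": f
              for v in vtis if (f := check_vti(v, ac_source_zones))}
    nodes = {}
    for v in vtis:
        nodes.setdefault(v["tunnel"], set()).add(v["device"])
    return report, sorted(t for t, devs in nodes.items() if len(devs) < 2)

# Constructed sample plan, not taken from the page
PLAN = [
    dict(device="fw-a", tunnel="t1", name="vti-to-b", tunnel_type="static", priority=10,
         ipsec_mode="ipv4", tunnel_source_ip="2001:db8::1", security_zone="vpn"),
    dict(device="fw-b", tunnel="t1", name="vti-" + "x" * 25, tunnel_type="static",
         priority=70000, ipsec_mode="ipv4", tunnel_source_ip="192.0.2.2"),
    dict(device="fw-a", tunnel="t2", name="dvti-hub", tunnel_type="dynamic", priority=5,
         ipsec_mode="ipv6", security_zone="dmz"),
]
```

Calling check_plan(PLAN, {"vpn"}) returns the per-interface findings and the tunnels that have a VTI on only one device.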