As we discussed in a previous post, recent updates to Cisco’s Firepower Threat Defense (FTD) software and its Secure Firewall Management Center (FMC) provide improved firewall management. Enhanced support for virtual tunnel interfaces (VTIs) is among the more noteworthy features.
VTIs provide a simpler and more scalable way to configure virtual private network (VPN) tunnels that terminate on the firewall. That has become a critical capability for organizations that must make their corporate networks available to large numbers of mobile and remote employees.
A VPN is usually the solution of choice for creating secure connections between remote users and private corporate networks. The VPN client builds an encrypted tunnel across the public Internet to a VPN gateway at the network edge, which decrypts the traffic and forwards it onto the corporate network. However, VPNs are not a perfect solution.
For one, they were never designed to provide all-day network connectivity for a company’s entire workforce. Pre-pandemic, most companies only needed to set up tunnels for a few employees for short periods of time. Accommodating the sharp increase in remote traffic is a major management challenge.
Establishing a tunnel between two peers with a traditional policy-based VPN built on the IP Security (IPsec) protocol suite takes multiple steps. Administrators must define security policies that specify what traffic will be encrypted, where it will be sent, the local IP address that will source the tunnel, and other parameters. They must also create access control lists (ACLs) that identify the permitted source and destination addresses, since only traffic matching the ACL is encrypted. The ACLs and security policies are tied together in a crypto map entry, which is bound to an interface and forms part of the VPN configuration for each peer.
Such effort may be manageable for the occasional connection, but it isn’t practical for large numbers of employees connecting to a central gateway daily. It’s simply not feasible to manually configure every employee as a peer in a crypto map entry. Because remote users typically have dynamically assigned IP addresses, there’s no way to know a remote peer’s address in advance and program it into a crypto map.
Virtual tunnel interfaces support an alternative approach that reduces complexity and improves scalability. Sometimes called a “more flexible VPN,” VTI is route-based rather than policy-based: the tunnel is a routable interface, and traffic is encrypted because the routing table (static routes or a dynamic routing protocol) sends it to that interface, not because it matched a crypto ACL. As such, VTI does not require configuring crypto map access lists and mapping them to interfaces.
Better Security and Resilience
This approach also makes it easier to modify or update connections: to change which networks are reachable through the tunnel, you simply change the routing table. In the policy-based approach, you’d have to edit crypto maps and access lists, and then update the VPN connection profiles to account for those changes.
Encryption also becomes more straightforward. With an IPsec VTI, encryption occurs on the tunnel interface without policy matching: everything forwarded to the tunnel interface is encrypted, and it is automatically decrypted at the other end of the tunnel. The flip side is that traffic not routed into the tunnel is not protected by it, so the routing table, rather than a crypto ACL, now determines what is encrypted and deserves the same scrutiny. Because the VTI is a regular interface, you can also apply protections such as URL and application filtering to traffic inside the tunnel. The VTI approach offers improved resilience by allowing you to select a backup interface for the tunnel.
Although VPNs are generally well understood by IT professionals, they require a good deal of management expertise. The policies that drive tunneling, data transport, encryption and authentication are complex, particularly for organizations with limited IT staff. By adding support for virtual tunnel interfaces in its FTD and FMC solutions, Cisco enables a simpler, more scalable and more secure alternative.
Organizations need simpler and more scalable VPNs to provide reliable connectivity for large numbers of remote employees. Cisco provides that with support for virtual tunnel interfaces (VTIs) in its Firepower Threat Defense software and its Secure Firewall Management Center. Contact us to learn more.