Showing posts with label GRE over IPsec.

Friday, December 6, 2024

Step-by-Step Guide to sVTI VPN Configuration in Cisco IOS



Static Virtual Tunnel Interface (sVTI) in Cisco IOS 15.9(3)M10

Static Virtual Tunnel Interface (sVTI) changed how IPsec VPNs are built in Cisco IOS. GRE tunnels give you a routable interface and multicast support, but running GRE over IPsec with crypto maps meant extra header overhead, MTU tuning, and a crypto ACL to maintain for every flow on both peers.

sVTI, which predates 15.9(3)M10 by many releases but is shown here on that version, addresses these issues: the tunnel interface itself is the IPsec endpoint, so what gets encrypted is decided by routing rather than by crypto ACLs, and the GRE header disappears.


What is Static Virtual Tunnel Interface (sVTI)?

sVTI is a point-to-point tunnel interface (tunnel mode ipsec ipv4) whose encapsulation is IPsec itself. Because the tunnel is a routable interface, it replaces GRE, crypto maps, and per-flow crypto ACLs.

  • Multicast and routing protocols (OSPF, EIGRP, BGP) run over the tunnel without extra configuration
  • No GRE header: saves the 4-byte GRE header, plus the extra 20-byte IP header when GRE was carried inside ESP tunnel mode
  • Simpler IPsec deployment: one IPsec profile attached with tunnel protection
  • NAT, QoS, and interface ACLs work on the tunnel interface as on any other interface

Traditional GRE + IPSec (crypto maps and tunnel protection)

Crypto Maps and GRE Traffic

The GRE tunnel was built on the router and the GRE flow was encrypted by a crypto map applied to the physical interface. A crypto ACL (permit gre host A host B) selected the traffic, and every change to the tunnel had to be mirrored in the ACL on both ends.

IPSec Profiles with Tunnel Protection

Applying an IPsec profile to the GRE tunnel with tunnel protection removed the crypto ACL, but the packet still carried both a GRE header and the IPsec encapsulation, and the tunnel MTU still had to be tuned by hand.

Challenges:
  • MTU issues and packet fragmentation unless ip mtu and ip tcp adjust-mss were tuned on the tunnel
  • Roughly 56–76 bytes of combined GRE + IPsec overhead per packet
  • Crypto ACL and policy management, kept in sync on both peers

sVTI on Cisco IOS 15.9(3)M10

Simplified Configuration

IPsec is applied to every packet routed out of the tunnel interface; no crypto map or crypto ACL is involved. The flip side is that routing alone decides what gets encrypted, so the static or dynamic routes that point at the tunnel are the security policy: a route that should not be there sends that traffic into the tunnel, and any per-flow restriction has to be done with an access-group on the tunnel interface.

Improved MTU Handling

IOS derives the tunnel MTU from the IPsec transform overhead (1442 bytes in this guide's setup), so packets fit a 1500-byte path without the fragmentation GRE encapsulation used to cause. Verify it with show interface Tunnel10, and still set ip tcp adjust-mss where NAT-T or another encapsulation adds more overhead on the path.

Automatic IPsec Security Associations

The IPsec SA is negotiated with any/any proxy identities (0.0.0.0/0 → 0.0.0.0/0), which is why no crypto ACL is needed.

CLI Output Sample
Router# show crypto ipsec sa
local ident (addr/mask/prot/port): (0.0.0.0/0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0/0/0)
status: ACTIVE
    
Advanced Feature Support

NAT, QoS, and interface ACLs are supported on the sVTI interface just as on a physical interface, because the tunnel is an ordinary routable interface.

Example sVTI Configuration

The tunnel only comes up once an IPsec profile is attached with tunnel protection; the profile (transform set plus an IKE policy or IKEv2 profile) is configured separately.

interface Tunnel10
 ip address 10.10.10.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-IPSEC-PROF
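A complete single-side sVTI configuration, added here as a worked example and not taken from the original post. It assumes IKEv2 with a pre-shared key, the peer 203.0.113.2 from the example above, a remote LAN of 192.168.20.0/24, a /30 on the tunnel, and the names VTI-PROP, VTI-POL, VTI-KEYRING, VTI-IKEV2-PROF, VTI-TS and VTI-IPSEC-PROF; all of those, the MTU/MSS values and the <strong-psk> placeholder are assumptions for the illustration. The other end mirrors it with the addresses swapped.

```cisco
! Added example (not from the original post). The VTI-* names, the remote
! LAN 192.168.20.0/24, the MTU/MSS values and <strong-psk> are assumptions.
crypto ikev2 proposal VTI-PROP
 encryption aes-cbc-256
 integrity sha256
 group 19
crypto ikev2 policy VTI-POL
 proposal VTI-PROP
crypto ikev2 keyring VTI-KEYRING
 peer SITE-B
  address 203.0.113.2
  pre-shared-key <strong-psk>
crypto ikev2 profile VTI-IKEV2-PROF
 match identity remote address 203.0.113.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local VTI-KEYRING
crypto ipsec transform-set VTI-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile VTI-IPSEC-PROF
 set transform-set VTI-TS
 set ikev2-profile VTI-IKEV2-PROF
!
interface Tunnel10
 ip address 10.10.10.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-IPSEC-PROF
!
! Routing, not a crypto ACL, decides what is encrypted: anything routed to
! Tunnel10 enters the SA. Keep the routes that point at the tunnel tight.
ip route 192.168.20.0 255.255.255.0 Tunnel10
```

Verify with show crypto ikev2 sa, show crypto ipsec sa (expect the any/any identities shown earlier) and show interface Tunnel10, whose line protocol stays down until the IPsec SA is established.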

💡 Key Takeaways

  • sVTI removes GRE, crypto maps, and crypto ACL complexity
  • Multicast and routing protocols over the tunnel with less per-packet overhead
  • Tunnel MTU is derived from the IPsec overhead, so GRE-induced fragmentation disappears
  • Any/any IPsec SAs simplify deployment, and routing becomes the encryption policy
  • Less operational overhead

Conclusion

sVTI is the cleaner, faster, and more maintainable way to build IPsec tunnels in Cisco IOS, including the 15.9(3)M10 release used here, and the natural default for enterprise and service provider designs where crypto maps were once used.

Thursday, November 21, 2024

The Evolution of GRE over IPsec: Old Way vs. New Way Post-ASA 9.7



๐Ÿ” GRE over IPsec (Cisco ASA 9.7) – Old vs New Way Explained

This guide explains how GRE over IPsec evolved in Cisco ASA environments. We will break down the old complex method and the new simplified ASA 9.7 method in a structured, beginner-friendly way.


๐ŸŒ Introduction

GRE over IPsec is used to securely connect remote networks over the internet.

It combines:

  • GRE → for encapsulating multiple protocols
  • IPsec → for encryption and security

Together, they create a secure tunnel between sites.


📦 What is GRE?

Generic Routing Encapsulation (GRE) is a tunneling protocol.

GRE = "Wraps packets inside another packet"

Example:

Original Packet → [IP Packet]
GRE Tunnel → [Outer IP Header + GRE Header + IP Packet]

🔒 What is IPsec?

IPsec encrypts traffic so it cannot be read during transmission.

IPsec = "Locks the packet so only receiver can open it"

It ensures:

  • Confidentiality 🔐
  • Integrity 🧾
  • Authentication ✔️

๐Ÿ“ Simple Math Behind GRE + IPsec Encapsulation

Let’s understand overhead in simple form.

Original Packet Size:

\[ P = 1500 \text{ bytes} \]

GRE adds overhead:

\[ G = 24 \text{ bytes} \]

IPsec (ESP in tunnel mode) adds overhead; the exact figure depends on cipher block padding, IV and ICV length, and on the extra 8-byte UDP header when NAT-T is in use, so 50 bytes is a representative value:

\[ I = 50 \text{ bytes} \]

Total Packet Size:

\[ T = P + G + I \]

\[ T = 1500 + 24 + 50 = 1574 \text{ bytes} \]

👉 More encapsulation = more overhead = slightly lower throughput. And because 1574 > 1500, a full-size packet no longer fits the link MTU: it is fragmented (or dropped when DF is set) unless the tunnel MTU and the TCP MSS are reduced.
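The same arithmetic run the other way, added here as a worked example that is not part of the original post: since T exceeds the 1500-byte link MTU, it is the inner packet that has to shrink. With the same G and I, the largest inner packet that still fits is

\[ M_{\text{tunnel}} = 1500 - G - I = 1500 - 24 - 50 = 1426 \text{ bytes} \]

and, after subtracting the 20-byte IP and 20-byte TCP headers, the TCP MSS that avoids fragmentation is

\[ \text{MSS} = M_{\text{tunnel}} - 20 - 20 = 1426 - 40 = 1386 \text{ bytes} \]

In practice operators round these down (for example ip mtu 1400 and ip tcp adjust-mss 1360 on the tunnel, values chosen here for illustration) to leave room for ESP padding and for the 8-byte UDP header that NAT-T adds.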

⚠️ Old Way (Pre-ASA 9.7)

This design needed two devices per site: a router to terminate GRE and an ASA to encrypt the GRE flow.

Key Problems

  • GRE handled by routers
  • IPsec handled by the ASA, with a crypto ACL matching the GRE flow between the two routers
  • Two configurations per site to keep in sync
  • An extra hop and a second encapsulation on every packet

Configuration Example

Router (GRE endpoint):

interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 tunnel source 10.1.1.1
 tunnel destination 10.2.2.2

ASA (encrypts the GRE flow between the two routers; the IPsec peer is the remote ASA, which this example places at the same address as the remote GRE endpoint; the IKEv1 policy and crypto ikev1 enable outside are configured as usual):

access-list GRE_ACL extended permit gre host 10.1.1.1 host 10.2.2.2
crypto ipsec ikev1 transform-set GRE_TS esp-aes-256 esp-sha-hmac
crypto map GRE_MAP 10 match address GRE_ACL
crypto map GRE_MAP 10 set peer 10.2.2.2
crypto map GRE_MAP 10 set ikev1 transform-set GRE_TS
crypto map GRE_MAP interface outside
tunnel-group 10.2.2.2 type ipsec-l2l
tunnel-group 10.2.2.2 ipsec-attributes
 ikev1 pre-shared-key <strong-psk>

Status summary (illustrative, not verbatim CLI output)
Tunnel Status: UP
Crypto Map Applied: YES
Routing: STATIC

🚀 New Way (ASA 9.7+)

ASA 9.7 introduced the Virtual Tunnel Interface (VTI), a route-based IPsec tunnel. The ASA still does not terminate GRE; the point is that GRE is no longer needed, because the VTI is a routable interface that carries ordinary IP traffic, and routing protocols, directly over IPsec.

One device now terminates the tunnel: the ASA is both the tunnel endpoint and the encryptor.

Benefits

  • Less configuration: no crypto map, no crypto ACL, no router-side GRE tunnel
  • No external router required
  • One encapsulation instead of two, so less overhead per packet
  • Dynamic routing over the tunnel (BGP; support for other routing protocols on a VTI depends on the release, so check the release notes)

Configuration Example

The tunnel interface needs a nameif and tunnel mode ipsec ipv4 before the IPsec profile is attached:

interface Tunnel0
 nameif vti-siteb
 ip address 192.168.1.1 255.255.255.0
 tunnel source interface outside
 tunnel destination 10.2.2.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile GRE_IPSEC_PROFILE
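The ASA-side configuration that the tunnel interface depends on, added as a worked example and not the original post's configuration. It uses IKEv1 (check the release notes before using IKEv2 on a VTI in your version) and assumes the transform-set name VTI-TS, the interface name vti-siteb, a /30 on the tunnel, a remote LAN of 172.16.0.0/16 reached via the peer's tunnel address 192.168.1.2, and a <strong-psk> placeholder; all of those are assumptions for the illustration.

```cisco
! Added example (not from the original post). VTI-TS, vti-siteb, the
! remote LAN 172.16.0.0/16 and <strong-psk> are assumptions.
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set VTI-TS esp-aes-256 esp-sha-hmac
crypto ipsec profile GRE_IPSEC_PROFILE
 set ikev1 transform-set VTI-TS
 set pfs group14
tunnel-group 10.2.2.2 type ipsec-l2l
tunnel-group 10.2.2.2 ipsec-attributes
 ikev1 pre-shared-key <strong-psk>
!
interface Tunnel0
 nameif vti-siteb
 ip address 192.168.1.1 255.255.255.252
 tunnel source interface outside
 tunnel destination 10.2.2.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile GRE_IPSEC_PROFILE
!
! Route-based: the routing table, not a crypto ACL, selects what is
! encrypted, so a wrong route here sends that traffic into the tunnel.
route vti-siteb 172.16.0.0 255.255.0.0 192.168.1.2
```

Verify with show crypto ikev1 sa, show crypto ipsec sa and show interface Tunnel0. The VTI is an ordinary named interface for access-rule purposes, so traffic between inside and vti-siteb is still subject to your access rules, while the routing table rather than any ACL decides what is encrypted.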

📊 Old vs New Comparison

Feature          | Old Way                                   | New Way (ASA 9.7+)
-----------------|-------------------------------------------|------------------------------------
GRE handling     | Router                                    | Not needed (VTI is route-based)
IPsec handling   | ASA (crypto map + crypto ACL)             | ASA (VTI + IPsec profile)
Complexity       | High (two devices per site)               | Low (one device)
Routing support  | Static mostly                             | Dynamic (BGP over the VTI)
Performance      | Lower (double encapsulation, extra hop)   | Higher (single encapsulation)

🖥️ CLI Output Simulation

These are status summaries, not verbatim ASA output.

New ASA Setup
Tunnel0 is UP
IPsec SA Established
Route-based VTI active (no GRE)
Dynamic Routing: BGP over Tunnel0

Old Setup
Tunnel0 is UP
Crypto Map Applied
External Router Required
Routing: STATIC ONLY

💡 Key Takeaways

  • GRE = packet encapsulation
  • IPsec = encryption layer
  • Old method = a router for GRE plus an ASA for IPsec, with a crypto ACL to keep in sync
  • New method = a single ASA VTI, route-based, with no GRE header
  • Less overhead and simpler operations with ASA 9.7+

🎯 Final Conclusion

Moving from the router-plus-ASA GRE-over-IPsec design to the ASA 9.7 VTI removes a device, a crypto ACL, and an encapsulation layer from every site.

For modern enterprise networks, the VTI is the recommended design. Keep in mind that with a route-based tunnel the routing table is the encryption policy, so the routes that point into the tunnel deserve the same review a crypto ACL used to get.
