VTI (Virtual Tunnel Interface) was designed as a simple way to deploy a VPN in conjunction with IPsec. Ease of implementation, together with multicast and QoS support, makes VTI an interesting alternative to a GRE tunnel.
Virtual Tunnel Interface
Unlike a VPN that uses GRE tunnel encapsulation, a VTI requires the tunnel encapsulation to be changed to IPsec IPv4. We don't have to use non-routable addresses for the tunnel; we may use loopbacks. VTI supports routing protocols, QoS (which matters for VoIP), and NAT.
As you can see, the configuration boils down to implementing a standard IPsec configuration and binding it to the tunnel interface. The tunnel contains an interesting command, "ip unnumbered", which allows us to create the tunnel on loopback interfaces. The tunnel mode must be set to "ipsec ipv4"; otherwise we get a plain GRE tunnel with greater overhead.
Of course, a static VTI may be replaced with a dynamic VTI and implemented in a hub-and-spoke topology.
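A static VTI configuration for one peer, as an added example that is not taken from the original post or its lab. The addresses (documentation ranges), interface names, policy numbers, the names VTI-TS and VTI-PROFILE, and the pre-shared key placeholder are all assumptions; the peer mirrors this configuration with the addresses swapped.

```cisco
! Added example, not the author's lab configuration. All names,
! addresses and the key below are constructed placeholders.

! Phase 1 (IKE) policy with a pre-shared key for the remote peer
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address 198.51.100.2

! Phase 2: transform set and the IPsec profile that references it
crypto ipsec transform-set VTI-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile VTI-PROFILE
 set transform-set VTI-TS

! Loopback whose address the tunnel borrows
interface Loopback0
 ip address 10.255.0.1 255.255.255.255

! WAN-facing interface (assumed name and address)
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0

! The VTI itself: a standard IPsec profile bound to a tunnel interface
interface Tunnel0
 ! No dedicated tunnel subnet: reuse the loopback address
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.2
 ! Without this line the tunnel stays in its default GRE mode and
 ! the profile below protects GRE packets, adding the GRE header overhead
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE

! Reach the peer's loopback (assumed 10.255.0.2) through the tunnel;
! a routing protocol over Tunnel0 can replace this static route
ip route 10.255.0.2 255.255.255.255 Tunnel0
```

After both sides are configured, `show crypto ipsec sa` and `show interface Tunnel0` confirm that the security associations are up and that the tunnel protocol reads IPsec rather than GRE.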
The lab with the VTI implementation and the necessary commands looks like this: