Activating an IPsec profile on a VTI

An IPsec profile is activated by binding it to a virtual tunnel interface (VTI) that is configured as an IPsec VTI.

The IPsec profile must be defined and configured before it is bound to the VTI, and the tunnel interface must also be configured. An example at the end of this task shows the configuration steps in order.
Note: To avoid generating traffic over a stack link, it is recommended that both incoming and outgoing paths to the tunnel endpoints be on the unit where the ICX7400-SERVICE-MOD module is inserted.

You can activate an IPsec profile on a VTI by performing the following task.

  1. From privileged EXEC mode, enter global configuration mode.
    
    device# configure terminal
    
  2. Enter configuration mode for an IPsec tunnel.
    
    device(config)# interface tunnel 1
    
  3. Set the mode of the tunnel to IPsec.
    
    device(config-tnif-1)# tunnel mode ipsec ipv4
    
  4. Specify the IPsec protection profile for the tunnel.
    
    device(config-tnif-1)# tunnel protection ipsec profile prof_blue
    
  5. Return to privileged EXEC mode.
    
    device(config-tnif-1)# end
    
  6. Verify that the IPsec profile is attached to the VTI.
    
    device# show running-config interface tunnel 1
    !
    interface tunnel 1
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile prof_blue
    !
    

The following example shows how to configure a VTI, set the mode of the tunnel to IPsec, and bind an IPsec profile to the VTI.

    device# configure terminal
    device(config)# interface tunnel 1
    device(config-tnif-1)# vrf forwarding blue
    device(config-tnif-1)# tunnel source ethernet 1/1/1
    device(config-tnif-1)# tunnel destination 10.2.2.1
    device(config-tnif-1)# ip address 11.1.1.1/24
    device(config-tnif-1)# tunnel mode ipsec ipv4
    device(config-tnif-1)# tunnel protection ipsec profile prof_blue
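
The verification in step 6, extended to a whole saved configuration, as an added example that is not part of the original documentation: this Python script parses `show running-config` text and flags tunnel interfaces where IPsec mode and the profile binding are not both present. The sample configuration is constructed, and the parser assumes stanza headers start at column 0 with sub-commands indented beneath them.

```python
import re

# Constructed sample config (tunnels 2, 3 and prof_red are made up), not device output.
SAMPLE_CONFIG = """\
interface tunnel 1
 tunnel source ethernet 1/1/1
 tunnel destination 10.2.2.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile prof_blue
!
interface tunnel 2
 tunnel source ethernet 1/1/2
 tunnel destination 10.3.3.1
 tunnel mode ipsec ipv4
!
interface tunnel 3
 tunnel source ethernet 1/1/3
 tunnel protection ipsec profile prof_red
!
"""

def parse_tunnels(config):
    """Return {tunnel_id: [sub-commands]} for each 'interface tunnel N' stanza."""
    tunnels, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"interface tunnel (\d+)\s*$", raw)
        if m:
            current = tunnels.setdefault(int(m.group(1)), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None  # "!" or any other top-level line closes the stanza
    return tunnels

def audit_vti(config):
    """Map tunnel id to a finding when IPsec mode and profile are not both set."""
    findings = {}
    for tid, cmds in sorted(parse_tunnels(config).items()):
        ipsec_mode = "tunnel mode ipsec ipv4" in cmds
        profiles = [c.split()[-1] for c in cmds
                    if c.startswith("tunnel protection ipsec profile ")]
        if ipsec_mode and not profiles:
            findings[tid] = "IPsec mode set, no protection profile bound"
        elif profiles and not ipsec_mode:
            findings[tid] = f"profile {profiles[0]} bound, tunnel mode is not IPsec"
    return findings

if __name__ == "__main__":
    print(audit_vti(SAMPLE_CONFIG))
```

Tunnel 1 matches the configuration shown in this task and produces no finding; tunnels 2 and 3 are each missing one of the two lines that step 6 checks for.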