For this tidbit I want to define what SVTIs & DVTIs are, what they do, & when to use one versus the other.
So to start, a VTI is a virtual tunnel interface that are used in IPsec configurations. The use of IPsec VTIs provides the ability to simplify configuration when you need to provide protection for remote access. These types of interfaces allow you to uniquely configure virtual interfaces with custom configuration. One of the main benefits of an IPsec VTI is that the configuration can be unique & we no longer have to statically map an IPsec session to a physical interface. There are two types of VTIs so let's discuss what they are & when to use them:
Static (SVTI) = tunnels used in site-to-site IPsec connections & are often referred to as "always-on".
Dynamic (DVTI) = tunnels provide on-demand unique virtual interfaces for each VPN SA. Configuration for DVTIs is mirrored from a virtual template. We often use these for hub & spoke topologies. However, DVTIs can also support several SVTIs. These VTIs are deleted when both IKE & IPsec SAs to the respective peer are terminated.
Lastly, here are some notable IPsec VTI restrictions:
Fragmentation is not supported over IPsec tunnel.
IPsec transform set must be configured in tunnel mode only.
IKE SAs are bound to the respective VTI
IPsec SA traffic selectors support only one IPsec SA that gets attached to the VTI interface
To see more about SVTIs & DVTIs check out the other VPN related posts. Cheers!