SVTIs & DVTIs Tidbit

For this tidbit I want to define what SVTIs & DVTIs are, what they do, & when to use one versus the other.

So to start, a VTI is a virtual tunnel interface used in IPsec configurations. IPsec VTIs simplify configuration when you need to protect remote access traffic, because each virtual interface can carry its own custom configuration. One of the main benefits of an IPsec VTI is that the configuration can be unique & we no longer have to statically map an IPsec session to a physical interface. There are two types of VTIs, so let's discuss what they are & when to use them:

Static (SVTI) = tunnels used in site-to-site IPsec connections; these are often referred to as "always-on".

Dynamic (DVTI) = tunnels that provide an on-demand, unique virtual interface for each VPN SA. The configuration of each DVTI is cloned from a virtual template. We often use these for hub & spoke topologies; a DVTI can also support several SVTIs. These interfaces are deleted when both the IKE & IPsec SAs to the respective peer are terminated.

Lastly, here are some notable IPsec VTI restrictions:

  • Fragmentation is not supported over an IPsec tunnel.

  • The IPsec transform set must be configured in tunnel mode only.

  • IKE SAs are bound to the respective VTI.

  • Traffic selectors support only one IPsec SA, which gets attached to the VTI interface.
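To make the SVTI/DVTI distinction concrete, here is an added example (not from the original post) showing a fixed-peer SVTI beside a hub-side DVTI that clones from a virtual template, both using the same IKEv2 and tunnel-mode IPsec policy. Cisco IOS-XE syntax is assumed; the interface names, RFC 5737/private addresses, and pre-shared key are placeholders.

```cisco
! Added example, not from the original post. Cisco IOS-XE syntax assumed;
! 203.0.113.x / 10.255.x.x are documentation placeholders, PSK is a placeholder.
! Shared IKEv2 and IPsec policy
crypto ikev2 proposal VTI-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy VTI-POL
 proposal VTI-PROP
crypto ikev2 keyring VTI-KEYRING
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key REPLACE-WITH-STRONG-PSK
! A VTI requires a tunnel-mode transform set (see the restriction list above)
crypto ipsec transform-set VTI-TS esp-gcm 256
 mode tunnel
! --- SVTI: one fixed peer, "always-on" site-to-site tunnel ---
crypto ikev2 profile SVTI-IKEV2-PROF
 match identity remote address 203.0.113.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local VTI-KEYRING
crypto ipsec profile SVTI-IPSEC-PROF
 set transform-set VTI-TS
 set ikev2-profile SVTI-IKEV2-PROF
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SVTI-IPSEC-PROF
! --- DVTI: hub side, one Virtual-Access interface cloned per spoke on demand ---
crypto ikev2 profile DVTI-IKEV2-PROF
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local VTI-KEYRING
 virtual-template 1
crypto ipsec profile DVTI-IPSEC-PROF
 set transform-set VTI-TS
 set ikev2-profile DVTI-IKEV2-PROF
interface Loopback0
 ip address 10.255.1.1 255.255.255.255
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile DVTI-IPSEC-PROF
```

On the hub, `show crypto ikev2 sa` and `show ip interface brief | include Virtual-Access` show the per-spoke Virtual-Access interfaces, which appear when a spoke negotiates its SAs and disappear when both the IKE and IPsec SAs are torn down.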

To see more about SVTIs & DVTIs check out the other VPN related posts. Cheers!
