SVTIs & DVTIs Tidbit

For this tidbit I want to define what SVTIs & DVTIs are, what they do, & when to use one versus the other.

So to start, a VTI is a virtual tunnel interface that is used in IPsec configurations. IPsec VTIs simplify configuration when you need to protect remote-access or site-to-site traffic, because each virtual interface can carry its own custom configuration (IP address, routing, QoS, ACLs) just like a physical interface. One of the main benefits of an IPsec VTI is that the configuration can be unique & we no longer have to statically map an IPsec session to a physical interface with a crypto map. There are two types of VTIs, so let's discuss what they are & when to use them:

Static (SVTI) = tunnels used in site-to-site IPsec connections; they are often referred to as "always-on" because both endpoints are fixed in the configuration.

Dynamic (DVTI) = tunnels that provide an on-demand, unique virtual interface for each VPN SA. The configuration for each DVTI is cloned from a virtual template. We often use these for hub & spoke topologies, where the hub runs the DVTI & each spoke runs an SVTI. A single DVTI can therefore support several SVTIs. These virtual interfaces are deleted when both the IKE & IPsec SAs to the respective peer are terminated.

Lastly, here are some notable IPsec VTI restrictions:

  • Fragmentation is not supported over the IPsec tunnel.

  • The IPsec transform set must be configured in tunnel mode only (no transport mode).

  • IKE SAs are bound to the respective VTI.

  • IPsec SA traffic selectors are limited: only one IPsec SA is attached to a given VTI interface.

To see more about SVTIs & DVTIs check out the other VPN related posts. Cheers!

