
Virtual Tunnel Interfaces (VTI)

Configuration > Networking > Virtual Tunnel Interfaces (VTI)

Use the Virtual Tunnel Interfaces (VTI) tab to manage VTIs for your appliances. A VTI is a tunneling protocol that does not require a static mapping of IPSec sessions to a physical interface. The tunnel endpoint is associated with a tunnel interface that enables a constant, secure, and stable connection throughout your network. With this feature, you can establish IPSec UDP SD-WAN tunnels nested within third-party IPSec tunnels (“tunnel-in-tunnel”). IPv6 is supported for the outer tunnel; the inner tunnel mode must be IPSEC_UDP.

NOTE: Tunnel-in-tunnel capabilities require that your appliances are running ECOS 9.5.x.x or later.

  • The table on this tab lists all appliances in your network or those selected in the appliance tree.

  • The columns are populated if a VTI has been set up for the appliance.

  • An appliance will be listed more than once if multiple VTIs have been set up for the appliance.

To create a VTI or modify an existing one for an appliance, click any edit icon associated with the appliance. The VTI dialog box opens.

VTI Dialog Box

The VTI dialog box lists VTIs associated with the appliance if any exist. You can use this dialog box to set up:

  • One or more VTIs for each tunnel interface.

  • IP/Mask aliases for IP/Masks configured for the VTI.

  • Automatic distribution of WAN-side VTIs into BGP.

Use the following procedures to configure a VTI with an associated tunnel in Orchestrator.

Add a VTI

  1. Click Add.

    The Add VTI Interface dialog box opens.

  2. Complete the following fields as appropriate.

    Field: Description

    Segment: Segment to associate with the VTI. This field is enabled only if Routing Segmentation is enabled.

      Select Default from the drop-down list for the system-supplied default segment or one of the other listed segments, which reflect custom segments defined using Routing Segmentation.

    Interface: Identifier of the VTI. For example, to assign vti200 as the identifier, enter 200 in the field.

      NOTE: IDs in the range 20000 to 30000 are reserved for Orchestrator.

    Interface Type: Interface type (lan or wan). Select the appropriate type from the drop-down list. The default setting is wan.

      NOTE: The interface type must match the associated passthrough tunnel configuration. If the passthrough tunnel is configured with a WAN-side interface label, select wan. If the passthrough tunnel is configured with a LAN-side interface label, select lan.

    IP/Mask: Root IP address and subnet mask of the VTI. If these fields are empty, the default setting of 0.0.0.0/0 is used.

    Admin: Select whether the interface is up or down. The default setting is up.

    Status: Status of the VTI tunnel.

    IP/Mask Alias: Alias IP address and subnet mask of the VTI. To display these fields, click the +IP link. Configuring an IP/Mask alias is optional. The default setting is 0.0.0.0/0. Deleting an IP/Mask alias resets it to the default setting.

      NOTE: This field is displayed only if the appliance is running ECOS 9.5.x.x or later.

      The IP/Mask alias is associated with the IP/Mask configured for the VTI. It assumes the zone of the associated VTI. You can configure any routable address for the IP address alias.

      NOTE: Appliances automatically source SD-WAN tunnel packets from IP address aliases when they are configured. The underlying tunnel will be sourced from the alias IP address.

    Passthrough Tunnel: Passthrough tunnel to associate with the VTI. Select the appropriate tunnel from the drop-down list.

    Label: Interface label to associate with the VTI. The default setting is NONE. To apply a label to the VTI, select one from the drop-down list. The list includes all LAN or WAN interface labels depending on your selection in the Interface Type field. Labels are defined by using the Interface Labels dialog box.

    (Alias) Label: Interface label to associate as an alias with the VTI. When you click the +IP link, the Label field moves from the right of the IP/Mask fields to the right of the IP/Mask Alias fields.

      NOTE: This field and the +IP link are displayed only if the appliance is running ECOS 9.5.x.x or later.

      If you want to apply an alias label to the VTI, select an appropriate label from the drop-down list. The list includes all LAN or WAN interface labels depending on your selection in the Interface Type field. Labels are defined by using the Interface Labels dialog box.

      NOTE: Only one label can be specified for either the IP/Mask or IP/Mask alias (not both). Also, you cannot assign the same label to any other WAN-side interface.

    Auto Distribute: Indicates whether the WAN-side VTI will be automatically redistributed into BGP. This feature is enabled by default.

      NOTE: This check box is displayed only if the appliance is running ECOS 9.5.x.x or later. This setting provides a per-VTI exception that ignores the “Automatically advertise local WAN subnets” setting on the Update Segment dialog box accessed from the Routes template. When VTI is provisioned, BGP must advertise WAN-side VTI configurations.

    Zone: Firewall zone to associate with the VTI. The drop-down list includes all zones configured in the Firewall Zone Definition dialog box. Select Default for the system-supplied firewall zone.

  3. To change the default NAT setting (Not behind NAT), click the Not behind NAT link.

    NOTE: The NAT-related link is displayed only if the appliance is running ECOS 9.5.x.x or later.

    The NAT Settings dialog box opens.

    1. Select NAT if the appliance is behind a NAT-ed interface, or select the last option and enter an IP address to assign a destination IP for tunnels being built from the network to this VTI interface.

    2. Click OK.

  4. On the Add VTI Interface dialog box, click Add.

  5. On the VTI dialog box, click Save.
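
A pre-change check of a planned VTI against the rules stated in the field notes above: the reserved ID range, the interface type matching the passthrough tunnel side, a label on only one of IP/Mask or IP/Mask alias, and no label reuse on another WAN-side interface. This is an added example, not Orchestrator code; the PlannedVti record, its field names, and the sample labels are assumptions for illustration and do not correspond to any Orchestrator API.

```python
import ipaddress
from dataclasses import dataclass

# "20000 to 30000 are reserved"; treated as inclusive here (assumption).
RESERVED_IDS = range(20000, 30001)


@dataclass
class PlannedVti:                   # hypothetical record, not an Orchestrator type
    interface_id: int               # 200 -> vti200
    interface_type: str = "wan"     # documented default
    ip_mask: str = "0.0.0.0/0"      # documented default when left empty
    alias_ip_mask: str = "0.0.0.0/0"
    label: str = "NONE"
    alias_label: str = "NONE"
    tunnel_side: str = "wan"        # side of the passthrough tunnel's label


def validate(vti, wan_labels_in_use=()):
    """Return the documented rules this plan breaks (empty list = passes)."""
    errors = []
    if vti.interface_id in RESERVED_IDS:
        errors.append("interface ID is in the range reserved for Orchestrator")
    if vti.interface_type not in ("lan", "wan"):
        errors.append("interface type must be lan or wan")
    elif vti.interface_type != vti.tunnel_side:
        errors.append("interface type does not match the passthrough tunnel")
    for name, value in (("IP/Mask", vti.ip_mask),
                        ("IP/Mask alias", vti.alias_ip_mask)):
        try:
            ipaddress.ip_interface(value)
        except ValueError:
            errors.append(f"{name} is not a valid address/mask: {value!r}")
    if vti.label != "NONE" and vti.alias_label != "NONE":
        errors.append("label set on both the IP/Mask and the IP/Mask alias")
    chosen = vti.label if vti.label != "NONE" else vti.alias_label
    if chosen != "NONE" and chosen in wan_labels_in_use:
        errors.append(f"label {chosen!r} is already on another WAN-side interface")
    return errors


# Constructed sample plans; the label names are made up for this example.
GOOD = PlannedVti(200, ip_mask="10.1.1.1/30", label="INET1")
BAD = PlannedVti(20500, "lan", "10.1.1.300/24", label="MPLS1", alias_label="INET2")

if __name__ == "__main__":
    for plan in (GOOD, BAD):
        print(plan.interface_id, validate(plan, {"MPLS1"}) or "ok")
```
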

Edit a VTI

  1. Click the edit icon associated with the VTI you want to modify.

    The Edit VTI Interface dialog box opens.

  2. Complete the fields as appropriate. The fields are described above.

  3. To change the default NAT setting (Not behind NAT), click the NAT-related link.

    NOTE: The NAT-related link is displayed only if the appliance is running ECOS 9.5.x.x or later.

    The NAT Settings dialog box opens.

    1. As appropriate, select Not behind a NAT, NAT, or select the last option and enter an IP address to assign a destination IP for tunnels being built from the network to this VTI interface.

    2. Click OK.

  4. On the Edit VTI Interface dialog box, click Update.

  5. On the VTI dialog box, click Save.

Delete a VTI

To delete a VTI listed in the table, click the corresponding delete icon (X) in the last column.