Tired of old crypto maps? ios-xe 16.12 has something for you, then.
This nifty little feature works just like crypto maps behind the scenes, but logically it’s a tunnel. All you need to do is create a tunnel interface with ip unnumbered and add tunnel protection ipsec policy ipv4 <crypto ACL name>:
interface Tunnel0
 ip unnumbered GigabitEthernet0/0/0
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel destination 192.0.2.2
 tunnel protection ipsec policy ipv4 CACL
 tunnel protection ipsec profile PROF
Isn’t this just great?
I’ve tested this feature on 16.12.3 and it seems fine. So you can keep a crypto map (your old VPN connections) on your outside interface and, slowly but surely, delete your crypto map entries one by one, transforming them into new VTI tunnels.
One immediate benefit I can think of is the possibility of applying QoS on your tunnels, plus you no longer have to deal with the fact that your tunnels are traffic-triggered. You don’t have to wait for your business partner to say “hey, the tunnel isn’t working”, because you will see it in the status of your tunnels, so you can monitor them with SNMP. How cool is that.
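A fuller configuration built around the Tunnel0 snippet above, as an added example that is not from the original post: it supplies the IKEv2 proposal, policy, keyring and profile, the transform set and the IPsec profile PROF that the tunnel references, the crypto ACL CACL that provides the traffic selectors, a static route that sends the partner’s subnet into the tunnel, and a shaping policy on Tunnel0 for the QoS point made above. Only Tunnel0, GigabitEthernet0/0/0, CACL, PROF and 192.0.2.2 come from the original; the subnets, the pre-shared key placeholder, the IKEv2/IPsec object names and the shaping rate are constructed assumptions.

```cisco
! --- IKEv2 (assumed names; the original post does not show the IKE side) ---
crypto ikev2 proposal PROP-AES256
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy POL-DEFAULT
 proposal PROP-AES256
crypto ikev2 keyring KR-PARTNER
 peer PARTNER
  address 192.0.2.2
  pre-shared-key REPLACE-WITH-REAL-PSK
crypto ikev2 profile IKEV2-PARTNER
 match identity remote address 192.0.2.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-PARTNER
!
! --- IPsec profile referenced by the tunnel (PROF is the name used in the post) ---
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile PROF
 set transform-set TS-AES256-SHA256
 set ikev2-profile IKEV2-PARTNER
!
! --- Crypto ACL: these entries become the traffic selectors (proxy IDs) of the SAs.
! --- Subnets are constructed; keep them disjoint from any crypto map ACL still on the outside interface.
ip access-list extended CACL
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! --- Shaping policy so the tunnel can carry QoS (constructed rate) ---
policy-map SHAPE-TUNNEL0
 class class-default
  shape average 10000000
!
! --- The policy-based VTI from the post, with the shaper attached ---
interface Tunnel0
 ip unnumbered GigabitEthernet0/0/0
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel destination 192.0.2.2
 tunnel protection ipsec policy ipv4 CACL
 tunnel protection ipsec profile PROF
 service-policy output SHAPE-TUNNEL0
!
! --- Traffic still has to be routed into the VTI; the ACL only narrows what gets encrypted (assumed route) ---
ip route 10.2.0.0 255.255.0.0 Tunnel0
!
! --- Link up/down traps give you the interface-state monitoring mentioned above ---
snmp-server enable traps snmp linkdown linkup
```

To check the result, show interfaces Tunnel0 gives the interface state, show crypto ikev2 sa shows the IKE SA to 192.0.2.2, and show crypto ipsec sa peer 192.0.2.2 should list one SA pair per CACL entry, each with the local and remote identities taken from that entry. While a crypto map and the VTI coexist on the same outside interface, the VTI’s ACL and the crypto map’s ACLs must not select the same traffic, otherwise the two will compete for the same flows.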
For now I’ve tested this on my CSR1000v in GNS3. Hopefully I’ll be able to convince someone at work to allow an upgrade on my ASRs so that I can see how this works in production.
I’ll try to see if this also works with DVTIs (virtual templates etc.).