Virtual tunnel interfaces
A virtual tunnel interface is a routable logical interface that
- does not require static mapping of IPsec sessions to a physical interface,
- associates the IPsec tunnel endpoint with a virtual interface, and
- supports static and dynamic routing policies.
Virtual tunnel interface capabilities
Cloud-Delivered Firewall Management Center supports VTIs as an alternative to policy-based VPN. VTIs support route-based VPN, with an IPsec profile attached to each end of the tunnel. VTIs use static or dynamic routes. The device encrypts or decrypts the traffic sent to or received from the tunnel interface and forwards it according to the routing table. Deployments become easier, and a VTI that supports route-based VPN with a dynamic routing protocol also satisfies many requirements of a virtual private cloud. Cloud-Delivered Firewall Management Center enables you to easily migrate from crypto-map based VPN configuration to VTI-based VPN.
You can configure route-based VPN with static or dynamic VTI using the site-to-site VPN wizard. Traffic is steered into the tunnel, and therefore encrypted, by static routes, BGP, OSPFv2/v3, or EIGRP.
You can create a routed security zone, add VTI interfaces to it, and define access control rules to control the decrypted traffic traversing the VTI tunnel.
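As an added example that is not part of this page, the following is the ASA/FTD-style device CLI that a static VTI with an attached IPsec profile and a static route into the tunnel corresponds to; the interface names, addresses, and pre-shared key are constructed placeholders, and the exact lines the management center deploys may differ.

```text
! Constructed example: static VTI in ASA/FTD-style device CLI.
! Assumed placeholders: "outside" = internet-facing nameif,
! 203.0.113.2 = remote peer, 10.255.0.0/30 = tunnel addressing,
! 192.168.20.0/24 = remote protected network.

! IKEv2 policy for the control channel to the peer
crypto ikev2 policy 10
 encryption aes-gcm-256
 integrity null
 group 19
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside

! IPsec proposal used by the profile
crypto ipsec ikev2 ipsec-proposal VTI-PROPOSAL
 protocol esp encryption aes-gcm-256
 protocol esp integrity null

! The IPsec profile is attached to the tunnel end, not to a crypto map
crypto ipsec profile VTI-PROFILE
 set ikev2 ipsec-proposal VTI-PROPOSAL

! Peer authentication for the tunnel endpoint (placeholder PSK)
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PLACEHOLDER-PSK>
 ikev2 local-authentication pre-shared-key <PLACEHOLDER-PSK>

! The routable logical interface; its nameif is what you add to a
! routed security zone so access control rules apply to decrypted traffic
interface Tunnel1
 nameif vti-branch
 ip address 10.255.0.1 255.255.255.252
 tunnel source interface outside
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE

! Routing, not a crypto-map ACL, decides what enters the tunnel and is encrypted
route vti-branch 192.168.20.0 255.255.255.0 10.255.0.2
```

Replacing the static `route` line with a BGP, OSPF, or EIGRP adjacency formed across the 10.255.0.0/30 tunnel subnet gives the dynamic-routing variant described above; `show crypto ikev2 sa` and `show interface Tunnel1` confirm that the SA is established and the interface is passing traffic.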
There are two types of VTI interfaces: static VTI and dynamic VTI.
You can create VTI-based VPNs between:
- Two Firewall Threat Defense devices.
- A Firewall Threat Defense and a public cloud.
- One Firewall Threat Defense and another Firewall Threat Defense with service provider redundancy.
- A Firewall Threat Defense and any other device with VTI interfaces.
- A Firewall Threat Defense and another device with a policy-based VPN configuration.
For more information, see Static VTI and Dynamic VTI.