Add a VTI Interface

To configure a route-based site-to-site VPN, you must create a VTI interface on the devices at both ends of the VTI tunnel.

When you specify the tunnel type as dynamic and configure the related parameters, the management center generates a dynamic virtual template. The virtual template dynamically generates the virtual access interface that is unique for each VPN session.

Before you begin

Configure a loopback interface for redundancy of static and dynamic VTI VPN tunnels. For more information, see Configure a Loopback Interface.

For a Secure Firewall 3100 or Secure Firewall 4200 device, IPsec flow offload is also used when the device's VTI loopback interface is enabled.

Procedure
Step 1

Choose Devices > Device Management.

Step 2

Click the Edit icon next to the device on which you want to create a VTI interface.

Step 3

Choose Add Interfaces > Virtual Tunnel Interface.

Step 4

Select the Tunnel Type as Static or Dynamic.

Step 5

Enter the name and description for the interface. By default, the interface is enabled.

Ensure that you specify a name that is not longer than 28 characters.

Step 6

(Optional) Choose a security zone from the Security Zone drop-down list to add the static VTI or dynamic VTI interface to that zone.

If you want to perform traffic inspection based on a security zone, add the VTI interface to the security zone and configure an access control (AC) rule. To permit the VPN traffic over the tunnel, you need to add an AC rule with this security zone as the source zone.

Step 7

In the Priority field, enter the priority used to load balance traffic across multiple VTIs.

The range is from 0 to 65535. The lowest number has the highest priority. This option is not applicable for dynamic VTI.

Step 8

Depending on the tunnel type, do one of the following:

  • For a dynamic VTI, enter a unique ID in the range of 1 to 10413 in the Template ID field.

  • For a static VTI, enter a unique tunnel ID in the range of 0 to 10413 in the Tunnel ID field.

Step 9

(Optional for dynamic VTI) Choose the tunnel source interface from the Tunnel Source drop-down list.

The VPN tunnel terminates at this interface, which can be a physical or loopback interface. Choose the IP address of the interface from the drop-down list. You can select the IP address irrespective of the IPsec tunnel mode. If the interface has multiple IPv6 addresses, select the address that you want to use as the tunnel endpoint.

Step 10

Under IPSec Tunnel Mode, click the IPv4 or IPv6 radio button to specify the traffic type over the IPsec tunnel.

Step 11

Under IP Address:

  • Configure IP: Enter the IPv4 or IPv6 address for the static VTI interface. You cannot configure an IP address for a dynamic VTI interface. Use the Borrow IP field for the dynamic VTI interface.

  • Borrow IP (IP unnumbered): Choose a physical or loopback interface from the drop-down list; the VTI interface inherits the IP address of that interface.

    Ensure that you use an IP address different from the tunnel source IP address. You can use this option for a static or dynamic VTI interface.

    Click + to configure a loopback interface. The loopback interface helps to overcome path failures: if an interface goes down, all interfaces remain reachable through the IP address assigned to the loopback interface.

Step 12

Click OK.

Step 13

Click Save.
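As a pre-deployment check that encodes the constraints listed in this procedure (name length, priority and ID ranges, the static versus dynamic differences, and the rule that the borrowed IP must differ from the tunnel source IP), here is an added Python validator. It is not part of this documentation or of the management center; the VtiSpec fields, the assumption that a static VTI takes exactly one of Configure IP or Borrow IP, and the sample addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class VtiSpec:
    tunnel_type: str                        # "static" or "dynamic" (Step 4)
    name: str                               # Step 5, at most 28 characters
    priority: Optional[int] = None          # Step 7, static VTI only
    template_id: Optional[int] = None       # Step 8, dynamic VTI
    tunnel_id: Optional[int] = None         # Step 8, static VTI
    tunnel_source_ip: Optional[str] = None  # address chosen in Step 9
    configured_ip: Optional[str] = None     # Step 11, Configure IP
    borrow_ip: Optional[str] = None         # Step 11, address of the borrowed interface

def _outside(value: Optional[int], lo: int, hi: int) -> bool:
    """True when the value is missing or not within [lo, hi]."""
    return value is None or not lo <= value <= hi

def validate_vti(spec: VtiSpec) -> List[str]:
    """Return the rule violations for a VTI spec; an empty list means it passes."""
    if spec.tunnel_type not in ("static", "dynamic"):
        return ["tunnel type must be static or dynamic"]
    errors = []
    if not spec.name or len(spec.name) > 28:
        errors.append("name must be 1-28 characters")
    if spec.tunnel_type == "dynamic":
        if spec.priority is not None:
            errors.append("priority is not applicable to a dynamic VTI")
        if _outside(spec.template_id, 1, 10413):
            errors.append("dynamic VTI needs a template ID in 1-10413")
        if spec.configured_ip is not None:
            errors.append("dynamic VTI cannot use Configure IP; use Borrow IP")
        if spec.borrow_ip is None:
            errors.append("dynamic VTI needs a Borrow IP interface")
    else:
        if spec.priority is not None and _outside(spec.priority, 0, 65535):
            errors.append("priority must be in 0-65535")
        if _outside(spec.tunnel_id, 0, 10413):
            errors.append("static VTI needs a tunnel ID in 0-10413")
        if spec.tunnel_source_ip is None:
            errors.append("static VTI needs a tunnel source interface")
        if (spec.configured_ip is None) == (spec.borrow_ip is None):   # assumed: exactly one
            errors.append("static VTI needs exactly one of Configure IP or Borrow IP")
    # Step 11: the borrowed address must differ from the tunnel source address.
    if spec.borrow_ip and spec.tunnel_source_ip and \
            ipaddress.ip_address(spec.borrow_ip) == ipaddress.ip_address(spec.tunnel_source_ip):
        errors.append("borrowed IP must differ from the tunnel source IP")
    return errors
```

Run validate_vti on the spec you intend to enter before clicking Save; any returned string corresponds to a step above that needs correcting.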