Virtual Tunnel Interface (VTI)

Also known as: VTI

IPsec virtual tunnel interfaces are used for route-based VPNs to provide a routable interface for terminating IPsec tunnels. This is in contrast to Policy Based VPNS which require configuration of explicit access-lists and crypto-maps. The VTI’s on either side of the tunnel allow the use of static routes to send traffic over the VPN tunnel, allowing for more easily failing out of the VPN, routing traffic elsewhere.

As an example, one side of the tunnel might have a VTI IP of and the other (they must be non-overlapping). One can ping or from a side to test connectivity over the tunnel. One can use static routes or dynamic routing protocols to run over the tunnel, such as BGP.