
Re: IPSEC Traffic and Firewall

VTI is a virtual tunnel interface. You need to define one under the interfaces section, giving it an address in a subnet that's not in your LAN. Then you add the interface to the LAN security zone. Lastly, you use the vti config tree under your site-to-site section instead of the tunnel config tree.

On the other end you do the same thing, giving the vti a different IP in the same subnet as the vti on router one.

That will get the tunnel up. Then you need to define static routes or bring up a routing protocol to actually pass the traffic.

Assuming eth1 is your LAN interface on both ends, the internal traffic moves like this:

RouterA LAN 192.168.1.0/24
RouterA eth1 192.168.1.1
RouterA vti0 192.168.255.1
Shared VTI Subnet 192.168.255.0/30
RouterB vti0 192.168.255.2
RouterB eth1 192.168.2.1
RouterB LAN 192.168.2.0/24

RouterA needs a static route to 192.168.2.0/24 via 192.168.255.2
RouterB needs a static route to 192.168.1.0/24 via 192.168.255.1
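A concrete configuration for the setup described above, added here as an illustration and not taken from the original post. It assumes an EdgeOS/VyOS-style CLI (which the post's "config tree" wording suggests), eth0 as the WAN interface with public addresses 203.0.113.1 (RouterA) and 203.0.113.2 (RouterB), an already existing zone named LAN, placeholder group names IKE-VTI and ESP-VTI, and a placeholder pre-shared key.

```vyos
# Added example, not from the original post: route-based IPsec on two
# EdgeOS/VyOS-style routers with the addresses from the post above.
# Assumed: eth0 is the WAN (203.0.113.1 / 203.0.113.2), a zone named LAN
# already exists, IKE-VTI / ESP-VTI are placeholder group names, and the
# pre-shared key is a placeholder to be replaced.

# ---------- RouterA ----------
# 1. VTI address in a subnet that is NOT a LAN subnet (192.168.255.0/30)
set interfaces vti vti0 address 192.168.255.1/30
set interfaces vti vti0 description 'to RouterB'

# 2. Put vti0 in the same zone as eth1 so LAN <-> tunnel traffic is
#    intra-zone instead of being dropped by the zone policy
set zone-policy zone LAN interface eth1
set zone-policy zone LAN interface vti0

# 3. The vti tree under site-to-site, not the 'tunnel' tree
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec ike-group IKE-VTI proposal 1 encryption aes256
set vpn ipsec ike-group IKE-VTI proposal 1 hash sha256
set vpn ipsec ike-group IKE-VTI proposal 1 dh-group 14
set vpn ipsec esp-group ESP-VTI proposal 1 encryption aes256
set vpn ipsec esp-group ESP-VTI proposal 1 hash sha256
set vpn ipsec site-to-site peer 203.0.113.2 local-address 203.0.113.1
set vpn ipsec site-to-site peer 203.0.113.2 ike-group IKE-VTI
set vpn ipsec site-to-site peer 203.0.113.2 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 203.0.113.2 authentication pre-shared-secret 'REPLACE-WITH-A-LONG-RANDOM-PSK'
set vpn ipsec site-to-site peer 203.0.113.2 vti bind vti0
set vpn ipsec site-to-site peer 203.0.113.2 vti esp-group ESP-VTI

# 4. An established tunnel carries nothing by itself: route the far LAN
#    via the far end of the VTI subnet
set protocols static route 192.168.2.0/24 next-hop 192.168.255.2

# ---------- RouterB (mirror image; ike/esp groups identical to RouterA) ----------
set interfaces vti vti0 address 192.168.255.2/30
set zone-policy zone LAN interface eth1
set zone-policy zone LAN interface vti0
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec site-to-site peer 203.0.113.1 local-address 203.0.113.2
set vpn ipsec site-to-site peer 203.0.113.1 ike-group IKE-VTI
set vpn ipsec site-to-site peer 203.0.113.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 203.0.113.1 authentication pre-shared-secret 'REPLACE-WITH-A-LONG-RANDOM-PSK'
set vpn ipsec site-to-site peer 203.0.113.1 vti bind vti0
set vpn ipsec site-to-site peer 203.0.113.1 vti esp-group ESP-VTI
set protocols static route 192.168.1.0/24 next-hop 192.168.255.1
```

After `commit` and `save` on both routers, `show vpn ipsec sa` should list the peer as up and `show ip route` should show the far LAN reachable via vti0. If the SA is up but pings between the LANs fail, the zone membership or the static routes are the first things to check.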
