diff --git a/python/vyos/ifconfig/vti.py b/python/vyos/ifconfig/vti.py
index 9ebbeb9ed..9511386f4 100644
--- a/python/vyos/ifconfig/vti.py
+++ b/python/vyos/ifconfig/vti.py
@@ -1,59 +1,65 @@
-# Copyright 2021-2022 VyOS maintainers and contributors <maintainers@vyos.io>
+# Copyright 2021-2024 VyOS maintainers and contributors <maintainers@vyos.io>
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
 # License as published by the Free Software Foundation; either
 # version 2.1 of the License, or (at your option) any later version.
 #
 # This library is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 # Lesser General Public License for more details.
 #
 # You should have received a copy of the GNU Lesser General Public
 # License along with this library.  If not, see <http://www.gnu.org/licenses/>.
 
 from vyos.ifconfig.interface import Interface
 from vyos.utils.dict import dict_search
 
 @Interface.register
 class VTIIf(Interface):
     iftype = 'vti'
     definition = {
         **Interface.definition,
         **{
             'section': 'vti',
             'prefixes': ['vti', ],
         },
     }
 
     def _create(self):
         # This table represents a mapping from VyOS internal config dict to
         # arguments used by iproute2. For more information please refer to:
         # - https://man7.org/linux/man-pages/man8/ip-link.8.html
         # - https://man7.org/linux/man-pages/man8/ip-tunnel.8.html
         mapping = {
             'source_interface' : 'dev',
         }
         if_id = self.ifname.lstrip('vti')
         # The key defaults to 0 and will match any policies which similarly do
         # not have a lookup key configuration - thus we shift the key by one
         # to also support a vti0 interface
         if_id = str(int(if_id) +1)
         cmd = f'ip link add {self.ifname} type xfrm if_id {if_id}'
         for vyos_key, iproute2_key in mapping.items():
             # dict_search will return an empty dict "{}" for valueless nodes like
             # "parameters.nolearning" - thus we need to test the nodes existence
             # by using isinstance()
             tmp = dict_search(vyos_key, self.config)
             if isinstance(tmp, dict):
                 cmd += f' {iproute2_key}'
             elif tmp != None:
                 cmd += f' {iproute2_key} {tmp}'
 
         self._cmd(cmd.format(**self.config))
+
+        # interface is always A/D down. It needs to be enabled explicitly
         self.set_interface('admin_state', 'down')
 
+    def set_admin_state(self, state):
+        """ Handled outside by /etc/ipsec.d/vti-up-down """
+        pass
+
     def get_mac(self):
         """ Get a synthetic MAC address. """
         return self.get_mac_synthetic()
diff --git a/smoketest/scripts/cli/test_interfaces_vti.py b/smoketest/scripts/cli/test_interfaces_vti.py
index 7f13575a3..871ac650b 100755
--- a/smoketest/scripts/cli/test_interfaces_vti.py
+++ b/smoketest/scripts/cli/test_interfaces_vti.py
@@ -1,31 +1,48 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2023 VyOS maintainers and contributors
+# Copyright (C) 2023-2024 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
 # published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 import unittest
 
 from base_interfaces_test import BasicInterfaceTest
 
+from vyos.ifconfig import Interface
+from vyos.utils.network import is_intf_addr_assigned
+
 class VTIInterfaceTest(BasicInterfaceTest.TestCase):
     @classmethod
     def setUpClass(cls):
         cls._base_path = ['interfaces', 'vti']
         cls._interfaces = ['vti10', 'vti20', 'vti30']
 
         # call base-classes classmethod
         super(VTIInterfaceTest, cls).setUpClass()
 
+    def test_add_single_ip_address(self):
+        addr = '192.0.2.0/31'
+        for intf in self._interfaces:
+            self.cli_set(self._base_path + [intf, 'address', addr])
+            for option in self._options.get(intf, []):
+                self.cli_set(self._base_path + [intf] + option.split())
+
+        self.cli_commit()
+
+        # VTI interface are always down and only brought up by IPSec
+        for intf in self._interfaces:
+            self.assertTrue(is_intf_addr_assigned(intf, addr))
+            self.assertEqual(Interface(intf).get_admin_state(), 'down')
+
 if __name__ == '__main__':
     unittest.main(verbosity=2)
diff --git a/src/etc/ipsec.d/vti-up-down b/src/etc/ipsec.d/vti-up-down
index 441b316c2..01e9543c9 100755
--- a/src/etc/ipsec.d/vti-up-down
+++ b/src/etc/ipsec.d/vti-up-down
@@ -1,64 +1,66 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2021-2023 VyOS maintainers and contributors
+# Copyright (C) 2021-2024 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
 # published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 # Script called up strongswan to bring the VTI interface up/down based on
 # the state of the IPSec tunnel. Called as vti_up_down vti_intf_name
 
 import os
 import sys
 
 from syslog import syslog
 from syslog import openlog
 from syslog import LOG_PID
 from syslog import LOG_INFO
 
 from vyos.configquery import ConfigTreeQuery
 from vyos.configdict import get_interface_dict
 from vyos.ifconfig import VTIIf
 from vyos.utils.process import call
 from vyos.utils.network import get_interface_config
 
 if __name__ == '__main__':
     verb = os.getenv('PLUTO_VERB')
     connection = os.getenv('PLUTO_CONNECTION')
     interface = sys.argv[1]
 
     openlog(ident=f'vti-up-down', logoption=LOG_PID, facility=LOG_INFO)
     syslog(f'Interface {interface} {verb} {connection}')
 
     if verb in ['up-client', 'up-host']:
         call('sudo ip route delete default table 220')
 
     vti_link = get_interface_config(interface)
 
     if not vti_link:
         syslog(f'Interface {interface} not found')
         sys.exit(0)
 
     vti_link_up = (vti_link['operstate'] != 'DOWN' if 'operstate' in vti_link else False)
 
     if verb in ['up-client', 'up-host']:
         if not vti_link_up:
             conf = ConfigTreeQuery()
             _, vti = get_interface_dict(conf.config, ['interfaces', 'vti'], interface)
             if 'disable' not in vti:
                 tmp = VTIIf(interface)
                 tmp.update(vti)
+                call(f'sudo ip link set {interface} up')
             else:
+                call(f'sudo ip link set {interface} down')
                 syslog(f'Interface {interface} is admin down ...')
     elif verb in ['down-client', 'down-host']:
         if vti_link_up:
             call(f'sudo ip link set {interface} down')