Site-to-site
Site-to-site VPN configuration provides a way to connect two peers, and the subnets behind them, through an IPsec tunnel. Site-to-site tunnels can be configured either directly with global IPsec policies (policy-based VPN) or with VTI interfaces (route-based VPN).
After the regular routing lookup, OSDx consults the security policy database (SPD) for a matching policy. If one is found and it is associated with an IPsec SA, the packet is processed accordingly (for example, it is encrypted and sent as an ESP packet); a packet that matches no policy is forwarded in the clear as the routing table dictates.
Configuration
Global VPN IPsec policies
The most common and flexible way to configure IPsec policies in OSDx is through global VPN site-to-site instances. They are configured with the following command:
vpn ipsec site-to-site peer <id> tunnel <u32>
Here, you can find different configuration examples.
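The following policy-based configuration is an added example, not taken from the OSDx documentation. It combines the tunnel command above with the peer parameters and traffic-selector commands listed further down this page. It assumes that an auth-profile, IKE group and ESP groups named AUTH1, IKE1, ESP1 and ESP2 have already been defined, that connection-type accepts the values initiate and respond, that protocol accepts the name tcp, and that set is the configuration-mode prefix; the addresses are RFC 5737 documentation ranges chosen for the example.

```text
# Added example (not from the OSDx docs): policy-based peer "SITE_B".
# Assumed: AUTH1 / IKE1 / ESP1 / ESP2 already exist, connection-type takes
# initiate|respond, protocol accepts "tcp", addresses are documentation ranges.
set vpn ipsec site-to-site peer SITE_B connection-type initiate
set vpn ipsec site-to-site peer SITE_B auth-profile AUTH1
set vpn ipsec site-to-site peer SITE_B ike-group IKE1
set vpn ipsec site-to-site peer SITE_B default-esp-group ESP1
set vpn ipsec site-to-site peer SITE_B local-address 203.0.113.1
set vpn ipsec site-to-site peer SITE_B remote-address 198.51.100.1

# Tunnel 1: LAN-to-LAN selector, inherits the peer default ESP group.
set vpn ipsec site-to-site peer SITE_B tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer SITE_B tunnel 1 remote prefix 10.2.0.0/24

# Tunnel 2: narrow selector, only TCP to port 443 from one host to one
# server, with its own ESP group. Anything outside both selectors is
# not matched by the SPD and is routed in the clear.
set vpn ipsec site-to-site peer SITE_B tunnel 2 esp-group ESP2
set vpn ipsec site-to-site peer SITE_B tunnel 2 protocol tcp
set vpn ipsec site-to-site peer SITE_B tunnel 2 local prefix 10.1.0.10/32
set vpn ipsec site-to-site peer SITE_B tunnel 2 remote prefix 10.2.0.20/32
set vpn ipsec site-to-site peer SITE_B tunnel 2 remote port 443
```

The responder side carries the mirror image: local-address and remote-address swapped, connection-type respond, and each tunnel's local and remote prefixes, protocol and ports exchanged. Selectors that do not mirror each other are rejected during the IKE CHILD_SA negotiation and the tunnel never comes up, so after a commit verify that every tunnel is established, not only the peer. Keeping selectors as narrow as the use case allows is the policy-based equivalent of least privilege: only the traffic you listed is ever encrypted and, on the receiving side, only that traffic is accepted from the tunnel.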
VTI interfaces
There is an alternative that involves the use of VTI interfaces. These interfaces simplify the creation of matching policies by using a different technique called route-based VPN: IPsec processing no longer depends only on the negotiated policies, but is also controlled by routing packets to a specific interface.
In fact, VTI interfaces act as a wrapper around existing IPsec policies. This means you cannot simply route arbitrary packets to a VTI interface to get them tunneled: the established IPsec policies (traffic selectors) have to match too, and traffic routed to the interface that falls outside them is not tunneled. However, it is possible to negotiate 0.0.0.0/0 traffic selectors on both ends so that any traffic routed via the VTI interface is tunneled.
VTI interfaces can be configured by using the following commands:
vpn ipsec site-to-site peer <id> vti
and
interfaces vti <txt> ipsec <id>
Here, you can find different configuration examples.
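The following route-based configuration is an added example, not taken from the OSDx documentation, showing the two commands above together with the peer parameters listed further down. Beyond what the page states, it assumes that AUTH1, IKE1 and ESP1 are already defined, that connection-type accepts initiate and respond, and that interfaces vti <name> address and protocols static route <prefix> interface <ifc> are the OSDx commands for assigning an address to the VTI and for adding a static route through it; vti0 and all addresses are chosen for the example.

```text
# Added example (not from the OSDx docs): route-based peer "SITE_C" on vti0.
# Assumed: AUTH1 / IKE1 / ESP1 exist, connection-type takes initiate|respond,
# and the "address" and "protocols static route ... interface" commands below.
set vpn ipsec site-to-site peer SITE_C connection-type initiate
set vpn ipsec site-to-site peer SITE_C auth-profile AUTH1
set vpn ipsec site-to-site peer SITE_C ike-group IKE1
set vpn ipsec site-to-site peer SITE_C default-esp-group ESP1
set vpn ipsec site-to-site peer SITE_C local-address 203.0.113.1
set vpn ipsec site-to-site peer SITE_C remote-address 192.0.2.1

# 0.0.0.0/0 on both ends: any packet routed through vti0 matches the policy.
# The remote peer must negotiate the same wide selectors or the CHILD_SA fails.
set vpn ipsec site-to-site peer SITE_C vti local prefix 0.0.0.0/0
set vpn ipsec site-to-site peer SITE_C vti remote prefix 0.0.0.0/0

# Bind the interface to the peer (wrapper around SITE_C's policies).
set interfaces vti vti0 ipsec SITE_C
set interfaces vti vti0 address 10.255.0.1/30

# From here on the routing table decides what is tunneled: only these two
# prefixes go through vti0, everything else follows the normal routes.
set protocols static route 10.3.0.0/24 interface vti0
set protocols static route 10.4.0.0/24 interface vti0
```

With 0.0.0.0/0 selectors the tunnel's scope is exactly the set of routes pointing at vti0, so review those routes as carefully as you would review a policy-based selector list: a default route via vti0 would send all traffic, management sessions included, to the remote site. Conversely, if narrower vti prefixes are negotiated, a route that sends unmatched traffic into vti0 does not tunnel it, because the VTI only wraps the policies that were actually established.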
Site-to-site peers
Regardless of the VPN site-to-site option chosen for the instance, the following parameters need to be configured:
vpn ipsec site-to-site peer <id> connection-type <id>: indicates how the peer should behave (for example, whether it initiates the connection or just waits for incoming requests).
vpn ipsec site-to-site peer <id> auth-profile <id>, vpn ipsec site-to-site peer <id> ike-group <id> and vpn ipsec site-to-site peer <id> default-esp-group <id>: indicate the authentication profile, IKE group and default ESP group that will be used for the specified peer (a tunnel may override the ESP group with tunnel <u32> esp-group <id>). Here, you can find more information about IPsec groups/profiles.
The remote end-point needs to be set if the peer is configured as initiator. This option can be configured with the following command:
vpn ipsec site-to-site peer <id> remote-address <ipv4|ipv6|fqdn|id>
On the other hand, the local end-point parameters can be set by using the following configuration commands:
vpn ipsec site-to-site peer <id> local-address <ipv4|ipv6|fqdn|id>
vpn ipsec site-to-site peer <id> tunnel <u32> local-interface <ifc>
vpn ipsec site-to-site peer <id> tunnel <u32> local-vrf <id>
Finally, the following configuration commands can be used to specify the network prefixes (the traffic selectors) that will be negotiated for each tunnel (note that multiple networks are allowed). The prefixes must mirror those configured on the remote end, and they should be kept as narrow as the use case allows, since everything they cover is diverted into the tunnel and everything outside them is sent in the clear:
vpn ipsec site-to-site peer <id> tunnel <u32> local prefix <ipv4net|ipv6net>
vpn ipsec site-to-site peer <id> tunnel <u32> remote prefix <ipv4net|ipv6net>
vpn ipsec site-to-site peer <id> vti local prefix <ipv4net|ipv6net>
vpn ipsec site-to-site peer <id> vti remote prefix <ipv4net|ipv6net>
Command summary
Configuration commands
vpn ipsec site-to-site peer <id> local-address <ipv4|ipv6|fqdn|id>
vpn ipsec site-to-site peer <id> remote-address <ipv4|ipv6|fqdn|id>
vpn ipsec site-to-site peer <id> tunnel <u32> esp-group <id>
vpn ipsec site-to-site peer <id> tunnel <u32> local port <u32>
vpn ipsec site-to-site peer <id> tunnel <u32> local prefix <ipv4net|ipv6net>
vpn ipsec site-to-site peer <id> tunnel <u32> local-interface <ifc>
vpn ipsec site-to-site peer <id> tunnel <u32> local-vrf <id>
vpn ipsec site-to-site peer <id> tunnel <u32> protocol <u32|id>
vpn ipsec site-to-site peer <id> tunnel <u32> remote port <u32>
vpn ipsec site-to-site peer <id> tunnel <u32> remote prefix <ipv4net|ipv6net>
vpn ipsec site-to-site peer <id> vti local prefix <ipv4net|ipv6net>
vpn ipsec site-to-site peer <id> vti remote prefix <ipv4net|ipv6net>