============
Site-to-site
============

.. sidebar:: Contents

   .. contents::
      :depth: 2
      :local:

Site-to-site VPN configuration provides a way to connect two subnets or peers with each other through an IPsec tunnel. Site-to-site tunnels can be configured directly using *global* IPsec policies or VTI interfaces.

Following the regular lookups, OSDx checks the security policy database for a matching policy and, if one linked to an IPsec SA is found, the packet is processed accordingly (e.g., it is encrypted and sent as an ESP packet).

Configuration
=============

Global VPN IPsec policies
-------------------------

The most common and flexible way to configure IPsec policies in OSDx is through global VPN site-to-site instances. These are configured via the following command: :osdx:cfg:`vpn ipsec site-to-site peer * tunnel *`.

:doc:`Here `, you can find different configuration examples.

VTI interfaces
--------------

An alternative is to use VTI interfaces. These interfaces simplify the creation of the *matching policies* by using a different technique called route-based VPN. Here, IPsec processing does not depend only on the negotiated policies, but can also be controlled by routing packets to a specific interface.

In fact, VTI interfaces act like a wrapper around existing IPsec policies. This means you cannot simply route arbitrary packets to a VTI interface to have them tunneled: the configured IPsec policies need to match as well. However, it is possible to negotiate 0.0.0.0/0 traffic selectors on both ends to allow the tunneling of any traffic routed via the VTI interface.

VTI interfaces are configured via the following commands: :osdx:cfg:`vpn ipsec site-to-site peer * vti` and :osdx:cfg:`interfaces vti * ipsec *`.

:doc:`Here `, you can find different configuration examples.
Site-to-site peers
------------------

Regardless of the VPN site-to-site option chosen for the instance, the following parameters need to be configured:

* :osdx:cfg:`vpn ipsec site-to-site peer * connection-type *`: indicates how the peer should behave (e.g., whether it should trigger the connection or just wait for incoming requests).
* :osdx:cfg:`vpn ipsec site-to-site peer * auth-profile *`, :osdx:cfg:`vpn ipsec site-to-site peer * ike-group *` and :osdx:cfg:`vpn ipsec site-to-site peer * default-esp-group *`: indicate the IPsec profile and groups that will be used for the specified peer.

:doc:`Here `, you can find more information about IPsec groups/profiles.

The *remote end-point* needs to be entered if the peer is configured as ``initiator``. This option is configured via the following command: :osdx:cfg:`vpn ipsec site-to-site peer * remote-address *`.

On the other hand, *local end-point* parameters can be set using the following configuration commands:

* :osdx:cfg:`vpn ipsec site-to-site peer * dhcp-interface *`.
* :osdx:cfg:`vpn ipsec site-to-site peer * local-address *`.
* :osdx:cfg:`vpn ipsec site-to-site peer * local-vrf *`.

Finally, the following configuration commands specify the network prefixes that will be negotiated for each tunnel (note that multiple networks are allowed):

* :osdx:cfg:`vpn ipsec site-to-site peer * tunnel * local prefix *`.
* :osdx:cfg:`vpn ipsec site-to-site peer * tunnel * remote prefix *`.
* :osdx:cfg:`vpn ipsec site-to-site peer * vti local prefix *`.
* :osdx:cfg:`vpn ipsec site-to-site peer * vti remote prefix *`.

Command summary
===============

.. osdx:cmdtree:: cfg vpn ipsec site-to-site
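The following constructed configuration is added here as an illustration of the peer parameters described above; it is not one of the OSDx documentation's own examples. It sets up two initiator peers: a policy-based tunnel that protects only the two negotiated subnets, and a VTI-bound tunnel with 0.0.0.0/0 selectors on both ends, where a route decides what enters the tunnel. The peer, profile and group names, the addresses, the ``set`` prefix, the argument of ``interfaces vti * ipsec *`` (assumed to be the peer name) and the static route command form are assumptions.

```text
# Policy-based tunnel: only packets matching the negotiated prefixes are
# protected (constructed example; all names and addresses are placeholders)
set vpn ipsec site-to-site peer BRANCH-A connection-type initiator
set vpn ipsec site-to-site peer BRANCH-A remote-address 203.0.113.10
set vpn ipsec site-to-site peer BRANCH-A local-address 198.51.100.1
set vpn ipsec site-to-site peer BRANCH-A auth-profile AUTH-PSK
set vpn ipsec site-to-site peer BRANCH-A ike-group IKE-DEFAULT
set vpn ipsec site-to-site peer BRANCH-A default-esp-group ESP-DEFAULT
set vpn ipsec site-to-site peer BRANCH-A tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer BRANCH-A tunnel 1 remote prefix 10.2.0.0/24

# Route-based tunnel: 0.0.0.0/0 selectors on both ends, so the policy matches
# anything routed to vti0 and the routing table decides what is tunneled
set vpn ipsec site-to-site peer BRANCH-B connection-type initiator
set vpn ipsec site-to-site peer BRANCH-B remote-address 203.0.113.20
set vpn ipsec site-to-site peer BRANCH-B local-address 198.51.100.1
set vpn ipsec site-to-site peer BRANCH-B auth-profile AUTH-PSK
set vpn ipsec site-to-site peer BRANCH-B ike-group IKE-DEFAULT
set vpn ipsec site-to-site peer BRANCH-B default-esp-group ESP-DEFAULT
set vpn ipsec site-to-site peer BRANCH-B vti local prefix 0.0.0.0/0
set vpn ipsec site-to-site peer BRANCH-B vti remote prefix 0.0.0.0/0

# Bind the VTI interface to the peer (argument assumed to be the peer name)
set interfaces vti vti0 ipsec BRANCH-B

# Static route sending the far subnet into the VTI (command form assumed)
set protocols static route 10.3.0.0/24 interface vti0
```

With 0.0.0.0/0 selectors, the routing table rather than the IPsec policy determines which traffic is protected, so only the routes intended for the remote site should point at the VTI interface.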