Site-to-site

A site-to-site VPN connects two subnets, or two peers, with each other through an IPsec tunnel. Site-to-site tunnels can be configured either directly with global IPsec policies or through VTI interfaces.

After the regular routing lookup, OSDx checks the security policy database (SPD) for a policy matching the packet. If a matching policy linked to an IPsec SA is found, the packet is processed accordingly (for example, encrypted and sent as an ESP packet).

Configuration

Global VPN IPsec policies

The most common and flexible way to configure IPsec policies in OSDx is through global VPN site-to-site instances. These are configured via the following command: vpn ipsec site-to-site peer <id> tunnel <u32>. Here, you can find different configuration examples.

VTI interfaces

An alternative is to use VTI interfaces. They follow a different approach, known as route-based VPN, which simplifies the creation of matching policies: IPsec processing no longer depends solely on the negotiated policies, but is also controlled by routing packets to a specific interface.

VTI interfaces are in fact a wrapper around existing IPsec policies. Routing arbitrary packets to a VTI interface is therefore not enough to get them tunneled: the packets must also match the traffic selectors of the IPsec policies negotiated for that tunnel. Negotiating 0.0.0.0/0 traffic selectors on both ends, however, allows any traffic routed through the VTI interface to be tunneled.

VTI interfaces can be configured via the following commands: vpn ipsec site-to-site peer <id> vti and interfaces vti <txt> ipsec <id>. Here, you can find different configuration examples.
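As an added illustration (not OSDx code and not taken from this page), the following Python model reproduces the packet path described above: a routing lookup first, then an SPD lookup for a policy whose traffic selectors match, for both a global policy-based tunnel and a VTI-bound tunnel. It shows why a packet routed to a VTI without a matching policy is not tunneled, how 0.0.0.0/0 selectors change that, and how a routing decision (not the selectors) keeps traffic away from the VTI. The class and function names, the interface names, the peer name hq, the tunnel numbers and all addresses are assumptions constructed for the example; discarding an unmatched packet on the VTI is the model's choice, not an OSDx behaviour stated on this page.

```python
# Added example, not OSDx code: model of the routing lookup followed by the
# SPD lookup for site-to-site IPsec. All names/addresses are made up.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Set


@dataclass(frozen=True)
class Policy:
    """One negotiated traffic-selector pair of a site-to-site tunnel."""
    peer: str                   # vpn ipsec site-to-site peer <id>
    tunnel: int                 # ... tunnel <u32>
    local: IPv4Network          # local prefix (traffic selector)
    remote: IPv4Network         # remote prefix (traffic selector)
    vti: Optional[str] = None   # VTI interface the tunnel is bound to, if any


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    iface: str


class PacketPath:
    """Routing table plus SPD; forward() tells what happens to a packet."""

    def __init__(self, routes: List[Route], policies: List[Policy],
                 vti_ifaces: Set[str]):
        # Longest-prefix match: most specific route is tried first.
        self.routes = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)
        self.policies = policies
        self.vti_ifaces = vti_ifaces

    def route_lookup(self, dst: IPv4Address) -> Optional[str]:
        for r in self.routes:
            if dst in r.prefix:
                return r.iface
        return None

    def spd_lookup(self, src: IPv4Address, dst: IPv4Address,
                   iface: str) -> Optional[Policy]:
        """Global policies apply to packets leaving a regular interface;
        VTI-bound policies only to packets that routing sent to that VTI."""
        for p in self.policies:
            if p.vti is None and iface in self.vti_ifaces:
                continue
            if p.vti is not None and p.vti != iface:
                continue
            if src in p.local and dst in p.remote:
                return p
        return None

    def forward(self, src: str, dst: str) -> str:
        s, d = ip_address(src), ip_address(dst)
        iface = self.route_lookup(d)
        if iface is None:
            return "DROP: no route"
        p = self.spd_lookup(s, d, iface)
        if p is not None:
            return f"ESP peer={p.peer} tunnel={p.tunnel}"
        if iface in self.vti_ifaces:
            # Model's choice: a VTI carries no clear-text, so a packet routed
            # to it without a matching policy is discarded, not tunneled.
            return f"DROP: routed to {iface} but no policy matches"
        return f"PLAIN via {iface}"


def policy_based_example() -> PacketPath:
    """Global policies: one tunnel with two remote networks, everything routed
    out eth0; the SPD alone decides what gets encrypted."""
    return PacketPath(
        routes=[Route(ip_network("0.0.0.0/0"), "eth0")],
        policies=[
            Policy("hq", 1, ip_network("10.0.1.0/24"), ip_network("10.0.2.0/24")),
            Policy("hq", 1, ip_network("10.0.1.0/24"), ip_network("10.0.3.0/24")),
        ],
        vti_ifaces=set(),
    )


def vti_example(any_selector: bool) -> PacketPath:
    """Route-based: two prefixes routed into vti0, one tunnel bound to it.
    With any_selector=True the tunnel negotiated 0.0.0.0/0 on both ends."""
    local = remote = ip_network("0.0.0.0/0")
    if not any_selector:
        local, remote = ip_network("10.0.1.0/24"), ip_network("10.0.2.0/24")
    return PacketPath(
        routes=[
            Route(ip_network("0.0.0.0/0"), "eth0"),
            Route(ip_network("10.0.2.0/24"), "vti0"),
            Route(ip_network("192.168.0.0/16"), "vti0"),
        ],
        policies=[Policy("hq", 1, local, remote, vti="vti0")],
        vti_ifaces={"vti0"},
    )


if __name__ == "__main__":
    print(policy_based_example().forward("10.0.1.5", "10.0.3.7"))  # ESP peer=hq tunnel=1
    print(vti_example(False).forward("10.0.1.5", "192.168.1.1"))   # DROP: routed to vti0 ...
    print(vti_example(True).forward("10.0.1.5", "192.168.1.1"))    # ESP peer=hq tunnel=1
    print(vti_example(True).forward("10.0.1.5", "8.8.8.8"))        # PLAIN via eth0
```

The last case is the route-based point in practice: even with 0.0.0.0/0 selectors on the VTI-bound tunnel, a destination that routing sends out eth0 never reaches the VTI and is therefore sent in the clear; with narrow selectors, a prefix routed into the VTI but outside the selectors is neither tunneled nor leaked.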

Site-to-site peers

Regardless of the VPN site-to-site option chosen for the instance, the following parameters need to be configured:

The remote end-point must be configured if the peer acts as initiator. It is set via the following command: vpn ipsec site-to-site peer <id> remote-address <ipv4|ipv6|fqdn|id>.

Local end-point parameters can be set using the following configuration commands:

Finally, the following configuration commands specify the network prefixes that will be negotiated as traffic selectors for each tunnel (note that multiple networks per tunnel are allowed):

Command summary

Configuration commands