Site-to-site
Site-to-site VPN configuration provides a way to connect two subnets or peers with each other through an IPsec tunnel. Site-to-site tunnels can be configured directly through global IPsec policies or through VTI/XFRM interfaces.
After the regular routing lookup, OSDx checks the security policy database (SPD) for a matching policy. If one is found and it is linked to an IPsec SA, the packet is processed accordingly (e.g., it is encrypted and sent as an ESP packet).
Configuration
Global VPN IPsec policies
The most common and flexible way to configure IPsec policies in OSDx is through global VPN site-to-site instances. These are configured with the following command: vpn ipsec site-to-site peer <id> tunnel <u32>.
Here, you can find different configuration examples.
VTI interfaces
There is an alternative that involves the use of VTI interfaces. These interfaces simplify the creation of matching policies by using a different technique, known as route-based VPN: IPsec processing no longer depends only on the negotiated policies, but can also be controlled by routing packets to a specific interface.
In fact, VTI interfaces act as a wrapper around existing IPsec policies. This means you cannot simply route arbitrary packets to a VTI interface to get them tunneled: the configured IPsec policies (traffic selectors) must match as well. However, it is possible to negotiate 0.0.0.0/0 traffic selectors on both ends so that any traffic routed via the VTI interface is tunneled.
VTI interfaces are configured with the following commands: vpn ipsec site-to-site peer <id> vti and interfaces vti <txt> ipsec <id>.
Here, you can find different configuration examples.
XFRM interfaces
XFRM (transform) interfaces are a modern Linux kernel feature designed to simplify route-based VPN configurations by decoupling IPsec processing from the traditional policy-based mechanism. They offer significant advantages over VTI devices:
No tunnel endpoints required: unlike VTI devices, XFRM interfaces do not require explicit tunnel endpoint addresses, which gives more flexibility in configurations.
Multi-protocol support: IPv4 and IPv6 traffic can coexist on the same interface, so there is no need for a separate device per address family.
Support for all IPsec modes: XFRM interfaces work with both tunnel and transport mode, whereas VTIs are limited to tunnel mode (since tunnel mode is the only mode supported by OSDx, this difference is not exposed in practice).
Identifier-based linking: policies and SAs are linked to the interface via an if_id (interface ID), so routing decisions are based on this identifier rather than on complex packet-mark configurations.
Creating XFRM interfaces
XFRM interfaces are created with the interfaces xfrm command. The interface ID (if_id) is taken from the interface name, for example xfrm1. XFRM interfaces support most of the features available on other interfaces, such as traffic policies, offload and NetFlow.
XFRM interfaces are created with the following command: interfaces xfrm <txt>
Configuring XFRM interfaces
XFRM interfaces can be attached to site-to-site peers with the following commands:
vpn ipsec site-to-site peer <id> xfrm-interface-out <txt> and vpn ipsec site-to-site peer <id> xfrm-interface-in <txt>: these commands specify the XFRM interface used by default for every tunnel of this peer, unless a tunnel specifies its own interface.
vpn ipsec site-to-site peer <id> tunnel <u32> xfrm-interface-out <txt> and vpn ipsec site-to-site peer <id> tunnel <u32> xfrm-interface-in <txt>: these commands override the default XFRM interface for a specific tunnel. This is useful when different tunnels of the same peer must use different XFRM interfaces.
Here, you can find examples of XFRM interfaces configured with site-to-site peers.
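The following configuration is an added example, not taken from the OSDx documentation or from a shipped configuration. It combines the commands above into a route-based peer with one XFRM interface carrying both an IPv4 and an IPv6 tunnel. The profile names (AUTH1, IKE1, ESP1), the set prefix used in configuration mode, the initiate value for connection-type and the addresses are assumptions; lines starting with # are explanations, not CLI input.

```text
# Added example (not OSDx's own documentation). AUTH1/IKE1/ESP1 are assumed to be
# defined already; the "set" prefix and "initiate" value are assumptions.
set interfaces xfrm xfrm1

set vpn ipsec site-to-site peer BRANCH connection-type initiate
set vpn ipsec site-to-site peer BRANCH auth-profile AUTH1
set vpn ipsec site-to-site peer BRANCH ike-group IKE1
set vpn ipsec site-to-site peer BRANCH default-esp-group ESP1
set vpn ipsec site-to-site peer BRANCH local-address 198.51.100.2
set vpn ipsec site-to-site peer BRANCH remote-address 203.0.113.1

# Peer-level default: every tunnel of this peer uses xfrm1 in both directions
set vpn ipsec site-to-site peer BRANCH xfrm-interface-in xfrm1
set vpn ipsec site-to-site peer BRANCH xfrm-interface-out xfrm1

# Tunnel 1: wide-open IPv4 selectors, so whatever is routed into xfrm1 is tunneled
set vpn ipsec site-to-site peer BRANCH tunnel 1 local prefix 0.0.0.0/0
set vpn ipsec site-to-site peer BRANCH tunnel 1 remote prefix 0.0.0.0/0

# Tunnel 2: IPv6 on the same interface (no second device needed)
set vpn ipsec site-to-site peer BRANCH tunnel 2 local prefix ::/0
set vpn ipsec site-to-site peer BRANCH tunnel 2 remote prefix ::/0
```

Traffic only enters the tunnel when it is routed to xfrm1, so a static route for the remote networks via xfrm1 is still required on each side (its syntax is not covered on this page). With 0.0.0.0/0 and ::/0 selectors the IPsec policy no longer restricts which hosts may talk across the tunnel; the routing table and any firewall rules applied to xfrm1 become the access control, so review them as carefully as you would a policy-based selector list. A tunnel that needs its own device can use the per-tunnel override, e.g. tunnel 2 xfrm-interface-in/xfrm-interface-out xfrm2 after creating interfaces xfrm xfrm2.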
Site-to-site peers
Regardless of the site-to-site option chosen for the instance, the following parameters need to be configured:
vpn ipsec site-to-site peer <id> connection-type <id>: indicates how the peer should behave (e.g., whether it should initiate the connection or just wait for incoming requests).
vpn ipsec site-to-site peer <id> auth-profile <id>, vpn ipsec site-to-site peer <id> ike-group <id> and vpn ipsec site-to-site peer <id> default-esp-group <id>: indicate the IPsec profile and groups used for the specified peer. Here, you can find more information about IPsec groups/profiles.
If the peer is configured as initiator, the remote end-point must be entered with the following command: vpn ipsec site-to-site peer <id> remote-address <ipv4|ipv6|fqdn|id>.
Local end-point parameters are set with vpn ipsec site-to-site peer <id> local-address <ipv4|ipv6|fqdn|id> and the related commands listed in the command summary below.
Finally, vpn ipsec site-to-site peer <id> tunnel <u32> local prefix <ipv4net|ipv6net> and vpn ipsec site-to-site peer <id> tunnel <u32> remote prefix <ipv4net|ipv6net> specify the network prefixes (traffic selectors) negotiated for each tunnel; multiple networks are allowed per peer by defining several tunnels.
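The following configuration is an added example, not taken from the OSDx documentation. It shows both ends of a policy-based site-to-site peer with two tunnels, so the mirrored traffic selectors can be compared side by side. The profile names (AUTH1, IKE1, ESP1, ESP2), the set prefix, the initiate and respond values for connection-type and all addresses are assumptions; lines starting with # are explanations, not CLI input.

```text
# Added example (not OSDx's own documentation). Profile names, "set" prefix and the
# connection-type values are assumptions.

# --- Site A (198.51.100.2): initiates the connection ---
set vpn ipsec site-to-site peer SITE_B connection-type initiate
set vpn ipsec site-to-site peer SITE_B auth-profile AUTH1
set vpn ipsec site-to-site peer SITE_B ike-group IKE1
set vpn ipsec site-to-site peer SITE_B default-esp-group ESP1
set vpn ipsec site-to-site peer SITE_B local-address 198.51.100.2
set vpn ipsec site-to-site peer SITE_B remote-address 203.0.113.1
# Tunnel 1: user LAN A <-> user LAN B, using the peer's default ESP group
set vpn ipsec site-to-site peer SITE_B tunnel 1 local prefix 10.0.1.0/24
set vpn ipsec site-to-site peer SITE_B tunnel 1 remote prefix 10.0.2.0/24
# Tunnel 2: management LANs, with a stricter ESP group overriding the default
set vpn ipsec site-to-site peer SITE_B tunnel 2 local prefix 10.0.3.0/24
set vpn ipsec site-to-site peer SITE_B tunnel 2 remote prefix 10.0.4.0/24
set vpn ipsec site-to-site peer SITE_B tunnel 2 esp-group ESP2

# --- Site B (203.0.113.1): waits for Site A ---
set vpn ipsec site-to-site peer SITE_A connection-type respond
set vpn ipsec site-to-site peer SITE_A auth-profile AUTH1
set vpn ipsec site-to-site peer SITE_A ike-group IKE1
set vpn ipsec site-to-site peer SITE_A default-esp-group ESP1
set vpn ipsec site-to-site peer SITE_A local-address 203.0.113.1
# remote-address is optional on the responder; set it when the initiator has a fixed address
set vpn ipsec site-to-site peer SITE_A remote-address 198.51.100.2
# Selectors are the initiator's, swapped: local <-> remote
set vpn ipsec site-to-site peer SITE_A tunnel 1 local prefix 10.0.2.0/24
set vpn ipsec site-to-site peer SITE_A tunnel 1 remote prefix 10.0.1.0/24
set vpn ipsec site-to-site peer SITE_A tunnel 2 local prefix 10.0.4.0/24
set vpn ipsec site-to-site peer SITE_A tunnel 2 remote prefix 10.0.3.0/24
set vpn ipsec site-to-site peer SITE_A tunnel 2 esp-group ESP2
```

Each tunnel's local prefix on one side must equal the remote prefix on the other; a mismatch (for example 10.0.2.0/24 against 10.0.2.0/23) makes the CHILD_SA negotiation fail even though IKE authentication succeeds, which is the first thing to check when the IKE SA is up but no traffic flows. Keep the selectors as narrow as the application allows: they are the policy that decides which packets are protected, and anything outside them is routed in the clear.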
Command summary
Configuration commands
vpn ipsec site-to-site peer <id> install-vips address <ipv4>
vpn ipsec site-to-site peer <id> install-vips interface <ifc>
vpn ipsec site-to-site peer <id> local-address <ipv4|ipv6|fqdn|id>
vpn ipsec site-to-site peer <id> remote-address <ipv4|ipv6|fqdn|id>
vpn ipsec site-to-site peer <id> tunnel <u32> esp-group <id>
vpn ipsec site-to-site peer <id> tunnel <u32> install-routes <id>
vpn ipsec site-to-site peer <id> tunnel <u32> local port <u32>
vpn ipsec site-to-site peer <id> tunnel <u32> local prefix <ipv4net|ipv6net>
vpn ipsec site-to-site peer <id> tunnel <u32> local-interface <ifc>
vpn ipsec site-to-site peer <id> tunnel <u32> local-vrf <id>
vpn ipsec site-to-site peer <id> tunnel <u32> protocol <u32|id>
vpn ipsec site-to-site peer <id> tunnel <u32> remote port <u32>
vpn ipsec site-to-site peer <id> tunnel <u32> remote prefix <ipv4net|ipv6net>
vpn ipsec site-to-site peer <id> tunnel <u32> route-priority <u32>
vpn ipsec site-to-site peer <id> tunnel <u32> xfrm-interface-in <txt>
vpn ipsec site-to-site peer <id> tunnel <u32> xfrm-interface-out <txt>
vpn ipsec site-to-site peer <id> vti local prefix <ipv4net|ipv6net>
vpn ipsec site-to-site peer <id> vti remote prefix <ipv4net|ipv6net>