Overview

Fast Path IPsec SVTI - VTI provides SVTI support in the fast path.

SVTI interfaces are logical point-to-point network interfaces that perform IP-in-IPsec tunneling between two IPsec gateways.

SVTI interfaces handle their own SPD. Traffic routed through an SVTI interface is automatically submitted to a security policy check against the SVTI interface’s own SPD and, when a matching SP is found, encrypted using an SA matching the SP.

Incoming IPsec-encrypted traffic matching the tunnel endpoints of an SVTI interface is first decrypted with the right SA, then submitted to a security policy check against the SVTI interface’s own SPD. If the packet is granted access, the decrypted traffic is received via the SVTI interface.
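
The two checks described above can be modelled as follows. This is an added example, not 6WINDGate code: the class and function names, the addresses and the selectors are all constructed for illustration, and encryption and decryption are reduced to tags.

```python
# Simplified model of SVTI policy checks. Not 6WINDGate code; all names are hypothetical.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class SP:
    """Security policy: inner-traffic selector plus direction ("in" or "out")."""
    src: str
    dst: str
    direction: str
    def matches(self, src, dst, direction):
        return (direction == self.direction
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst))

@dataclass
class SVTI:
    name: str
    local: str                                # tunnel endpoints (outer header)
    remote: str
    spd: list = field(default_factory=list)   # the interface's own SPD
    def check(self, src, dst, direction):
        return any(sp.matches(src, dst, direction) for sp in self.spd)

def outbound(svti, inner_src, inner_dst):
    """Packet routed via the SVTI: check its SPD, then encrypt (modelled as a tag)."""
    if not svti.check(inner_src, inner_dst, "out"):
        # The page does not say what happens here; the model only reports it.
        return ("no_sp", svti.name)
    return ("esp", svti.local, svti.remote, (inner_src, inner_dst))

def inbound(svtis, outer_src, outer_dst, inner):
    """Already-decrypted packet: pick the SVTI by outer header, then check its SPD."""
    for svti in svtis:
        if (outer_src, outer_dst) == (svti.remote, svti.local):
            if svti.check(inner[0], inner[1], "in"):
                return ("receive", svti.name)
            return ("drop", "policy check failed on " + svti.name)
    return ("drop", "no SVTI matches the tunnel endpoints")

# Constructed sample: one SVTI between two documentation-range gateways.
DEMO = SVTI("svti1", "192.0.2.1", "198.51.100.1",
            [SP("10.1.0.0/16", "10.2.0.0/16", "out"),
             SP("10.2.0.0/16", "10.1.0.0/16", "in")])
```

The inbound case is the one to note: a packet that decrypts correctly is still refused if its inner addresses fall outside the interface's inbound selectors.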

Features

  • IPsec security policy check against the SVTI interface’s SPD for outbound traffic routed via an SVTI interface.

  • IPsec security policy check against the SVTI interface’s SPD for inbound IPsec decrypted packets whose IPsec outer headers match an SVTI’s tunnel parameters.

  • Compatibility with VRF processing (the encrypted and plaintext traffic may be in a VR other than vrf0).

  • Cross-VRF processing (the encrypted and plaintext traffic may be in different VRs; the SVTI interface performs the VR transition).

Dependencies

6WINDGate modules