SVTI

Secure Virtual Tunnel Interfaces (SVTI) are generic virtual interfaces on which IPsec transformation is applied to the traffic passing through them. They are used to configure route-based VPNs.

Each SVTI interface has its own SAD and SPD. An SVTI ID parameter associates the interface with its IPsec SAs and SPs. This ID must be unique per VRF.

To configure an SVTI, enter the interface svti context from the VRF in which the SVTI interface is to be defined. The configuration is valid as soon as the SVTI identifier is set.

Here is an example of an SVTI named svti100 with SVTI identifier 100:

vrouter running vrf main# interface svti svti100
vrouter running svti svti100#! svti-id 100
vrouter running svti svti100# commit

The SVTI interface is configured and ready to be associated with an IKE VPN.

Let’s fetch the state after committing this configuration:

vrouter running vrf main# interface svti svti100
vrouter running svti svti100# show state
svti svti100
    mtu 1500
    promiscuous false
    enabled true
    ipv6
        address fe80::afb4:e94a:240a:23f3/64
        ..
    svti-id 100
    oper-status UNKNOWN
    counters
        in-octets 0
        in-unicast-pkts 0
        in-discards 0
        in-errors 0
        out-octets 0
        out-unicast-pkts 0
        out-discards 0
        out-errors 0
        ..
    link-interface lo
    ..

The same configuration can be made using this NETCONF XML configuration:

vrouter> show config xml absolute vrf main interface svti svti100
<config xmlns="urn:6wind:vrouter">
  <vrf>
    <name>main</name>
    <interface xmlns="urn:6wind:vrouter/interface">
      <svti xmlns="urn:6wind:vrouter/svti">
        <name>svti100</name>
        <enabled>true</enabled>
        <ipv4>
          <enabled>true</enabled>
        </ipv4>
        <ipv6>
          <enabled>true</enabled>
        </ipv6>
        <svti-id>100</svti-id>
      </svti>
    </interface>
  </vrf>
</config>
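The per-VRF uniqueness rule for svti-id and the NETCONF representation above lend themselves to an offline check before a configuration is pushed. The following Python script is an added example, not part of the vRouter documentation or product: it parses a <config> document in the XML shape shown above (same namespaces), lists every SVTI with its VRF and identifier, and reports any svti-id that is reused inside one VRF while tolerating the same identifier in different VRFs. The two-VRF sample document and the function names are constructed for this example.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Namespaces exactly as they appear in the 'show config xml' output above.
NS = {
    "vr": "urn:6wind:vrouter",
    "intf": "urn:6wind:vrouter/interface",
    "svti": "urn:6wind:vrouter/svti",
}

# Constructed sample: svti100 and svti101 both claim svti-id 100 inside vrf
# "main" (a conflict), while vrf1 reuses svti-id 100 legitimately.
SAMPLE_CONFIG = """<config xmlns="urn:6wind:vrouter">
  <vrf>
    <name>main</name>
    <interface xmlns="urn:6wind:vrouter/interface">
      <svti xmlns="urn:6wind:vrouter/svti">
        <name>svti100</name>
        <enabled>true</enabled>
        <svti-id>100</svti-id>
      </svti>
      <svti xmlns="urn:6wind:vrouter/svti">
        <name>svti101</name>
        <enabled>true</enabled>
        <svti-id>100</svti-id>
      </svti>
    </interface>
  </vrf>
  <vrf>
    <name>vrf1</name>
    <interface xmlns="urn:6wind:vrouter/interface">
      <svti xmlns="urn:6wind:vrouter/svti">
        <name>svti100</name>
        <enabled>true</enabled>
        <svti-id>100</svti-id>
      </svti>
    </interface>
  </vrf>
</config>
"""


def list_svtis(xml_text):
    """Return (vrf, interface name, svti_id) for every SVTI in a <config> document.
    svti_id is None when the interface has no svti-id yet (not a valid SVTI)."""
    root = ET.fromstring(xml_text)
    result = []
    for vrf in root.findall("vr:vrf", NS):
        vrf_name = vrf.findtext("vr:name", namespaces=NS)
        for svti in vrf.findall("intf:interface/svti:svti", NS):
            name = svti.findtext("svti:name", namespaces=NS)
            raw_id = svti.findtext("svti:svti-id", namespaces=NS)
            svti_id = int(raw_id) if raw_id is not None else None
            result.append((vrf_name, name, svti_id))
    return result


def find_svti_id_conflicts(xml_text):
    """Return {vrf: {svti_id: [names]}} for every svti-id used by more than one
    SVTI within the same VRF. The same ID in different VRFs is not reported,
    because the uniqueness requirement is per VRF."""
    by_vrf = defaultdict(lambda: defaultdict(list))
    for vrf_name, name, svti_id in list_svtis(xml_text):
        if svti_id is None:
            continue  # incomplete SVTI: cannot collide until an ID is set
        by_vrf[vrf_name][svti_id].append(name)
    conflicts = {}
    for vrf_name, ids in by_vrf.items():
        dup = {sid: names for sid, names in ids.items() if len(names) > 1}
        if dup:
            conflicts[vrf_name] = dup
    return conflicts


if __name__ == "__main__":
    for vrf_name, name, svti_id in list_svtis(SAMPLE_CONFIG):
        print(f"vrf {vrf_name}: {name} svti-id {svti_id}")
    for vrf_name, dup in find_svti_id_conflicts(SAMPLE_CONFIG).items():
        for sid, names in dup.items():
            print(f"CONFLICT in vrf {vrf_name}: svti-id {sid} used by {', '.join(names)}")
```

Run against a real export of show config xml, the script flags only collisions within a single VRF, which is exactly the condition the configuration model rejects; an svti without svti-id is listed but skipped by the conflict check, since such an interface is not a valid SVTI configuration yet.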

Cross-VRF

SVTI interfaces can be used across VRFs: the interface can be located in one VRF while the SAs and SPs live in a different link-VRF.

Here is an example of an SVTI located in vrf2 with its link-vrf set to vrf1:

vrouter running vrf vrf2# interface svti svti100
vrouter running svti svti100#! svti-id 100
vrouter running svti svti100# link-vrf vrf1
vrouter running svti svti100# commit

In this configuration, the cleartext traffic is handled in vrf2 and the encrypted traffic in vrf1.

See also

The command reference for details.