Secure Virtual Tunnel Interfaces (SVTIs)

Overview

Secure Virtual Tunnel Interfaces provide virtual interfaces for IPsec processing:

  • outbound traffic directed to these interfaces is IPsec-protected,
  • after IPsec traffic has been received by the stack and decrypted, the resulting clear text traffic can be received via an SVTI interface.

You can use these interfaces like any other virtual interface: set them up and down, use them in routes, assign them to a VR or give them IP addresses, and so on.

SVTIs

In the IPsec context, declare the VPN, IPsec rule and SAs related to your SVTI.

Then, SVTIs are configured like any other virtual interface under the svtiX context:

router{conf:running}svti0

SVTI interfaces can be configured just like any other virtual interface, using ipaddress, tunnel, etc.

Example

router{conf:myconfig}eth2_0
router{conf:myconfig-eth2_0}ipaddress 10.23.8.108/24
router{conf:myconfig-eth2_0}svti1
router{conf:myconfig-svti1}tunnel 10.23.8.108 10.23.8.208
router{conf:myconfig-svti1}ipaddress 192.168.1.108/24
router{conf:myconfig-svti1}sec
router{conf:myconfig-sec}ipsec enable
router{conf:myconfig-sec}vpn vpn_remote_peer static 10.23.8.108 10.23.8.208 svti svti1
router{conf:myconfig-sec}ipsec-rule vpn_remote_peer_rule1 0.0.0.0/0 0.0.0.0/0 any esp tunnel vpn_remote_peer
router{conf:myconfig-sec}sa esp 10.23.8.108 10.23.8.208 svti svti1 0x1000 tunnel aes-cbc azertyuiopqsdfgh
router{conf:myconfig-sec}sa esp 10.23.8.208 10.23.8.108 svti svti1 0x1100 tunnel aes-cbc azertyuiopqsdfgh

In this configuration, the svti1 interface will be configured on top of eth2_0 to process traffic between 10.23.8.108 and 10.23.8.208.
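Manual SAs like the two above are easy to get subtly wrong (one direction missing, an SPI reused, the same key in both directions, or a keyboard-walk key such as the one in the example). The following Python linter is an added example, not part of the product or of this page; it assumes the `sa esp SRC DST svti NAME SPI MODE CIPHER KEY` syntax shown above and that the key argument is used as raw ASCII key bytes (so 16 characters means AES-128).

```python
from collections import defaultdict

# Constructed input: the two manual SA lines from the page's example, with the
# CLI prompts stripped. Assumption: the last argument is used as raw ASCII key
# bytes, so 16 characters mean AES-128.
SAMPLE_SAS = """
sa esp 10.23.8.108 10.23.8.208 svti svti1 0x1000 tunnel aes-cbc azertyuiopqsdfgh
sa esp 10.23.8.208 10.23.8.108 svti svti1 0x1100 tunnel aes-cbc azertyuiopqsdfgh
"""
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "azertyuiop", "qsdfghjklm", "0123456789")
AES_KEY_LENS = (16, 24, 32)

def parse_sas(text):
    """Turn 'sa esp SRC DST svti NAME SPI MODE CIPHER KEY' lines into dicts."""
    sas = []
    for line in text.splitlines():
        tok = line.split()
        if tok[:2] == ["sa", "esp"]:
            sas.append({"src": tok[2], "dst": tok[3], "svti": tok[5],
                        "spi": int(tok[6], 16), "cipher": tok[8], "key": tok[9]})
    return sas

def weak_key(key):
    """True for keyboard walks (a 6-char window found on a key row) or low byte diversity."""
    walk = any(key[i:i + 6] in row for row in KEYBOARD_ROWS for i in range(len(key) - 5))
    return walk or len(set(key)) < len(key) / 2

def lint_sas(text):
    """Return findings for manual SVTI SAs; an empty list means nothing was flagged."""
    out, by_svti = [], defaultdict(list)
    for sa in parse_sas(text):
        by_svti[sa["svti"]].append(sa)
        if sa["cipher"].startswith("aes") and len(sa["key"]) not in AES_KEY_LENS:
            out.append(f"spi {sa['spi']:#x}: {len(sa['key'])}-byte key is not a valid AES size")
        if weak_key(sa["key"]):
            out.append(f"spi {sa['spi']:#x}: key looks like a keyboard pattern or low-entropy string")
    for svti, group in by_svti.items():
        if len({(s["src"], s["dst"]) for s in group}) < 2:
            out.append(f"{svti}: only one direction has an SA")
        if len({s["spi"] for s in group}) < len(group):
            out.append(f"{svti}: SPI value reused between SAs")
        if len({s["key"] for s in group}) < len(group):
            out.append(f"{svti}: same key used in both directions")
    return out

if __name__ == "__main__":
    for finding in lint_sas(SAMPLE_SAS):
        print(finding)
```

Run against the page's example it reports the keyboard-pattern key on both SAs and the shared key across directions; replacing each key with an independently generated random value clears all three findings.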