Note

SVTI requires an IPsec Application License.

SVTI

Secure Virtual Tunnel Interfaces (SVTIs) are generic virtual interfaces that perform IPsec transformations. They are used to configure route-based VPNs.

Each SVTI interface has its own SAD and SPD.

Unlike other tunnel interfaces, an SVTI interface is not a point-to-point interface between two specific gateways: the encapsulation addresses are determined by the SPs and SAs matched by the traffic.

These interfaces have an SVTI ID parameter that associates them with IPsec SAs/SPs. This ID must be unique per VRF [1].

To configure SVTI, enter the interface context in the desired VRF and type svti followed by the SVTI interface name. The interface name must start with svti. The configuration is valid as soon as the SVTI identifier is set.

Here is an example of an SVTI named svti100 with an SVTI identifier 100:

vsr running vrf main# interface svti svti100
vsr running svti svti100#! svti-id 100
vsr running svti svti100# commit

The SVTI interface is configured and ready to be associated to an IKE VPN.

Let’s fetch the state after committing this configuration:

vsr running vrf main# interface svti svti100
vsr running svti svti100# show state
svti svti100
    mtu 1500
    promiscuous false
    enabled true
    ipv6
        address fe80::afb4:e94a:240a:23f3/64
        ..
    svti-id 100
    oper-status UNKNOWN
    counters
        in-octets 0
        in-unicast-pkts 0
        in-discards 0
        in-errors 0
        out-octets 0
        out-unicast-pkts 0
        out-discards 0
        out-errors 0
        ..
    link-interface lo
    ..

The same configuration can be made using this NETCONF XML configuration:

vsr> show config xml absolute vrf main interface svti svti100
<config xmlns="urn:6wind:vrouter">
  <vrf>
    <name>main</name>
    <interface xmlns="urn:6wind:vrouter/interface">
      <svti xmlns="urn:6wind:vrouter/svti">
        <name>svti100</name>
        <enabled>true</enabled>
        <ipv4>
          <enabled>true</enabled>
        </ipv4>
        <ipv6>
          <enabled>true</enabled>
        </ipv6>
        <svti-id>100</svti-id>
      </svti>
    </interface>
  </vrf>
</config>
[1] To be precise, the (link VRF, SVTI ID) pair must be unique, see the Cross-VRF paragraph.

Cross-VRF

Like other tunnel interfaces, an SVTI interface is defined in a VRF and is assigned a link VRF (the VRF of the encapsulated packets), which may be a different VRF. SVTI interfaces can therefore be used for cross-VRF setups.

The (link VRF, SVTI ID) pair uniquely identifies an SVTI interface, regardless of the interface VRF.

The SPs, SAs and IKE configuration are located in the SVTI interface link VRF.

Here is an example of an SVTI located in vrf2 but with a link-vrf in vrf1:

vsr running vrf vrf2# interface svti svti100
vsr running svti svti100#! svti-id 100
vsr running svti svti100# link-vrf vrf1
vsr running svti svti100# commit

In this configuration, the clear traffic will be in vrf2 and the encrypted traffic in vrf1.
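As an added example that is not part of this documentation, the following Python script reads a NETCONF XML configuration in the format shown above and checks the SVTI constraints described here: the interface name starts with svti, an svti-id is set, and the (link VRF, SVTI ID) pair is unique across VRFs. The sample configuration is constructed, and the <link-vrf> element name is an assumption (the page only shows the link-vrf CLI keyword).

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
NS = {"vr": "urn:6wind:vrouter", "if": "urn:6wind:vrouter/interface",
      "svti": "urn:6wind:vrouter/svti"}

# Constructed sample (not from a real router): three VRFs. The <link-vrf> element
# name is an assumption; the page only shows the CLI keyword link-vrf.
SAMPLE_CONFIG = """<config xmlns="urn:6wind:vrouter">
 <vrf><name>main</name><interface xmlns="urn:6wind:vrouter/interface">
  <svti xmlns="urn:6wind:vrouter/svti"><name>svti100</name><svti-id>100</svti-id></svti>
 </interface></vrf>
 <vrf><name>vrf2</name><interface xmlns="urn:6wind:vrouter/interface">
  <svti xmlns="urn:6wind:vrouter/svti"><name>svti100</name><svti-id>100</svti-id>
   <link-vrf>vrf1</link-vrf></svti>
 </interface></vrf>
 <vrf><name>vrf3</name><interface xmlns="urn:6wind:vrouter/interface">
  <svti xmlns="urn:6wind:vrouter/svti"><name>svti200</name><svti-id>100</svti-id>
   <link-vrf>vrf1</link-vrf></svti>
 </interface></vrf>
</config>"""

def svti_entries(xml_text):
    """One dict per SVTI interface: its VRF, name, SVTI ID and link VRF."""
    entries = []
    for vrf in ET.fromstring(xml_text).findall("vr:vrf", NS):
        vrf_name = vrf.findtext("vr:name", namespaces=NS)
        for svti in vrf.findall("if:interface/svti:svti", NS):
            sid = svti.findtext("svti:svti-id", namespaces=NS)
            entries.append({
                "vrf": vrf_name, "name": svti.findtext("svti:name", namespaces=NS),
                "svti_id": int(sid) if sid is not None else None,
                # Without an explicit link-vrf, the link VRF is the interface's own VRF.
                "link_vrf": svti.findtext("svti:link-vrf", namespaces=NS) or vrf_name})
    return entries

def check_svti_config(xml_text):
    """Return constraint violations; an empty list means the config is consistent."""
    problems, pairs = [], defaultdict(list)
    for e in svti_entries(xml_text):
        where = f"{e['vrf']}/{e['name']}"
        if not e["name"].startswith("svti"):
            problems.append(f"{where}: interface name must start with 'svti'")
        if e["svti_id"] is None:
            problems.append(f"{where}: svti-id not set, the SVTI is not valid yet")
            continue
        pairs[(e["link_vrf"], e["svti_id"])].append(where)
    for (link_vrf, sid), names in pairs.items():
        if len(names) > 1:
            problems.append(f"(link VRF {link_vrf}, SVTI ID {sid}) reused by {', '.join(names)}")
    return problems
```

Run check_svti_config on the XML produced by show config xml absolute to spot two SVTIs in different VRFs that share a link VRF and an SVTI ID before committing.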

SVTI templates

SVTI templates are models of SVTI interfaces used for dynamic SVTI interface creation. An IKE VPN may reference an SVTI template, so that an SVTI interface is created for each established IKE SA, and the negotiated SAs and SPs attached to it.

To configure an SVTI template, enter the interface context in the desired VRF and type svti-template followed by the SVTI template name.

Here is an example of an SVTI template named svtitemp100:

vsr running vrf main# interface svti-template svtitemp100
vsr running svti-template svtitemp100# mtu 1300
vsr running svti-template svtitemp100# commit

The names of dynamically created SVTI interfaces start with dsvti and do not depend on the template name. Their SVTI ID is chosen dynamically by IKE.

See also

The command reference for details.