Note
SVTI requires an IPsec Application License.
SVTI
Secure Virtual Tunnel Interfaces are generic virtual interfaces that apply IPsec transformations to the traffic they carry. They are used to configure route-based VPNs.
Each SVTI interface has its own SAD and SPD.
Unlike other tunnel interfaces, an SVTI interface is not a point-to-point interface between two specific gateways; the encapsulation addresses are determined by the SPs and SAs matched by the traffic.
These interfaces have an SVTI ID parameter that associates them with IPsec SAs/SPs. This ID must be unique per VRF [1].
To configure an SVTI, enter the interface context in the desired VRF and type svti followed by the SVTI interface name. The interface name must start with svti. The configuration is valid as soon as the SVTI identifier is set.
Here is an example of an SVTI named svti100 with an SVTI identifier 100:
vsr running vrf main# interface svti svti100
vsr running svti svti100#! svti-id 100
vsr running svti svti100# commit
The SVTI interface is configured and ready to be associated to an IKE VPN.
Let’s fetch the state after committing this configuration:
vsr running vrf main# interface svti svti100
vsr running svti svti100# show state
svti svti100
mtu 1500
promiscuous false
enabled true
ipv6
address fe80::afb4:e94a:240a:23f3/64
..
svti-id 100
oper-status UNKNOWN
counters
in-octets 0
in-unicast-pkts 0
in-discards 0
in-errors 0
out-octets 0
out-unicast-pkts 0
out-discards 0
out-errors 0
..
link-interface lo
..
The same configuration can be made using this NETCONF XML configuration:
vsr> show config xml absolute vrf main interface svti svti100
<config xmlns="urn:6wind:vrouter">
<vrf>
<name>main</name>
<interface xmlns="urn:6wind:vrouter/interface">
<svti xmlns="urn:6wind:vrouter/svti">
<name>svti100</name>
<enabled>true</enabled>
<ipv4>
<enabled>true</enabled>
</ipv4>
<ipv6>
<enabled>true</enabled>
</ipv6>
<svti-id>100</svti-id>
</svti>
</interface>
</vrf>
</config>
[1] To be precise, the (link VRF, SVTI ID) pair must be unique; see the Cross-VRF section.
Cross-VRF
Like other tunnel interfaces, an SVTI interface is defined in a VRF and is assigned a link VRF (the VRF of the encapsulated packets), which may differ from the interface VRF. SVTI interfaces can therefore be used for cross-VRF tunneling.
The (link VRF, SVTI ID) pair uniquely identifies an SVTI interface, regardless of the interface VRF.
The SPs, SAs and IKE configuration are located in the link VRF of the SVTI interface.
Here is an example of an SVTI located in vrf2 but with a link-vrf in vrf1:
vsr running vrf vrf2# interface svti svti100
vsr running svti svti100#! svti-id 100
vsr running svti svti100# link-vrf vrf1
vsr running svti svti100# commit
In this configuration, the cleartext traffic is in vrf2 and the encrypted traffic in vrf1.
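The uniqueness rule above (the (link VRF, SVTI ID) pair identifies the interface, not the VRF the interface lives in) is easy to violate when SVTIs from several VRFs share a link VRF, and a collision means the IPsec SAs/SPs cannot be attributed to a single interface. The following script is an added example, not part of the vRouter documentation or product: it parses a NETCONF-style configuration in the format shown earlier on this page and reports every (link VRF, SVTI ID) pair used more than once. It assumes that the link VRF is carried in a <link-vrf> element in the urn:6wind:vrouter/svti namespace (mirroring the CLI keyword; the element name is an assumption) and that an SVTI without <link-vrf> uses its own VRF as link VRF (also an assumption). The sample configuration is constructed for the example.

```python
"""Check the (link VRF, SVTI ID) uniqueness rule over a NETCONF-style config.

Added example, not vRouter code. Assumptions: the link VRF is expressed as a
<link-vrf> element under <svti> (urn:6wind:vrouter/svti), and an SVTI without
<link-vrf> uses its own VRF as link VRF.
"""
import xml.etree.ElementTree as ET

NS = {
    "vr": "urn:6wind:vrouter",
    "if": "urn:6wind:vrouter/interface",
    "svti": "urn:6wind:vrouter/svti",
}

# Constructed sample: svti100 in main and svti100 in vrf2 both use link VRF
# vrf1 with SVTI ID 100, which collides. svti300 in vrf2 also has ID 100 but
# no link-vrf, so its key is (vrf2, 100) and it does not collide.
SAMPLE_CONFIG = """<config xmlns="urn:6wind:vrouter">
  <vrf>
    <name>main</name>
    <interface xmlns="urn:6wind:vrouter/interface">
      <svti xmlns="urn:6wind:vrouter/svti">
        <name>svti100</name>
        <enabled>true</enabled>
        <svti-id>100</svti-id>
        <link-vrf>vrf1</link-vrf>
      </svti>
    </interface>
  </vrf>
  <vrf>
    <name>vrf2</name>
    <interface xmlns="urn:6wind:vrouter/interface">
      <svti xmlns="urn:6wind:vrouter/svti">
        <name>svti100</name>
        <enabled>true</enabled>
        <svti-id>100</svti-id>
        <link-vrf>vrf1</link-vrf>
      </svti>
      <svti xmlns="urn:6wind:vrouter/svti">
        <name>svti300</name>
        <enabled>true</enabled>
        <svti-id>100</svti-id>
      </svti>
    </interface>
  </vrf>
</config>
"""


def collect_svtis(xml_text):
    """Return a list of (vrf, name, svti_id, link_vrf) for every SVTI with an ID."""
    root = ET.fromstring(xml_text)
    result = []
    for vrf in root.findall("vr:vrf", NS):
        vrf_name = vrf.findtext("vr:name", namespaces=NS)
        for svti in vrf.findall("if:interface/svti:svti", NS):
            name = svti.findtext("svti:name", namespaces=NS)
            sid_text = svti.findtext("svti:svti-id", namespaces=NS)
            if sid_text is None:
                # No svti-id yet: the page says the SVTI is only valid once it is set.
                continue
            # Assumption: missing <link-vrf> means the link VRF is the interface VRF.
            link_vrf = svti.findtext("svti:link-vrf", namespaces=NS) or vrf_name
            result.append((vrf_name, name, int(sid_text), link_vrf))
    return result


def find_conflicts(xml_text):
    """Map each (link_vrf, svti_id) key used more than once to its [(vrf, name), ...]."""
    seen = {}
    for vrf_name, name, sid, link_vrf in collect_svtis(xml_text):
        seen.setdefault((link_vrf, sid), []).append((vrf_name, name))
    return {key: users for key, users in seen.items() if len(users) > 1}


if __name__ == "__main__":
    for (link_vrf, sid), users in find_conflicts(SAMPLE_CONFIG).items():
        print(f"duplicate (link VRF {link_vrf}, SVTI ID {sid}) used by: {users}")
```

Run against a `show config xml` dump, the script flags the two svti100 interfaces as sharing (vrf1, 100), while svti300 passes because its key is computed from its link VRF (vrf2), not from the SVTI ID alone.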
SVTI templates
SVTI templates are models of SVTI interfaces used for dynamic SVTI interface creation. An IKE VPN may reference an SVTI template, so that an SVTI interface is created for each established IKE SA, and the negotiated SAs and SPs attached to it.
To configure an SVTI template, enter the interface context in the desired VRF and type svti-template followed by the SVTI template name.
Here is an example of an SVTI template named svtitemp100:
vsr running vrf main# interface svti-template svtitemp100
vsr running svti-template svtitemp100# mtu 1300
vsr running svti-template svtitemp100# commit
The dynamically created SVTI interface names start with dsvti and do not depend on the template name. Their SVTI ID is dynamically chosen by IKE.
See also
The command reference for details.