Vyatta Virtual Tunnel Interface for Site-to-Site IPsec

Newer Vyatta releases (6.x) introduce a Virtual Tunnel Interface (VTI) for site-to-site IPsec.

A virtual tunnel interface provides a termination point for a site-to-site IPsec VPN tunnel and lets it behave like any other routable interface. Besides simplifying the IPsec configuration, it lets many common capabilities (routing, firewalling, QoS and the like) be applied to the tunnel, because the endpoint is associated with an actual interface.

Traffic being routed to a virtual tunnel interface is encrypted prior to being sent through the tunnel. Traffic arriving from a virtual tunnel interface is decrypted prior to its exposure to the routing system.

The virtual tunnel interface has the following restrictions and limitations:

1. It is only supported with IPv4, and not IPv6.

2. Only unicast and multicast IP traffic is allowed.

3. The Vyatta system uses the fwmark field in the kernel sk_buff to uniquely identify virtual tunnel interfaces (as well as entities associated with other features). Vyatta reserves fwmark values greater than or equal to 0x7FFFFFFF for this purpose. If you use fwmark directly for another purpose, do not use values greater than or equal to 0x7FFFFFFF.

4. Because the virtual tunnel interface and IP-in-IP tunnels use the same IP protocol number, it is not possible to use both tunnel types between the same pair of tunnel endpoints.

5. The virtual tunnel interface does not support Time to Live (TTL) and Type of Service (ToS).

6. The IPsec mode must be configured as tunnel. See security vpn ipsec esp-group <name> mode <mode>.

7. Unlike other site-to-site IPsec VPN tunnels, the local and remote proxies (traffic selectors) are implicitly 0.0.0.0/0, so the local and remote subnets do not need to be specified explicitly; which traffic enters the tunnel is decided by routing instead.

8. IPsec peer 0.0.0.0 is not supported with VTI, so VTI cannot be used when the IPsec peer is behind a NAT device.
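As an added example (not from the original post), the configuration below shows a VTI-based site-to-site tunnel that respects the restrictions above: ESP in tunnel mode, no local/remote prefix stanza, a concrete peer address, and a static route that sends the remote LAN into vti0. All addresses, group names, the interface name eth0 and the cipher/hash names are constructed assumptions; check which proposal values your release accepts, and lines starting with # are annotations rather than commands.

```vyatta
# Site A (local 198.51.100.1) to Site B (peer 203.0.113.2). Constructed example addresses.

# IKE (phase 1) and ESP (phase 2) policy; mode must be tunnel (restriction 6).
set security vpn ipsec ike-group IKE-VTI proposal 1 encryption aes256
set security vpn ipsec ike-group IKE-VTI proposal 1 hash sha256
set security vpn ipsec ike-group IKE-VTI lifetime 28800
set security vpn ipsec esp-group ESP-VTI mode tunnel
set security vpn ipsec esp-group ESP-VTI pfs dh-group14
set security vpn ipsec esp-group ESP-VTI proposal 1 encryption aes256
set security vpn ipsec esp-group ESP-VTI proposal 1 hash sha256
set security vpn ipsec esp-group ESP-VTI lifetime 3600

# Enable IPsec on the outside interface (assumed to be eth0).
set security vpn ipsec ipsec-interfaces interface eth0

# The peer must be a concrete address; 0.0.0.0 (peer behind NAT) is not supported with VTI (restriction 8).
set security vpn ipsec site-to-site peer 203.0.113.2 authentication mode pre-shared-secret
set security vpn ipsec site-to-site peer 203.0.113.2 authentication pre-shared-secret 'REPLACE-WITH-STRONG-PSK'
set security vpn ipsec site-to-site peer 203.0.113.2 ike-group IKE-VTI
set security vpn ipsec site-to-site peer 203.0.113.2 local-address 198.51.100.1
# No "tunnel N local prefix / remote prefix" lines: with VTI the proxies are implicitly 0.0.0.0/0 (restriction 7).
set security vpn ipsec site-to-site peer 203.0.113.2 vti bind vti0
set security vpn ipsec site-to-site peer 203.0.113.2 vti esp-group ESP-VTI

# The VTI itself, numbered from a /30 used only for routing between the two sites.
set interfaces vti vti0 address 10.255.255.1/30
set interfaces vti vti0 description 'IPsec VTI to Site B'

# Route the remote LAN into the tunnel: traffic forwarded to vti0 is encrypted before it leaves.
set protocols static route 192.168.2.0/24 next-hop 10.255.255.2

commit
save
```

Site B mirrors this with the addresses swapped (vti0 10.255.255.2/30, route for Site A's LAN via 10.255.255.1); to verify, check that vti0 is up and that the static route appears in the routing table once the security association is established.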

VTI is highly recommended for SoftLayer Vyatta site-to-site IPsec because of the flexibility it gives (routing and firewall policy can be applied to the tunnel like any other interface).

Note: not all vendors' IPsec VPN gateways are compatible with Vyatta VTI.

VPN devices known to work with Vyatta VTI:

Cisco IOS router Virtual Tunnel Interface (VTI)

Vyatta VTI IPSec to Cisco IOS router

Juniper SRX Firewall Route-based VPN

Vyatta VTI IPSec to Juniper SRX Firewall
