IPsec Tunnel

IPsec tunnels are supported only on the 10000 switch series.

IPsec is a secure tunneling protocol that creates virtual point-to-point links over an IP network. It provides secure communication by encrypting packets: the entire original IP packet is encapsulated and an outer IP header is added.

IPsec tunneling protocol

IPsec creates a virtual point-to-point link between two devices by encrypting and encapsulating various protocols within an IP network. For example, the following diagram shows an IPsec tunnel created between Switch 1 and Switch 2. Even if Network 1 and Network 2 are separated by multiple network devices, IPsec creates a virtual point-to-point link that makes it appear as if they are directly connected to each other. When a packet is sent from Network 1 to Network 2 (and vice versa), it is transmitted through various network devices in between, as indicated by the cloud. However, since the packets are encrypted and encapsulated, the intermediate network devices are unaware of Network 1 and Network 2.

Figure 1  IPsec tunnel between two networks

                    +---------+      +----------+      +---------+
                    |         |      |          |      |         |
  Network 1 --------|Switch 1 | ---- | Internet | ---- |Switch 2 | ----- Network 2
                    |         |      |          |      |         |
                    +---------+      +----------+      +---------+

To establish an IPsec tunnel, you need to configure Pensando Policy and Services Manager (PSM). For complete information on the Pensando Policy and Services Manager, refer to the Pensando Policy and Services Manager for Distributed Services Switches: User Guide.

IPsec tunnels can only be established if the switch is running with either the L3-core or spine profiles. If you are using the L3-agg or leaf profiles, IPsec tunnels are not supported.

IPsec Tunnel encapsulation and decapsulation

The following diagram shows an example of an IPsec encapsulated packet:

Figure 2   IPsec encapsulated packet

  +-------------+-----------------+-----------------+------------+
  | New Header  |       ESP       | Original packet |  Original  |
  |   (IPv4)    | (IPsec Header)  |  header (IPv4)  |  Payload   |
  +-------------+-----------------+-----------------+------------+

When a packet is sent from Switch 1 to Switch 2 over an IPsec tunnel between the two networks:

  1. Switch 1 receives an incoming packet from Network 1.
  2. If the packet is not addressed to the switch (destination MAC address), it is forwarded as is.
  3. If the packet is addressed to the switch, the switch checks the destination IP address to determine whether the packet must be processed by the CPU or forwarded to the next hop from the routing table.
  4. Once the switch has the next-hop information, it encrypts and encapsulates the packet if the egress interface is a tunnel interface, and then sends it to the next hop.
  5. After the packet is routed across the network and received by Switch 2, it is decrypted and decapsulated.
  6. The inner packet (the original payload) is routed to Network 2.
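The following Python example, added here for illustration and not switch code, builds and parses a packet with the exact layout of Figure 2 (outer IPv4 header, ESP header, original IPv4 packet, ESP trailer and ICV, per RFC 4303) to show what steps 4 and 5 add and strip. It assumes ESP with NULL encryption and HMAC-SHA256-128 integrity, using only the standard library; the SPI, key and addresses are constructed sample values, and the receiver verifies the ICV before it trusts any parsed field.

```python
import hmac, hashlib, struct, ipaddress

ESP_PROTO = 50         # IP protocol number carried in the outer header
NEXT_HDR_IPV4 = 4      # ESP trailer "next header": inner packet is IPv4
ICV_LEN = 16           # HMAC-SHA256-128: the ICV is the first 16 bytes

def ipv4_checksum(hdr: bytes) -> int:
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    # 20-byte header without options; checksum field patched in afterwards
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64,
                      proto, 0, ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def esp_encapsulate(inner: bytes, spi: int, seq: int, key: bytes,
                    outer_src: str, outer_dst: str) -> bytes:
    # Trailer: RFC 4303 default padding (1,2,3,...) to a 4-byte boundary,
    # then pad length and next header; NULL cipher so the payload stays clear
    pad_len = (-(len(inner) + 2)) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, NEXT_HDR_IPV4])
    esp = struct.pack("!II", spi, seq) + inner + trailer
    icv = hmac.new(key, esp, hashlib.sha256).digest()[:ICV_LEN]   # covers SPI..trailer
    outer = ipv4_header(outer_src, outer_dst, ESP_PROTO, len(esp) + ICV_LEN)
    return outer + esp + icv

def esp_decapsulate(pkt: bytes, spi: int, key: bytes) -> bytes:
    outer = pkt[:20]
    if ipv4_checksum(outer) != 0 or outer[9] != ESP_PROTO:
        raise ValueError("outer header is not a valid IPv4/ESP header")
    esp, icv = pkt[20:-ICV_LEN], pkt[-ICV_LEN:]
    expect = hmac.new(key, esp, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expect):   # verify before parsing anything
        raise ValueError("ICV mismatch: packet altered or wrong SA key")
    pkt_spi, _seq = struct.unpack("!II", esp[:8])
    if pkt_spi != spi:
        raise ValueError("SPI does not match the expected SA")
    pad_len, next_hdr = esp[-2], esp[-1]
    if next_hdr != NEXT_HDR_IPV4:
        raise ValueError("inner packet is not IPv4")
    return esp[8:len(esp) - 2 - pad_len]   # strip trailer: the original packet

if __name__ == "__main__":
    inner = ipv4_header("10.1.1.5", "10.2.2.7", 17, 8) + bytes(8)  # constructed
    pkt = esp_encapsulate(inner, 0x1000, 1, b"\x11" * 32, "192.0.2.1", "198.51.100.2")
    assert esp_decapsulate(pkt, 0x1000, b"\x11" * 32) == inner
```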

BGP over an IPsec tunnel interface

BGP over an IPsec tunnel can be configured by defining the BGP peer as the IPsec tunnel overlay IP. The IP address of an IPsec interface is reachable over the IPsec tunnel. For more information, see the Configuring BGP over an IPSec tunnel interface section in the IP Routing Guide.

Limitations

  • IPsec tunnels must not be configured under the default VRF. Because the mapping from the Distributed Service Module (DSM) to the IPsec tunnel is VRF-based, tunnels must be configured under a non-default VRF only.
  • IPsec tunnels are not supported with a ROP or a loopback as the underlay.
  • IPsec tunnels are supported only with an SVI as the underlay, and the source IP of the tunnel must be derived from the underlay SVI.
  • IPsec tunnels beyond 1024 per VRF are dropped.

Unsupported features

  • IPv6 IPsec tunnel endpoints
  • TTL on IPsec tunnels
  • VRF change or delete on an IPsec tunnel
  • Source IP change or delete on an IPsec tunnel
  • Destination IP change or delete on an IPsec tunnel
  • IPVRL on IPsec tunnels with a static route
  • Underlay in a different VRF
  • ECMP across IPsec tunnels in a route
  • Multicast over IPsec tunnels
  • ACLs on IPsec tunnels
  • IPsec over L3 tunnels (GRE/6in4/6in6)
  • ACL/PBR on VXLAN tunnels that are sent over IPsec
  • L3-agg and leaf profiles
  • BGP over IPsec in IPsec Active-Standby mode
  • Dynamic BGP peering over IPsec
  • BGP peer groups over IPsec
  • Route reflectors
  • IP unnumbered address as the BGP source IP
  • More than 1024 IPsec routes per VRF: additional routes are dropped, and the ordering of preferred routes cannot be guaranteed when more routes are learned than supported.
  • Backup routing between static and BGP routes for the same prefix
  • BFD failover for BGP over IPsec