IPsec Endpoints

Next, the IPsec tunnel needs endpoints. These can be defined in one of two ways: explicitly, by configuring an IPIP tunnel, or implicitly, by specifying the endpoints from within config-ipsec-tunnel mode:

local-address

Defines the IPv4 or IPv6 address used by TNSR for this tunnel. This address must exist on a TNSR interface.

remote-address

Defines the IPv4 or IPv6 address or fully qualified hostname of the remote peer when configuring a site-to-site IPsec tunnel. The address family must match the address family of the local-address. This directive is omitted for remote access IPsec.

Note

When using a hostname, TNSR must be able to resolve it using DNS in the dataplane namespace when the tunnel is configured. See System DNS Resolution Behavior for information on configuring DNS resolution in namespaces.

Additionally, the strongSwan daemon will resolve the hostname each time an IPsec connection lookup is performed.

These commands can be entered in the IPsec configuration but they create an IPIP tunnel interface in the configuration backend and do not appear in the resulting IPsec configuration data.
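The rules above (the local address must exist on a TNSR interface, the remote address must be of the same address family as the local address or a hostname that resolves to one, and remote-address is omitted for remote access IPsec) can be checked before the commands are entered. The following Python script is an added example and is not part of TNSR or the original documentation; the interface table and the resolver callback are constructed, hypothetical stand-ins for what a real check would read from the running TNSR configuration and from DNS in the dataplane namespace.

```python
import ipaddress
from typing import Callable, Dict, List, Optional

# Constructed sample data: interface name -> addresses configured on it.
# Hypothetical; a real check would read the interface addresses from TNSR.
TNSR_INTERFACES: Dict[str, List[str]] = {
    "GigabitEthernet0/0/0": ["203.0.113.2", "2001:db8:1::2"],
    "GigabitEthernet0/0/1": ["10.0.0.1"],
}


def address_family(addr: str) -> Optional[int]:
    """Return 4 or 6 for an IPv4/IPv6 literal, None for anything else (e.g. a hostname)."""
    try:
        return ipaddress.ip_address(addr).version
    except ValueError:
        return None


def validate_endpoints(
    local: str,
    remote: Optional[str],
    interfaces: Dict[str, List[str]] = TNSR_INTERFACES,
    resolve: Optional[Callable[[str], List[str]]] = None,
) -> List[str]:
    """Check a proposed local-address / remote-address pair.

    Returns a list of problems; an empty list means the pair is acceptable.
    `remote` is None for remote access IPsec, where remote-address is omitted.
    `resolve` is a hypothetical hook returning the addresses a hostname resolves
    to; it stands in for DNS resolution in the dataplane namespace.
    """
    problems: List[str] = []

    lfam = address_family(local)
    if lfam is None:
        # local-address must be a literal address, never a hostname
        problems.append(f"local-address {local!r} is not an IPv4 or IPv6 address")
        return problems
    if not any(local in addrs for addrs in interfaces.values()):
        problems.append(f"local-address {local} is not configured on any TNSR interface")

    if remote is None:
        return problems  # remote access IPsec: no remote-address directive

    rfam = address_family(remote)
    if rfam is not None:
        if rfam != lfam:
            problems.append(f"address family mismatch: local is IPv{lfam}, remote is IPv{rfam}")
        return problems

    # remote-address is a hostname: its family is only known once it resolves
    if resolve is None:
        problems.append(f"remote-address {remote!r} is a hostname; no resolver available to verify its address family")
        return problems
    resolved = resolve(remote)
    if not resolved:
        problems.append(f"remote-address {remote!r} does not resolve")
        return problems
    families = {address_family(a) for a in resolved} - {None}
    if lfam not in families:
        problems.append(f"remote-address {remote!r} resolves to no IPv{lfam} address matching the local-address family")
    return problems


if __name__ == "__main__":
    # Same addresses as the examples below: local on an interface, families match
    print(validate_endpoints("203.0.113.2", "203.0.113.25"))                 # []
    print(validate_endpoints("203.0.113.2", "2001:db8::25"))                 # family mismatch
    print(validate_endpoints("203.0.113.2", "vpn.example.com",
                             resolve=lambda h: ["203.0.113.25"]))            # []
```

Because strongSwan resolves a hostname again on every connection lookup, a hostname that passes this check at configuration time can still fail later if DNS changes or becomes unreachable from the dataplane namespace; the check is a pre-flight, not a guarantee.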

IPsec Endpoint Examples

Explicit IPIP Tunnel

When configuring an IPIP tunnel explicitly, the IPIP tunnel must be defined before starting the IPsec configuration.

tnsr(config)# tunnel ipip 0
tnsr(config-ipip)# source ipv4 address 203.0.113.2
tnsr(config-ipip)# destination ipv4 address 203.0.113.25
tnsr(config-ipip)# exit

Implicit IPIP Tunnel

Specifying the endpoints from within IPsec configuration mode automatically creates a corresponding IPIP tunnel instance.

tnsr(config)# ipsec tunnel 0
tnsr(config-ipsec-tunnel)# local-address 203.0.113.2
tnsr(config-ipsec-tunnel)# remote-address 203.0.113.25

Note

These commands have the same net effect as the explicit method: TNSR creates the same IPIP tunnel configuration either way, and TNSR does not store these values in the IPsec configuration. When removing an IPsec tunnel configured in this manner, the IPIP tunnel must be deleted manually.

Removing an Endpoint

When removing an IPIP tunnel associated with an IPsec tunnel, the IPsec tunnel must be removed first:

tnsr(config)# no ipsec tunnel 0
tnsr(config)# no int ipip0
tnsr(config)# no tunnel ipip 0

Note

The IPIP tunnel must be removed manually no matter how it was created (either explicitly or implicitly).