Tip
This is the documentation for the 23.11 version. Looking for the documentation of the latest version? Have a look here.
IPsec Endpoints¶
Next, the IPsec tunnel needs endpoints. These can be defined in two ways: by explicitly configuring an IPIP Tunnel, or implicitly by specifying the endpoints from within config-ipsec-tunnel mode:
- local-address:
Defines the IPv4 or IPv6 address used by TNSR for this tunnel. This address must exist on a TNSR interface.
- remote-address:
Defines the IPv4 or IPv6 address or fully qualified hostname of the remote peer when configuring a site-to-site IPsec tunnel. The address family must match the address family of the local-address. This directive is omitted for remote access IPsec.
Note
When using a hostname, TNSR must be able to resolve it using DNS in the dataplane namespace when the tunnel is configured. See System DNS Resolution Behavior for information on configuring DNS resolution in namespaces. Additionally, the strongSwan daemon resolves the hostname each time it performs an IPsec connection lookup, not only when the tunnel is configured.
These commands can be entered in the IPsec configuration, but they create an IPIP tunnel interface in the configuration backend and do not appear in the resulting IPsec configuration data.
IPsec Endpoint Examples¶
Explicit IPIP Tunnel¶
When configuring an IPIP tunnel explicitly, the IPIP tunnel must be defined before starting the IPsec configuration.
tnsr(config)# tunnel ipip 0
tnsr(config-ipip)# source ipv4 address 203.0.113.2
tnsr(config-ipip)# destination ipv4 address 203.0.113.25
tnsr(config-ipip)# exit
Implicit IPIP Tunnel¶
Specifying the endpoints from within IPsec configuration mode automatically creates a corresponding IPIP tunnel instance (ipip0 for ipsec tunnel 0).
tnsr(config)# ipsec tunnel 0
tnsr(config-ipsec-tunnel)# local-address 203.0.113.2
tnsr(config-ipsec-tunnel)# remote-address 203.0.113.25
Note
These commands have the same net effect as the explicit method in that TNSR creates the same IPIP tunnel configuration either way; TNSR does not store these values in the IPsec configuration. When removing an IPsec tunnel configured in this manner the IPIP tunnel must be deleted manually.
Removing an Endpoint¶
When removing an IPIP tunnel associated with an IPsec tunnel, the IPsec tunnel must be removed first:
tnsr(config)# no ipsec tunnel 0
tnsr(config)# no int ipip0
tnsr(config)# no tunnel ipip 0
Note
The IPIP tunnel must be removed manually no matter how it was created (either explicitly or implicitly).
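The following Python script is an added example, not part of the TNSR documentation or the TNSR code base. It turns the endpoint rules above (local-address must be a literal address on the router, remote-address must be an address of the same family or a hostname that resolves to one from the dataplane namespace) into a pre-flight check, and then emits the command sequences for the explicit method, the implicit method and the removal order in the sections above. The `resolve` callable is a hypothetical stand-in for a DNS lookup performed in the dataplane namespace, injected so the check runs offline; the `ipv6` keyword for the IPIP source/destination commands is assumed by analogy with the `ipv4` form shown on the page, and the assumption that an explicit IPIP destination takes only a literal address (not a hostname) is also the example's own. The hostname `vpn.example.net` and the DNS answers are constructed sample input.

```python
import ipaddress
import re

# RFC 1123 hostname label: 1-63 alphanumerics or hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def classify(endpoint):
    """Return ("ipv4" | "ipv6", address) for a literal address, or ("fqdn", name)
    for a syntactically valid hostname; raise ValueError for anything else."""
    try:
        addr = ipaddress.ip_address(endpoint)
    except ValueError:
        pass
    else:
        return ("ipv4" if addr.version == 4 else "ipv6", str(addr))
    labels = endpoint.rstrip(".").split(".")
    if (len(endpoint) > 253 or len(labels) < 2 or labels[-1].isdigit()
            or not all(_LABEL.match(label) for label in labels)):
        raise ValueError(f"not an IP address or hostname: {endpoint!r}")
    return ("fqdn", endpoint)


def validate_endpoints(local, remote, resolve=None):
    """Apply the rules from the text: local-address is a literal address, and
    remote-address is either an address of the same family or a hostname that
    resolves to one.  `resolve` is a hypothetical callable name -> [addresses],
    injected so the check runs offline; a real one must query DNS from the
    dataplane namespace, which is where strongSwan performs the lookup.
    Returns (family, local_address, remote_kind, remote_value)."""
    lfam, laddr = classify(local)
    if lfam == "fqdn":
        raise ValueError("local-address must be an address on a TNSR interface, not a hostname")
    rfam, rval = classify(remote)
    if rfam == "fqdn":
        if resolve is None:
            raise ValueError(f"cannot verify {rval}: no dataplane-namespace resolver supplied")
        answers = [classify(a) for a in resolve(rval)]
        if not any(fam == lfam for fam, _ in answers):
            raise ValueError(f"{rval} does not resolve to any {lfam} address; local-address is {laddr}")
    elif rfam != lfam:
        raise ValueError(f"address family mismatch: local {laddr} is {lfam}, remote {rval} is {rfam}")
    return lfam, laddr, rfam, rval


def explicit_ipip_commands(instance, local, remote):
    """Explicit method: the IPIP tunnel is created before the IPsec tunnel, so its
    destination must be a literal address (assumption: the IPIP destination
    keyword does not accept hostnames)."""
    rkind, _ = classify(remote)
    if rkind == "fqdn":
        raise ValueError("explicit IPIP tunnel needs a literal destination; use the implicit method for hostnames")
    fam, laddr, _, raddr = validate_endpoints(local, remote)
    return [
        f"tunnel ipip {instance}",
        f"source {fam} address {laddr}",       # "ipv4" is shown on the page; "ipv6" is assumed
        f"destination {fam} address {raddr}",
        "exit",
    ]


def implicit_ipsec_commands(instance, local, remote, resolve=None):
    """Implicit method: endpoints are given in config-ipsec-tunnel mode and TNSR
    creates the matching IPIP tunnel itself.  Hostnames are allowed here."""
    _, laddr, _, rval = validate_endpoints(local, remote, resolve)
    return [
        f"ipsec tunnel {instance}",
        f"local-address {laddr}",
        f"remote-address {rval}",
    ]


def removal_commands(instance):
    """Teardown order from the text: IPsec tunnel first, then the ipipN interface,
    then the tunnel definition, regardless of which method created it."""
    return [
        f"no ipsec tunnel {instance}",
        f"no int ipip{instance}",
        f"no tunnel ipip {instance}",
    ]


if __name__ == "__main__":
    # Constructed sample input: the page's addresses plus a hypothetical hostname.
    print("\n".join(explicit_ipip_commands(0, "203.0.113.2", "203.0.113.25")))
    fake_dns = lambda name: ["203.0.113.25"]  # stands in for a dataplane-namespace lookup
    print("\n".join(implicit_ipsec_commands(0, "203.0.113.2", "vpn.example.net", resolve=fake_dns)))
    print("\n".join(removal_commands(0)))
```

The check is deliberately strict about hostnames: because strongSwan re-resolves the name on every connection lookup, a remote-address hostname that stops resolving to an address of the local-address's family from the dataplane namespace will break the tunnel later, not just at configuration time, so the resolver you plug in should be the same view of DNS the dataplane namespace sees.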