Configuring the IPsec Interface¶
TNSR supports routed IPsec via the
ipipX interface. The number of the
ipsec interface corresponds to the index number of the tunnel set
previously. For example
ipsec tunnel 0 is
ipsec tunnel 2
These IPsec interfaces are used to configure routed IPsec connectivity and they behave like most other interfaces. For example, they can have access lists defined to filter traffic.
ipipX interface should be configured with an IP address and the peer
will have its own IP address in the same subnet. This allows the two endpoints
to communicate directly over the IPsec interface and also gives the peer an
address through which traffic for other subnets may be routed. When configured
in this way, it acts like a directly connected point-to-point link to the peer.
IPsec Interface MTU¶
IPsec adds per-packet overhead which reduces the maximum packet size which can traverse IPsec without fragmentation. Avoiding fragmentation is important to ensure maximum performance and reliability for IPsec traffic. Some platforms have been observed to have issues processing fragmented IPsec traffic, resulting in packet loss or instability.
Given a hardware interface MTU of
1500 bytes an IPsec MTU of
is safe for most environments.
The amount of overhead added by IPsec varies depending on tunnel configuration
parameters such as the encryption algorithm, integrity algorithm, and UDP
encapsulation. As such, the maximum MTU may be higher than
1400 bytes in
some environments, but will require additional testing unique to each tunnel to
determine its optimal MTU.
Alternately, full IP reassembly can be enabled on the hardware interface that has the tunnel endpoint address configured to help alleviate fragmentation issues.
IPsec Interface Example¶
In this example, the
ipip0 interface is given an address of
18.104.22.168/30. The remote peer will be
tnsr(config)# interface ipip0 tnsr(config-interface)# ip address 22.214.171.124/30 tnsr(config-interface)# mtu 1400 tnsr(config-interface)# enable tnsr(config-interface)# exit