Configuring the IPsec Interface

TNSR supports routed IPsec via the ipipX interface. The number of the ipsec interface corresponds to the index number of the tunnel set previously. For example, ipsec tunnel 0 is ipip0, and ipsec tunnel 2 is ipip2.

These IPsec interfaces are used to configure routed IPsec connectivity and they behave like most other interfaces. For example, they can have access lists defined to filter traffic.

The ipipX interface should be configured with an IP address and the peers will have their own IP address in the same subnet.

For site-to-site IPsec this allows the two endpoints to communicate directly over the IPsec interface and also gives the peer an address through which traffic for other subnets may be routed. When configured in this way, it acts like a directly connected point-to-point link to the peer.

For remote access IPsec the prefix configured on the ipipX interface must be large enough to contain the remote access address pools from which the IPsec daemon dynamically assigns addresses to connecting clients.

IPsec Interface MTU

IPsec adds per-packet overhead which reduces the maximum packet size which can traverse IPsec without fragmentation. Avoiding fragmentation is important to ensure maximum performance and reliability for IPsec traffic. Some platforms have been observed to have issues processing fragmented IPsec traffic, resulting in packet loss or instability.

Given a hardware interface MTU of 1500 bytes, an IPsec MTU of 1400 bytes is safe for most environments.

The amount of overhead added by IPsec varies depending on tunnel configuration parameters such as the encryption algorithm, integrity algorithm, and UDP encapsulation. As such, the maximum MTU may be higher than 1400 bytes in some environments, but will require additional testing unique to each tunnel to determine its optimal MTU.

Alternately, full IP reassembly can be enabled on the hardware interface that has the tunnel endpoint address configured to help alleviate fragmentation issues.
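As an added illustration, not part of the TNSR documentation, the following Python estimates the ESP tunnel-mode overhead described above and the largest ipipX MTU that still fits inside a given hardware MTU. Header and trailer sizes come from RFC 4303 (ESP), RFC 4106 (AES-GCM) and RFC 3948 (UDP encapsulation); the transform catalogue and the names in it are constructed for this example.

```python
# Estimate ESP tunnel-mode overhead so the ipipX MTU can be chosen without
# causing IPsec fragmentation. Sizes: RFC 4303, RFC 4106, RFC 3948.
from dataclasses import dataclass

OUTER_IPV4_HDR = 20   # outer IPv4 header without options
OUTER_IPV6_HDR = 40   # outer IPv6 header without extension headers
UDP_ENCAP_HDR = 8     # NAT-T UDP header (RFC 3948)
ESP_HDR = 8           # SPI (4) + sequence number (4)
ESP_TRAILER = 2       # pad length (1) + next header (1)

@dataclass(frozen=True)
class EspTransform:
    name: str
    iv_len: int    # explicit IV bytes carried on the wire
    icv_len: int   # integrity check value bytes
    block: int     # alignment required of payload + padding + trailer

# Constructed catalogue of common transforms (values per the RFCs above).
TRANSFORMS = {
    "aes128gcm16":   EspTransform("aes128gcm16", 8, 16, 4),
    "aes256gcm16":   EspTransform("aes256gcm16", 8, 16, 4),
    "aes256-sha256": EspTransform("aes256-sha256", 16, 16, 16),
    "aes128-sha1":   EspTransform("aes128-sha1", 16, 12, 16),
}

def esp_padding(inner_len: int, block: int) -> int:
    """ESP padding bytes needed so payload + pad + trailer aligns to block."""
    return (-(inner_len + ESP_TRAILER)) % block

def esp_packet_size(inner_len, transform, ipv6=False, udp_encap=False):
    """On-the-wire size of one ESP tunnel-mode packet carrying inner_len bytes."""
    outer = OUTER_IPV6_HDR if ipv6 else OUTER_IPV4_HDR
    return (outer + (UDP_ENCAP_HDR if udp_encap else 0) + ESP_HDR
            + transform.iv_len + inner_len
            + esp_padding(inner_len, transform.block) + ESP_TRAILER
            + transform.icv_len)

def max_tunnel_mtu(outer_mtu, transform, ipv6=False, udp_encap=False):
    """Largest inner packet that fits in outer_mtu without fragmentation."""
    for inner in range(outer_mtu, 0, -1):
        if esp_packet_size(inner, transform, ipv6, udp_encap) <= outer_mtu:
            return inner
    raise ValueError("outer MTU too small for any payload")

if __name__ == "__main__":
    for name, t in TRANSFORMS.items():
        print(f"{name:14s} max ipipX mtu (1500-byte IPv4 outer, NAT-T): "
              f"{max_tunnel_mtu(1500, t, udp_encap=True)}")
```

For every transform in the catalogue the result stays at or above 1400 bytes, which is why the 1400-byte figure above is a safe default; the per-tunnel testing the text recommends is still needed because real paths may carry further overhead.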

IPsec Interface Example

In this example, the ipip0 interface is given an address of 172.32.0.1/30. The remote peer will be 172.32.0.2/30.

tnsr(config)# interface ipip0
tnsr(config-interface)# ip address 172.32.0.1/30
tnsr(config-interface)# mtu 1400
tnsr(config-interface)# enable
tnsr(config-interface)# exit