17.1.5. IPSec Route Based (VTI/XFRM)

In VT AIR it is possible to configure route-based VPNs. With these, IPSec processing does not (only) depend on the negotiated policies but can, for example, be controlled by routing packets to a specific IPSec interface.

You can create an interface out of the IPSec tunnel, often referred to as a VTI or, using the newer term, an XFRM interface. The advantage of the interface is that static routes defined on it are automatically deleted when the interface goes down. The interface's up/down status is tied to the Phase 1 being up or down.

The interface does not change the IPSec traffic, therefore the other end of the tunnel does not need any knowledge of it. The Route Based IPSec can also be configured on one end only.

This allows for failover setups in which multiple IPSec tunnels carry the same routes but with different metrics. You can enable the interface in the Phase 1 settings. The Phase 2 can have any network or networks defined.

You need to manually create routes (see Routes) for the Phase 2 networks that point to the interface. You can also set an IP address on the interface under Configure Interfaces.

The interface works as any other interface and can have firewall and NAT rules, as well as services running on it. It allows for DNAT/SNAT before the tunnel.

Another advantage of this approach is that the MTU can be specified for the IPSec interface, allowing packets to be fragmented before they are tunneled.