IPsec site-to-site VPN configuration options
Configuration options that Vyatta NOS supports for IPsec site-to-site VPNs.
Policy-based with no associated, visible interface
A policy-based configuration supports the IETF standards for IPsec.
Traffic is directed to a specified VPN tunnel according to a defined policy, and the same policy applies to all the traffic going through that tunnel.
It is relatively easy to deploy and is compatible with other vendor policy-based IPsec VPNs.
This type of configuration is suitable when you do not need to conserve tunnel resources or configure many security policies to filter traffic through the tunnel. For example, it can be used for a VPN to connect a branch office to corporate headquarters.
Virtual Feature Point (VFP) Interfaces
VFP is a new feature of Vyatta NOS. A key benefit of VFP is its flexibility.
VFP can be deployed with a peer that is configured for policy-based IPsec VPN, because its IKE negotiation to establish the IPsec tunnel is indistinguishable from the IKE negotiation used with policy-based IPsec. One peer can use basic policy-based IPsec and the other peer can use the enhanced policy-based IPsec with VFP.
When you use VFP, you can apply interface-dependent features such as network address translation (NAT) and firewalls to packets traversing the IPsec tunnel. Thus, it allows you to take advantage of features available to route-based IPsec VPNs while maintaining compatibility with policy-based IPsec VPNs.
Virtual Tunnel Interfaces (VTI)
A virtual tunnel interface provides a termination point for a site-to-site IPsec VPN tunnel and allows it to behave like other routable interfaces.
It allows you to configure a route-based VPN, not a policy-based VPN.
Like VFP, VTI allows you to apply interface-dependent features.
The IKE negotiation differs from the negotiation used without VTI. Therefore, VTI should be applied on both ends of the connection. We do not recommend connecting a VTI peer to a peer that is not using VTI.
VTI is compatible with third-party VTI VPN connections and might be required for connectivity with public cloud offerings.
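The practical consequence of the distinction above: with a policy-based tunnel, only traffic that matches the configured selectors is protected, while with a VTI anything routed out the interface is. The following Python model is an added illustration, not Vyatta NOS code; the prefixes, tunnel and interface names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example topology (not a Vyatta configuration): a branch office
# 10.1.0.0/16 connected to headquarters 10.2.0.0/16 by one site-to-site tunnel.
@dataclass(frozen=True)
class Policy:
    local: ipaddress.IPv4Network   # local selector (traffic source)
    remote: ipaddress.IPv4Network  # remote selector (traffic destination)
    tunnel: str                    # tunnel the matching traffic is sent through

POLICIES = [Policy(ipaddress.ip_network("10.1.0.0/16"),
                   ipaddress.ip_network("10.2.0.0/16"), "tunnel 1")]

# Route-based equivalent: the remote prefix is simply routed out a VTI.
ROUTES = [(ipaddress.ip_network("0.0.0.0/0"), "eth0"),
          (ipaddress.ip_network("10.2.0.0/16"), "vti0")]

def policy_based_selection(policies, src, dst):
    """Policy-based IPsec: search the policy list for the first selector pair
    that matches the packet; anything that matches no policy is not protected."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if s in p.local and d in p.remote:
            return p.tunnel
    return None

def route_based_selection(routes, dst):
    """Route-based IPsec (VTI): longest-prefix match picks the egress interface;
    everything routed out the VTI is encrypted, whatever its source address."""
    d = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        if d in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None

def compare(src, dst):
    """Return (policy-based tunnel or None, route-based egress interface)."""
    return policy_based_selection(POLICIES, src, dst), route_based_selection(ROUTES, dst)

if __name__ == "__main__":
    # Host inside the configured local subnet: protected under either model.
    print(compare("10.1.5.5", "10.2.1.1"))      # ('tunnel 1', 'vti0')
    # Host in a subnet added later and never put in the policy: policy-based
    # IPsec leaves it unprotected; the VTI still encrypts it because of the route.
    print(compare("192.168.9.9", "10.2.1.1"))   # (None, 'vti0')
```

The second case is the one to check for in a policy-based deployment: a new local subnet silently falls outside the tunnel until a matching policy is added.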
GRE tunnels protected by IPsec
GRE tunnels can be included within IPsec, allowing you to take advantage of the multi-protocol flexibility of GRE while having the encryption protection of IPsec.
Interface-dependent features (such as NAT, uRPF, and firewall) can be specified for the GRE tunnel.
This type of configuration requires that both peers are configured for a GRE tunnel protected by IPsec.