Using tunnels to extend IPsec capability
An IPsec policy-based tunnel cannot directly route non-IP or multicast protocols. IPsec also has limitations from an operational point of view.
Using tunnel interfaces with IPsec VPN provides secure, routable tunnel connections between gateways. These tunnels have some advantages over traditional IPsec policy-based tunnel mode connections.
- They support standard operational commands, such as show interfaces and show route.
- They support operational tools, such as traceroute and SNMP.
- They provide dynamic tunnel failover by using routing protocols.
- They simplify IPsec policies and troubleshooting.
IPsec is explained in detail in Ciena Vyatta Network OS IPsec Site-to-Site VPN Configuration Guide. See that guide for more information.
The use of tunnel interfaces with IPsec is documented in the following standard, which describes how IP-in-IP tunnels combined with IPsec transport-mode encryption provide secure, routable tunnels:
- RFC 3884: Use of IPsec Transport Mode for Dynamic Routing
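The following Python is an added example, not code from the Ciena Vyatta guide or from the Vyatta NOS. It builds the same inner packet both ways described above: once as a policy-based IPsec tunnel (ESP tunnel mode, where IPsec adds the outer header) and once as an IP-in-IP tunnel protected by transport-mode ESP (RFC 3884). ESP is framed per RFC 4303 with the NULL cipher (RFC 2410) and an HMAC-SHA-256-128 ICV (RFC 4868) so the layering stays readable; the integrity key, the gateway addresses, the SPI and the OSPF-like multicast payload are all constructed sample values.

```python
"""Added example (not from the Ciena Vyatta guide): byte-level view of the two
encapsulations this section contrasts.  A policy-based IPsec tunnel uses ESP
tunnel mode, where IPsec itself adds the outer IP header.  The RFC 3884 design
lets a tunnel interface add the outer header (IP-in-IP, protocol 4) and then
protects that packet with ESP transport mode.  ESP here uses the NULL cipher
(RFC 2410) with HMAC-SHA-256-128 integrity (RFC 4868) so the layering stays
readable; the key, addresses, SPI and OSPF-like payload are constructed."""
import hashlib
import hmac
import socket
import struct

PROTO_IPIP = 4     # IP-in-IP; also the ESP next-header value for an inner IPv4 packet
PROTO_ESP = 50
PROTO_OSPF = 89
ICV_LEN = 16       # HMAC-SHA-256-128 truncates the MAC to 128 bits
KEY = b"constructed-sample-key-not-from-IKE"   # constructed; real SAs get keys from IKE


def ipv4_checksum(hdr):
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """20-byte IPv4 header, DF set, checksum filled in."""
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                         ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return fields[:10] + struct.pack("!H", ipv4_checksum(fields)) + fields[12:]


def patch_header(hdr, proto, payload_len):
    """What transport mode does to an existing header: new protocol and length, checksum redone."""
    fields = (hdr[:2] + struct.pack("!H", 20 + payload_len) + hdr[4:9]
              + bytes([proto]) + b"\0\0" + hdr[12:])
    return fields[:10] + struct.pack("!H", ipv4_checksum(fields)) + fields[12:]


def esp_wrap(spi, seq, payload, next_header):
    """RFC 4303 ESP with NULL encryption: header, payload, padding to a 4-byte
    boundary, trailer (pad length, next header), then the truncated HMAC ICV."""
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(KEY, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


def policy_based_tunnel_mode(inner, gw_local, gw_remote, spi, seq):
    """Tunnel mode: ESP wraps the whole inner packet and IPsec adds the outer header.
    No interface exists for 'show interfaces' or a routing protocol to work with."""
    esp = esp_wrap(spi, seq, inner, PROTO_IPIP)
    return ipv4_header(gw_local, gw_remote, PROTO_ESP, len(esp)) + esp


def ipip_tunnel_with_transport_mode(inner, gw_local, gw_remote, spi, seq):
    """RFC 3884: the tunnel interface emits IP-in-IP (outer proto 4); transport-mode
    ESP then protects everything after that outer header."""
    ipip = ipv4_header(gw_local, gw_remote, PROTO_IPIP, len(inner)) + inner
    outer, payload = ipip[:20], ipip[20:]
    esp = esp_wrap(spi, seq, payload, outer[9])      # next header = the header's original proto (4)
    return patch_header(outer, PROTO_ESP, len(esp)) + esp


def decode(packet):
    """Walk outer IP -> ESP -> inner IP, verifying the ICV, and return the layering."""
    ihl = (packet[0] & 0x0F) * 4
    outer, esp = packet[:ihl], packet[ihl:]
    if outer[9] != PROTO_ESP:
        raise ValueError("outer protocol is not ESP")
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(KEY, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        raise ValueError("ESP ICV mismatch")
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    inner = body[8:-(2 + pad_len)]
    return {
        "outer": (socket.inet_ntoa(outer[12:16]), socket.inet_ntoa(outer[16:20])),
        "spi": spi, "seq": seq, "next_header": next_header,
        "inner": (socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20]), inner[9]),
    }


def sample_inner_packet():
    """Constructed OSPF-like packet to the AllSPFRouters multicast group: the kind of
    traffic a tunnel interface can carry and a policy-based tunnel cannot route."""
    payload = b"\x02\x01\x00\x08smpl"    # constructed filler, not a valid OSPF header
    return ipv4_header("10.0.0.1", "224.0.0.5", PROTO_OSPF, len(payload)) + payload


def compare_encapsulations():
    """Encapsulate the same packet both ways; return the decoded layering and whether
    the bytes on the wire are identical."""
    inner = sample_inner_packet()
    a = policy_based_tunnel_mode(inner, "192.0.2.1", "198.51.100.1", 0x1000, 1)
    b = ipip_tunnel_with_transport_mode(inner, "192.0.2.1", "198.51.100.1", 0x1000, 1)
    return decode(b), a == b


if __name__ == "__main__":
    layering, same_on_wire = compare_encapsulations()
    print(layering)
    print("identical on the wire:", same_on_wire)
```

Run stand-alone, the script prints the decoded layering (outer gateway addresses, SPI, ESP next header 4, inner multicast packet with protocol 89) and reports that the two encapsulations are byte-for-byte identical. That is the practical point of RFC 3884: nothing changes on the wire, so peers, firewalls and packet captures see ordinary ESP traffic; what changes is that the outer header now belongs to a tunnel interface that the routing table, routing protocols and the standard show commands can see, which is what makes multicast forwarding and routing-based failover possible.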
Another method of providing a secure routable interface is to use a Virtual Tunnel Interface (VTI). Refer to Ciena Vyatta Network OS IPsec Site-to-Site VPN Configuration Guide for more information.