ipsec site-to-site: Support binding multiple tunnels to one VTI, customizing local and remote traffic selectors
Open, LowPublic
Actions

Assigned To

None

Authored By

	lucasec
	Dec 29 2023, 6:24 AM

Description

Now that we use XFRM under the hood, there is no technical constraint that a single tunnel must map to a single VTI (XFRM) interface. It is perfectly possible to bind multiple tunnels to one interface, either for redundancy or to reduce administrative overhead with several tunnels each configured with non-overlapping traffic selectors.

Scope of work:

Allow the local and remote traffic selectors to be configured when VTI is in use. This may have value on its own, e.g. if users want to change the default of all IPv4 and IPv6 traffic.
Modify ipsec hooks that translate tunnel up/down into interface up/down to logically handle multiple tunnels bound to one interface.

Details

Difficulty level: Unknown (require assessment)
Version: -
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Unspecified (please specify)

Event Timeline

lucasec created this task.Dec 29 2023, 6:24 AM

lucasec created this object in space S1 VyOS Public.

pasik added a subscriber: pasik.Dec 29 2023, 9:45 AM

dmbaturin edited projects, added VyOS 1.5 Circinus; removed VyOS 1.4 Sagitta.Fri, Apr 12, 2:46 PM

ipsec site-to-site: Support binding multiple tunnels to one VTI, customizing local and remote traffic selectorsOpen, LowPublicActions

Description

Details

Event Timeline

ipsec site-to-site: Support binding multiple tunnels to one VTI, customizing local and remote traffic selectors
Open, LowPublic
Actions