A secured interface secures traffic forwarded through a specified IP interface by way of one or more Secure Interface Tunnels (SI tunnels) configured under that interface. An SI tunnel is conceptually the same as a traditional static IPsec tunnel. The differences are:
SI tunnels are configured under an IP interface, whereas static IPsec tunnels are configured under the private tunnel SAP of a tunnel interface.
With an SI tunnel, the following objects are created automatically as part of the SI tunnel configuration, so no separate tunnel configuration is needed:
public tunnel SAP
public interface
private tunnel SAP
private tunnel interface
The public service of an SI tunnel is the service of the secured interface, which can be the Base router, an IES, or a VPRN service.
The local tunnel address of the SI tunnel must be one of the interface addresses of the secured interface. If the secured interface is unnumbered, it must be one of the interface addresses of the interface specified by the unnumbered configuration.
The private service defaults to the same service as the public service; the user can also specify a different service.
On the public side:
With a secured interface, by default all traffic ingressing the interface is subject to IPsec processing. Received traffic that is not IPsec traffic (ESP or IKE) is dropped. This behavior can be changed by configuring an ip-exception or ipv6-exception filter under the interface: all ingress traffic matching the ip-exception or ipv6-exception filter bypasses IPsec processing and is forwarded through normal routing.
The system forwards all SI tunnel traffic (after encryption and encapsulation) out through the corresponding secured interface.
SSH traffic destined to the local system and MPLS/SDP traffic always bypass IPsec processing.
On the private side:
As with a static IPsec tunnel, traffic is routed into the SI tunnel through a static route or a BGP route.
When an SI tunnel is operationally down, routes whose next hop is the tunnel become unresolved and are withdrawn from the route table.
The show, debug, tool, clear, and admin commands that apply to static IPsec tunnels also apply to SI tunnels.
The following features are not supported with SI tunnels on 7705 SAR-Hm (with cellular exit port):
Dest-ip
MC-IPsec
IPv4 over IPv6
IPv6 over IPv6
MLDv2 over SI tunnel
The following features are not supported with SI tunnels on VSR:
Dest-ip
MC-IPsec
MLDv2 over SI tunnel
SI tunnels are supported only in the VSR and 7705 SAR-Hm families.