Transport WAN VPN IPsec Interface Feature

Configure IPsec interface under the WAN VPN (VPN 0)

Diagram

Classes

wan_vpn (sdwan.feature_profiles.transport_profiles)

Name	Type	Constraint	Mandatory	Default Value
ipsec_interfaces	List	`[ipsec_interfaces]`	No

ipsec_interfaces (sdwan.feature_profiles.transport_profiles.wan_vpn)

Name	Type	Constraint	Mandatory	Default Value
name	String	Regex: `^[^&<>! "]{1,128}$`	Yes
description	String		No
application_tunnel_type	Choice	`none`, `sig`	No	`none`
application_tunnel_type_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,128}$`	No
clear_dont_fragment	Boolean	`true`, `false`	No
clear_dont_fragment_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,128}$`	No
dpd_interval	Integer	min: `10`, max: `3600`	No
dpd_interval_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,128}$`	No
dpd_retries	Integer	min: `2`, max: `60`	No
dpd_retries_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,128}$`	No
ike_cipher_suite	Choice	`aes256-cbc-sha1`, `aes256-cbc-sha2`, `aes128-cbc-sha1`, `aes128-cbc-sha2`	No
ike_cipher_suite_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,128}$`	No
ike_diffie_hellman_group	Choice	`2`, `14`, `15`, `16`, `19`, `20`, `21`, `24`	No
ike_diffie_hellman_group_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,128}$`	No
ike_integrity_protocol	Choice	`main`, `aggressive`	No
ike_integrity_protocol_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,128}$`	No
ike_local_endpoint_id	String	min: `1`, max: `63`	No
ike_local_endpoint_id_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,128}$`	No
ike_preshared_key	String	min: `1`, max: `127`	No
ike_preshared_key_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,128}$`	No
ike_rekey_interval	Integer	min: `60`, max: `86400`	No
ike_rekey_interval_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,128}$`	No
ike_remote_endpoint_id	String	min: `1`, max: `63`	No
ike_remote_endpoint_id_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,128}$`	No
ike_version	Integer	min: `1`, max: `2`	No
interface_description	String	min: `0`, max: `240`	No
interface_description_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,128}$`	No
interface_name	String	Regex: `^ipsec\d{1,3}$`	No
interface_name_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,128}$`	No
ipsec_cipher_suite	Choice	`aes256-cbc-sha1`, `aes256-cbc-sha256`, `aes256-cbc-sha384`, `aes256-cbc-sha512`, `aes256-gcm`, `null-sha1`, `null-sha256`, `null-sha384`, `null-sha512`	No
ipsec_cipher_suite_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,128}$`	No
ipsec_perfect_forward_secrecy	Choice	`group-1`, `group-2`, `group-5`, `group-14`, `group-15`, `group-16`, `group-19`, `group-20`, `group-21`, `group-24`, `none`	No
ipsec_perfect_forward_secrecy_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,128}$`	No
ipsec_rekey_interval	Integer	min: `120`, max: `2592000`	No
ipsec_rekey_interval_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,128}$`	No
ipsec_replay_window	Integer	min: `64`, max: `4096`	No
ipsec_replay_window_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,128}$`	No
ipv4_address	IP		No
ipv4_address_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,128}$`	No
ipv4_mtu	Integer	min: `68`, max: `9216`	No
ipv4_mtu_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,128}$`	No
ipv4_subnet_mask	Choice	`255.255.255.255`, `255.255.255.254`, `255.255.255.252`, `255.255.255.248`, `255.255.255.240`, `255.255.255.224`, `255.255.255.192`, `255.255.255.128`, `255.255.255.0`, `255.255.254.0`, `255.255.252.0`, `255.255.248.0`, `255.255.240.0`, `255.255.224.0`, `255.255.192.0`, `255.255.128.0`, `255.255.0.0`, `255.254.0.0`, `255.252.0.0`, `255.240.0.0`, `255.224.0.0`, `255.192.0.0`, `255.128.0.0`, `255.0.0.0`, `254.0.0.0`, `252.0.0.0`, `248.0.0.0`, `240.0.0.0`, `224.0.0.0`, `192.0.0.0`, `128.0.0.0`, `0.0.0.0`	No
ipv4_subnet_mask_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,128}$`	No
ipv4_tcp_mss	Integer	min: `500`, max: `1460`	No
ipv4_tcp_mss_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,128}$`	No
ipv6_address	String	Regex: ((^\s((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}\|:))\|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}\|((25[0-5]\|2[0-4]\d\|1\d\d\|[1-9]?\d)(\.(25[0-5]\|2[0-4]\d\|1\d\d\|[1-9]?\d)){3})\|:))\|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})\|:((25[0-5]\|2[0-4]\d\|1\d\d\|[1-9]?\d)(\.(25[0-5]\|2[0-4]\d\|1\d\d\|[1-9]?\d)){3})\|:))\|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})\|((:[0-9A-Fa-f]{1,4})?:((25[0-5]\|2[0-4]\d\|1\d\d\|[1-9]?\d)(\.(25[0-5]\|2[0-4]\d\|1\d\d\|[1-9]?\d)){3}))\|:))\|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})\|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]\|2[0-4]\d\|1\d\d\|[1-9]?\d)(\.(25[0-5]\|2[0-4]\d\|1\d\d\|[1-9]?\d)){3}))\|:))\|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})\|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]\|2[0-4]\d\|1\d\d\|[1-9]?\d)(\.(25[0-5]\|2[0-4]\d\|1\d\d\|[1-9]?\d)){3}))\|:))\|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})\|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]\|2[0-4]\d\|1\d\d\|[1-9]?\d)(\.(25[0-5]\|2[0-4]\d\|1\d\d\|[1-9]?\d)){3}))\|:))\|(:(((:[0-9A-Fa-f]{1,4}){1,7})\|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]\|2[0-4]\d\|1\d\d\|[1-9]?\d)(\.(25[0-5]\|2[0-4]\d\|1\d\d\|[1-9]?\d)){3}))\|:)))(%.+)?\s(\/)(\b([0-9]{1,2}\|1[01][0-9]\|12[0-8])\b)$))	No
ipv6_address_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,128}$`	No
ipv6_mtu	Integer	min: `1280`, max: `9976`	No
ipv6_mtu_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,128}$`	No
ipv6_tcp_mss	Integer	min: `40`, max: `1454`	No
ipv6_tcp_mss_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,128}$`	No
multiplexing	Boolean	`true`, `false`	No
multiplexing_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,128}$`	No
shutdown	Boolean	`true`, `false`	No
shutdown_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,128}$`	No
tracker_id	String		No
tracker_id_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,128}$`	No
tunnel_destination_ipv4_address	IP		No
tunnel_destination_ipv4_address_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,128}$`	No
tunnel_destination_ipv6_address	IP		No
tunnel_destination_ipv6_address_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,128}$`	No
tunnel_mode	Choice	`ipv4`, `ipv6`, `ipv4-v6overlay`	No
tunnel_route_via	String	min: `1`, max: `32`	No
tunnel_route_via_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,128}$`	No
tunnel_source_interface	String	Regex: (ATM\|ATM-ACR\|AppGigabitEthernet\|AppNav-Compress\|AppNav-UnCompress\|Async\|BD-VIF\|BDI\|CEM\|CEM-ACR\|Cellular\|Dialer\|Embedded-Service-Engine\|Ethernet\|Ethernet-Internal\|FastEthernet\|FiftyGigabitEthernet\|FiveGigabitEthernet\|FortyGigabitEthernet\|FourHundredGigE\|GMPLS\|GigabitEthernet\|Group-Async\|HundredGigE\|L2LISP\|LISP\|Loopback\|MFR\|Multilink\|Port-channel\|SM\|Serial\|Service-Engine\|TenGigabitEthernet\|Tunnel\|TwentyFiveGigE\|TwentyFiveGigabitEthernet\|TwoGigabitEthernet\|TwoHundredGigE\|Vif\|Virtual-PPP\|Virtual-Template\|VirtualPortGroup\|Vlan\|Wlan-GigabitEthernet\|nat64\|nat66\|ntp\|nve\|ospfv3\|overlay\|pseudowire\|ucse\|vasileft\|vasiright\|vmi)([0-9](. ?[1-9][0-9])*\|[0-9/]+\|[0-9]+/[0-9]+/[0-9]+:[0-9]+\|[0-9]+/[0-9]+/[0-9]+\|[0-9]+/[0-9]+\|[0-9]+)	No
tunnel_source_interface_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,128}$`	No
tunnel_source_ipv4_address	IP		No
tunnel_source_ipv4_address_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,128}$`	No
tunnel_source_ipv6_address	IP		No
tunnel_source_ipv6_address_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,128}$`	No

Examples

Example-1: This example demonstrates two methods for configuring IPsec interfaces under the wan_vpn feature within a transport profile using IPv4 tunnel mode. IPSEC-1 is configured with an explicit tunnel source IPv4 address, while IPSEC-2 references a tunnel source interface.

sdwan:
  feature_profiles:
    transport_profiles:
      - name: transport1
        wan_vpn:
          name: wan_vpn
          ipsec_interfaces:
            - name: IPSEC-1
              description: IPSEC Interface 1
              interface_name: ipsec1
              ipv4_address: 3.3.3.1
              ipv4_subnet_mask: 255.255.255.252
              ike_preshared_key: mysecret
              shutdown: false
              tunnel_destination_ipv4_address: 2.2.2.2
              tunnel_source_ipv4_address: 1.1.1.1
            - name: IPSEC-2
              description: IPSEC Interface 2
              interface_name: ipsec2
              ike_preshared_key: mysecret
              shutdown: false
              tunnel_destination_ipv4_address: 3.3.3.3
              tunnel_mode: ipv4
              tunnel_source_interface: GigabitEthernet2

Example-2: This example demonstrates IPsec interface configuration using IPv6 tunnel modes. IPSEC-3 is configured with pure IPv6 tunnel mode, while IPSEC-4 uses IPv4-v6overlay mode to transport IPv6 traffic over an IPv4 tunnel.

sdwan:
  feature_profiles:
    transport_profiles:
      - name: transport1
        wan_vpn:
          name: wan_vpn
          ipsec_interfaces:
            - name: IPSEC-3
              description: IPSEC Interface 3
              interface_name: ipsec3
              ipv6_address: 2001:db8:1::1/128
              ike_preshared_key: mysecret3
              shutdown: false
              tunnel_destination_ipv6_address: 2001:db8:3::1
              tunnel_mode: ipv6
              tunnel_source_ipv6_address: 2001:db8:2::1
            - name: IPSEC-4
              description: IPSEC Interface 4
              interface_name: ipsec4
              ipv6_address: 2001:db8:4::2/128
              ike_preshared_key: mysecret4
              shutdown: false
              tunnel_destination_ipv4_address: 7.7.7.7
              tunnel_mode: ipv4-v6overlay
              tunnel_source_interface: GigabitEthernet1