Policy Based VPN

Policy-based VPNs direct traffic that matches predefined traffic-policy rules into a secure IPsec tunnel. This is in contrast to route-based VPNs, where everything routed to the tunnel interface is encrypted: a policy-based VPN gives granular control over which traffic is encrypted and sent through the VPN, and traffic that matches no rule is forwarded by the normal routing table rather than through the tunnel.

Configuring Policy-Based VPN

The following steps configure the Policy-Based VPN.

  • The IPsec tunnel is configured first as per IPsec Configuration.
    switch(config)#interface Tunnel11
    switch(config-if-Tu11)#
    switch(config-if-Tu11)#vrf vrf1
    switch(config-if-Tu11)#tunnel mode ipsec
    switch(config-if-Tu11)#tunnel source 1.0.0.2
    switch(config-if-Tu11)#tunnel destination 2.0.0.2
    switch(config-if-Tu11)#tunnel ipsec profile prof-1
  • Configure the traffic policy and traffic policy rules to match the source and destination prefix and redirect the traffic to an IPsec tunnel.
    switch(config)#traffic-policies
    switch(config-traffic-policies)#traffic-policy p1
    switch(config-traffic-policy-p1)#match m1 ipv4
    switch(config-traffic-policy-match-p1-m1-ipv4)#source prefix 193.23.65.0/24
    switch(config-traffic-policy-match-p1-m1-ipv4)#destination prefix 194.27.52.0/24
    switch(config-traffic-policy-match-p1-m1-ipv4)#actions
    switch(config-traffic-policy-actions-p1-m1)#redirect next-hop interface Tunnel11
  • If needed, enable the count action to track any packets matching the rule.
    switch(config)#traffic-policies
    switch(config-traffic-policies)#traffic-policy p1
    switch(config-traffic-policy-p1)#match m1 ipv4
    switch(config-traffic-policy-match-p1-m1-ipv4)#actions
    switch(config-traffic-policy-actions-p1-m1)#count
  • Apply the traffic policy to an interface or VNI (VXLAN Network Identifier).
    switch(config)#interface Ethernet 1
    switch(config-if-Et1)#traffic-policy input p1
    switch(config)#interface vxlan 1
    switch(config-if-Vx1)#vxlan vni 150 traffic-policy input p1
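Because only traffic that matches a rule is redirected into the tunnel, a useful check before applying the policy is to confirm that every flow you expect to be protected actually hits a redirect rule. The following script is an added example, not part of the EOS documentation or any Arista tool: it models the traffic-policy rules above (match source/destination prefix, redirect to a tunnel interface) and reports which flows would be redirected into the IPsec tunnel and which would match no rule and bypass it. First-match rule evaluation, the second rule m2 and all of the flows are assumptions constructed for illustration; rule m1 is the one configured in the procedure above.

```python
"""Coverage check for a policy-based VPN traffic policy.

Added example, not part of the EOS documentation or any Arista tool. It models
the traffic-policy rules configured above (match source/destination prefix,
redirect to a tunnel interface) and reports which flows would be redirected
into the IPsec tunnel and which would match no rule and be forwarded by the
normal routing table. First-match semantics, the second rule (m2) and all of
the flows are assumptions constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, str]  # (source address, destination address)


@dataclass(frozen=True)
class MatchRule:
    """One 'match <name> ipv4' rule with a 'redirect next-hop interface' action."""
    name: str
    source: str        # source prefix
    destination: str   # destination prefix
    tunnel: str        # interface named in the redirect action

    def matches(self, src: str, dst: str) -> bool:
        return (ip_address(src) in ip_network(self.source)
                and ip_address(dst) in ip_network(self.destination))


# Rule m1 is the one configured in the procedure above; m2 is constructed.
RULES: List[MatchRule] = [
    MatchRule("m1", "193.23.65.0/24", "194.27.52.0/24", "Tunnel11"),
    MatchRule("m2", "193.23.66.0/24", "194.27.52.0/24", "Tunnel11"),
]

# Constructed flows a site might expect to be protected.
FLOWS: List[Flow] = [
    ("193.23.65.10", "194.27.52.20"),   # covered by m1
    ("193.23.66.10", "194.27.52.20"),   # covered by m2
    ("193.23.65.10", "194.27.53.5"),    # neighbouring /24, matched by no rule
]


def classify(rules: List[MatchRule], src: str, dst: str) -> Optional[str]:
    """Return the tunnel the first matching rule redirects to, or None if no rule matches."""
    for rule in rules:
        if rule.matches(src, dst):
            return rule.tunnel
    return None


def coverage_report(rules: List[MatchRule], flows: List[Flow]) -> Dict[Flow, Optional[str]]:
    """Map every flow to the tunnel it is redirected into (None = bypasses the VPN)."""
    return {flow: classify(rules, *flow) for flow in flows}


def uncovered(rules: List[MatchRule], flows: List[Flow]) -> List[Flow]:
    """Flows that match no redirect rule and therefore bypass the VPN."""
    return [flow for flow, tunnel in coverage_report(rules, flows).items() if tunnel is None]


if __name__ == "__main__":
    for flow, tunnel in coverage_report(RULES, FLOWS).items():
        print(f"{flow[0]} -> {flow[1]}: {tunnel or 'NOT REDIRECTED (no matching rule)'}")
```

The third flow illustrates the failure mode that matters with a policy-based VPN: a destination one prefix away from the configured selector is silently routed outside the tunnel, so the prefix list in the policy should be derived from the real address plan rather than typed by hand.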

Policy-Based VPN Show Commands

  • The show ip security connection command lists all IPsec connections, including policy-based connections. The entry marked (P) is the policy-based tunnel itself; the Tunnel12-connN entries are the individual connections established under it.
    switch#show ip security connection
    Legend: (P) policy based VPN tunnel
    Tunnel           Source           Dest             Status       Uptime     Input            Output           Rekey Time
    Tunnel12(P)      1.0.0.2          3.0.0.2          None         N/A        N/A              N/A              N/A
    Tunnel12-conn1   1.0.0.2          3.0.0.2          Idle         N/A        0 bytes          0 bytes          N/A
                                                                               0 pkts           0 pkts
    Tunnel12-conn10  1.0.0.2          3.0.0.2          Idle         N/A        0 bytes          0 bytes          N/A
                                                                               0 pkts           0 pkts
    Tunnel12-conn2   1.0.0.2          3.0.0.2          Idle         N/A        0 bytes          0 bytes          N/A
                                                                               0 pkts           0 pkts
  • The show ip security connection policy command lists all Policy-based VPN IPsec connections.
    switch#show ip security connection policy
    Legend: (P) policy based VPN tunnel
    Tunnel           Source           Dest             Status       Uptime     Input            Output           Rekey Time
    Tunnel12(P)      1.0.0.2          3.0.0.2          None         N/A        N/A              N/A              N/A
    Tunnel12-conn1   1.0.0.2          3.0.0.2          Idle         N/A        0 bytes          0 bytes          N/A
                                                                               0 pkts           0 pkts
    Tunnel12-conn10  1.0.0.2          3.0.0.2          Idle         N/A        0 bytes          0 bytes          N/A
                                                                               0 pkts           0 pkts
    Tunnel12-conn2   1.0.0.2          3.0.0.2          Idle         N/A        0 bytes          0 bytes          N/A
                                                                               0 pkts           0 pkts
  • The show ip security connection policy Tunnel12-conn5 detail command gives details of a particular policy-based VPN IPsec connection: its traffic selectors, state, VRF, and for each inbound and outbound SA the SPI, replay window, error counters (packets outside the replay window, replays, integrity failures) and lifetime limits and usage.
    switch#show ip security connection policy Tunnel12-conn5 detail
    Tunnel12-conn5:
      Source address: 1.0.0.2, Destination address: 3.0.0.2
      Traffic Selectors:
        Source prefix: 192.146.52.0/24, Destination prefix: 195.215.131.0/24
      State: established
      Uptime: 48 seconds
      VRF: default
      Inbound SPI: 0xc7b590:
        Request ID: 53, Mode: tunnel, Replay window size: 16384, Seq: 0x0
        Errors:
          Packets outside replay window: 0, Replay: 0, Integrity failed: 0
        Lifetime config:
          Soft byte limit: 4081180873500, Hard byte limit: 6442450944000
          Soft packet limit: 2716069343, Hard packet limit: 4000000000
          Soft time limit: 2800 secs, Hard time limit: 3600 secs
        Lifetime current:
          Current bytes: 780
          Current packets: 5
          SA add time: Fri May 31 10:57:30 2024
          SA last use time: Fri May 31 10:57:32 2024
      Outbound SPI: 0xc048fe:
        Request ID: 53, Mode: tunnel, Replay window size: 0, Seq: 0x0
        Errors:
          Packets outside replay window: 0, Replay: 0, Integrity failed: 0
        Lifetime config:
          Soft byte limit: 4115718055500, Hard byte limit: 6442450944000
          Soft packet limit: 2212084086, Hard packet limit: 4000000000
          Soft time limit: 2693 secs, Hard time limit: 3600 secs
        Lifetime current:
          Current bytes: 460
          Current packets: 5
          SA add time: Fri May 31 10:57:30 2024
          SA last use time: Fri May 31 10:57:32 2024
  • The show traffic-policy interface detail command gives details of traffic policies configured on the system.
    switch#show traffic-policy interface detail
    Traffic policy p1
       Configured on input of interfaces: VNI 150
       Applied on input of interfaces for IPv4 traffic: VNI 150 (Vlan4094)
       Applied on input of interfaces for IPv6 traffic:
       Total number of rules configured: 22
          match m1 ipv4
             Source prefix: 193.197.184.0/24
             Destination prefix: 194.158.149.0/24
             Actions: Redirect next hop interface Tunnel11
          match m2 ipv4
             Source prefix: 193.115.146.0/24
             Destination prefix: 194.245.121.0/24
             Actions: Redirect next hop interface Tunnel11
          match m3 ipv4
             Source prefix: 193.164.195.0/24
             Destination prefix: 194.170.191.0/24
             Actions: Redirect next hop interface Tunnel11
          match m4 ipv4
             Source prefix: 193.5.3.0/24
             Destination prefix: 194.190.79.0/24
             Actions: Redirect next hop interface Tunnel11
          match m5 ipv4
             Source prefix: 193.248.240.0/24
             Destination prefix: 194.227.87.0/24
             Actions: Redirect next hop interface Tunnel11
          match m6 ipv4
             Source prefix: 193.166.196.0/24
             Destination prefix: 194.204.187.0/24
             Actions: Redirect next hop interface Tunnel11
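The per-SA error counters in the detail output are the first place to look when a policy-based tunnel misbehaves: a non-zero integrity-failed count points at a key or proposal mismatch or tampering, a non-zero replay count at replayed or badly reordered traffic, and an inbound replay window of 0 means anti-replay is off. The following script is an added example, not part of the EOS documentation or any Arista tool: it parses the text format shown above into a dictionary and returns findings for those conditions. SAMPLE_GOOD is abridged from the page's own output; SAMPLE_BAD is a constructed variant (the state string "connecting" and the counter value are assumptions made for the example). Only the inbound SA's replay window is checked because anti-replay is enforced by the receiver, which is why the page's outbound SA legitimately shows a window of 0.

```python
"""Health check for one policy-based VPN connection from
'show ip security connection policy <conn> detail'.

Added example, not part of the EOS documentation or any Arista tool.
SAMPLE_GOOD is abridged from the page's output; SAMPLE_BAD is constructed.
"""
import re
from typing import Dict, List

SAMPLE_GOOD = """Tunnel12-conn5:
  Source address: 1.0.0.2, Destination address: 3.0.0.2
  Traffic Selectors:
    Source prefix: 192.146.52.0/24, Destination prefix: 195.215.131.0/24
  State: established
  Uptime: 48 seconds
  VRF: default
  Inbound SPI: 0xc7b590:
    Request ID: 53, Mode: tunnel, Replay window size: 16384, Seq: 0x0
    Errors:
      Packets outside replay window: 0, Replay: 0, Integrity failed: 0
    Lifetime current:
      Current bytes: 780
      Current packets: 5
  Outbound SPI: 0xc048fe:
    Request ID: 53, Mode: tunnel, Replay window size: 0, Seq: 0x0
    Errors:
      Packets outside replay window: 0, Replay: 0, Integrity failed: 0
    Lifetime current:
      Current bytes: 460
      Current packets: 5
"""

# Constructed: same connection, not established and with inbound integrity failures
# (first "Integrity failed" occurrence is the inbound SA).
SAMPLE_BAD = (SAMPLE_GOOD.replace("State: established", "State: connecting")
              .replace("Integrity failed: 0", "Integrity failed: 7", 1))


def parse_connection_detail(text: str) -> Dict:
    """Parse one connection's detail output into {name, state, selectors, sas}."""
    conn: Dict = {"name": None, "state": None, "selectors": None, "sas": {}}
    current = None  # "inbound" or "outbound" while inside an SA block
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace() and line.endswith(":"):   # "Tunnel12-conn5:"
            conn["name"] = line[:-1]
            continue
        m = re.match(r"State: (\S+)", line)
        if m:
            conn["state"] = m.group(1)
            continue
        m = re.match(r"Source prefix: (\S+), Destination prefix: (\S+)", line)
        if m:
            conn["selectors"] = (m.group(1), m.group(2))
            continue
        m = re.match(r"(Inbound|Outbound) SPI: (0x[0-9a-fA-F]+):", line)
        if m:
            current = m.group(1).lower()
            conn["sas"][current] = {"spi": int(m.group(2), 16)}
            continue
        if current is None:
            continue
        sa = conn["sas"][current]
        m = re.match(r"Request ID: (\d+), Mode: (\S+), Replay window size: (\d+)", line)
        if m:
            sa["mode"], sa["replay_window"] = m.group(2), int(m.group(3))
            continue
        m = re.match(r"Packets outside replay window: (\d+), Replay: (\d+), Integrity failed: (\d+)", line)
        if m:
            sa["outside_window"], sa["replay"], sa["integrity_failed"] = map(int, m.groups())
            continue
        m = re.match(r"Current (bytes|packets): (\d+)", line)
        if m:
            sa["current_" + m.group(1)] = int(m.group(2))
    return conn


def audit(conn: Dict) -> List[str]:
    """Return human-readable findings; an empty list means the connection looks healthy."""
    findings: List[str] = []
    name = conn["name"]
    if conn["state"] != "established":
        findings.append(f"{name}: state is {conn['state']}, tunnel is not carrying traffic")
    inbound = conn["sas"].get("inbound", {})
    if inbound.get("integrity_failed", 0) > 0:
        findings.append(f"{name}: {inbound['integrity_failed']} inbound packets failed integrity check")
    if inbound.get("replay", 0) > 0:
        findings.append(f"{name}: {inbound['replay']} replayed inbound packets dropped")
    if inbound.get("replay_window") == 0:
        findings.append(f"{name}: inbound SA has no replay window, anti-replay is off")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_GOOD, SAMPLE_BAD):
        print(audit(parse_connection_detail(sample)) or ["healthy"])
```

Run it periodically against the output of the detail command for each Tunnel12-connN and alert on any non-empty result; a rising integrity-failed counter across rekeys is worth treating as a security event rather than a tuning problem.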