
Add IPsec module to OpenConfig

Open thatnealpatel opened this issue 3 years ago • 0 comments

IPsec for OpenConfig YANG

I am opening this issue to discuss and track my progress on bringing the following module to fruition.

Goals

  • Introduce a new module to OpenConfig which supports the general use-case of establishing cloud-based IPsec VPN connections

Non-goals

  • Support bespoke configurations for point-to-point IPsec VPN
  • Support Client VPN use-cases

Background

All cloud-based VPNs have similar set-up procedures with regard to configuration. These steps are largely documented on a cloud provider's website and exist as CLI text. However, bringing up an IPsec VPN connection involves the same components regardless of provider:

  • Configuring interfaces for internal/external facing networks
  • Configuring IKE Phase 1 and Phase 2
  • Configuring tunnel interfaces [out of scope, optional for IPsec deployments]
  • Configuring dynamic routing protocols (BGP)

Open Questions

  1. In the most general cases, tunnels are bound to interfaces and then given a BGP address from which to receive routes. How intertwined are BGP+IPsec deployments? What does an integration between bgp and ipsec YANG models look like?

thatnealpatel, Jun 15 '22 19:06