|
XFRM interfaces are similar to VTI devices in their basic functionality but
offer several advantages:
* No tunnel endpoint addresses have to be configured on the interfaces.
Compared to VTIs, which are layer 3 tunnel devices with mandatory endpoints,
this resolves issues with wildcard addresses (only one VTI with wildcard
endpoints is supported), avoids a 1:1 mapping between SAs and interfaces, and
easily allows SAs with multiple peers to share the same interface.
* Because there are no endpoint addresses, IPv4 and IPv6 SAs are supported on
the same interface (VTI devices only support one address family).
* IPsec modes other than tunnel are supported (VTI devices only support
tunnel mode).
* No awkward configuration via GRE keys and XFRM marks. Instead, a new identifier
(XFRM interface ID) links policies and SAs with XFRM interfaces.
|
