08-18-2021 04:35 AM
Hi all,
I have a question regarding configuring a vEdge as a vBond...
I was following this Cisco Live document on how to create a SDWAN home lab
https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/LTRRST-2734-LG.pdf
On page 27 it says you have to specify encapsulation ipsec on the tunnel interface of the vBond (and only for the vBond, neither for the vSmarts nor for the vManage)
My understanding is that the vBond only creates permanent DTLS tunnels with the vSmart and vManage and temporary DTLS tunnels with Wan Edge routers for discovery and authentication purposes. So at no point does the vBond need an IPSec encapsulation in its tunnel interface since it will never use IPSec.
So what's the point of the ipsec encapsulation configuration under the tunnel interface?
Thanks
SB
08-19-2021 02:55 AM
Hi,
vbond is natively a vedge-cloud device. In most networks a dedicated vbond is created (without vedge functionality) by configuring "vbond only". But in any case, since it is natively a router, the operating system requires the "encapsulation" command under tunnel-interface.
In reality it has no meaning or effect, because a vbond-only device does not create an ipsec or gre tunnel with any device.
HTH,
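As an added illustration (not from the original thread or the Cisco Live lab guide), a minimal VPN 0 stanza for a vBond-only device placed beside the equivalent vSmart stanza, so the difference described above is visible: only the vBond, being a vEdge underneath, carries `encapsulation ipsec` under `tunnel-interface`. Hostnames, IP addresses, site IDs and the organization name are assumed placeholders.

```cisco
! ---- vBond (vEdge-cloud image running in vbond-only mode) ----
system
 host-name       vbond-lab
 system-ip       10.255.0.3
 site-id         100
 organization-name "lab-org-placeholder"
 vbond 192.0.2.3 local vbond-only
!
vpn 0
 interface ge0/0
  ip address 192.0.2.3/24
  tunnel-interface
   encapsulation ipsec
   allow-service all
  !
  no shutdown
 !
 ip route 0.0.0.0/0 192.0.2.1
!

! ---- vSmart (controller image; no encapsulation keyword exists here) ----
system
 host-name       vsmart-lab
 system-ip       10.255.0.2
 site-id         100
 organization-name "lab-org-placeholder"
 vbond 192.0.2.3
!
vpn 0
 interface eth0
  ip address 192.0.2.2/24
  tunnel-interface
   allow-service all
  !
  no shutdown
 !
 ip route 0.0.0.0/0 192.0.2.1
!
```

On the vBond the `encapsulation ipsec` line is required by the vEdge parser for the commit to succeed, but with `vbond-only` set no IPsec or GRE data tunnel is ever built; `allow-service all` is used here only for lab convenience and would be narrowed in production.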
08-19-2021 03:06 AM
Hi Kanan,
Thanks for your answer.
This is what I was thinking, but I didn't get an "official" answer.
Regards
SB
08-18-2021 11:59 AM
08-18-2021 11:02 PM - edited 08-18-2021 11:03 PM
Hi Svemulap,
Thanks for your answer.
However, I'm not talking about the "tunnel-interface" command under VPN0.
The "tunnel-interface" command is needed:
- On vBond, vSmart and vManage for them to be able to create control connections over DTLS/TLS to other controllers or to WAN Edge devices.
- On the WAN edge devices to setup control connections over DTLS/TLS to vBond, vSmart and vManage, and to setup data connections over IPsec to other WAN Edges.
My question is:
When we configure the tunnel interface on vManage and vSmart, we don't add the encapsulation ipsec command, which makes perfect sense since vManage and vSmart never set up ipsec tunnels to any other devices in the Fabric, only DTLS/TLS tunnels. So why on earth do we need to add it under the tunnel-interface configuration in the vBond, which also never sets up ipsec tunnels to any other devices in the Fabric?
I hope my question is now clearer.
Now, is it because the vBond is actually a vEdge cloud router configured as a vBond? And because it is initially a vEdge, is it thus mandatory for the encapsulation type to be mentioned under the tunnel-interface configuration, even though it will not be used irl?
If someone can clear it up for me, I would be grateful.
Thanks and best regards
SB
10-14-2021 08:41 AM
Hi,
Can you please explain why we need to configure a tunnel interface to communicate between vManage, vBond and vSmart? If we have DTLS connections between them, can't we use the physical interface?