Ali, et al,

One of the requirements you stated in the document is (under section 2.3):

   "1) Per pair of PEs: A single IPsec tunnel between a pair of PEs to be used 
for all tenants' traffic supported by the pair of PEs."

Assuming that the solution is intended for SD-WAN, the SD-WAN edge nodes 
usually have some ports connected to a trusted domain (e.g. an MPLS network) 
which do not need an IPsec tunnel, and some ports connected to an untrusted 
domain (e.g. the Internet) which do need an IPsec tunnel. Therefore, for a 
PE-based IPsec tunnel, it is necessary to associate the WAN ports (facing the 
untrusted domain) with the IPsec 

Actually, even for other granularities of IPsec tunnels (such as per tenant, 
per subnet, or per IP), it is necessary to associate them with the WAN ports 
as well, because the trusted domain does not need an IPsec SA.

Linda Dunbar
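The following is an added illustration of the point made in the message above; it is not part of Linda's e-mail or of the draft under discussion, and the PE names, interface names, tenant names and subnets are constructed sample data. It models an SD-WAN edge whose WAN ports are tagged as facing a trusted domain (MPLS) or an untrusted domain (Internet), and derives the IPsec SAs needed between every pair of PEs at three granularities (per PE pair, per tenant, per subnet). The granularity only changes the traffic selectors; in every case the SAs are bound exclusively to the untrusted-facing ports, and the trusted-facing ports get no SA at all.

```python
"""Which IPsec SAs an SD-WAN edge (PE) needs, given that only WAN ports facing
an untrusted domain (e.g. the Internet) need IPsec while ports facing a trusted
domain (e.g. MPLS) do not.  Illustrative model with constructed sample data."""

from dataclasses import dataclass
from ipaddress import ip_network
from itertools import combinations


@dataclass(frozen=True)
class WanPort:
    pe: str         # PE / SD-WAN edge node this port belongs to
    name: str       # interface name on that PE
    trusted: bool   # True: faces a trusted domain (MPLS); False: untrusted (Internet)


@dataclass(frozen=True)
class Tenant:
    name: str
    subnets: tuple  # CIDR strings belonging to this tenant


@dataclass(frozen=True)
class IpsecSa:
    local_pe: str
    local_port: str
    remote_pe: str
    remote_port: str
    selector: str   # traffic selector: "all-tenants", "tenant:<name>" or "subnet:<cidr>"


GRANULARITIES = ("per-pe-pair", "per-tenant", "per-subnet")


def untrusted_ports(ports, pe):
    """Only ports facing the untrusted domain are candidate IPsec endpoints."""
    return [p for p in ports if p.pe == pe and not p.trusted]


def selectors(tenants, granularity):
    """Traffic selectors carried by each tunnel, depending on granularity."""
    if granularity == "per-pe-pair":
        return ["all-tenants"]  # a single SA carries every tenant's traffic
    if granularity == "per-tenant":
        return [f"tenant:{t.name}" for t in tenants]
    if granularity == "per-subnet":
        return [f"subnet:{ip_network(s)}" for t in tenants for s in t.subnets]
    raise ValueError(f"unknown granularity {granularity!r}")


def required_sas(ports, tenants, granularity):
    """Derive the SAs needed between every pair of PEs.

    Granularity changes only the selectors; the ports an SA can be bound to
    are always the untrusted-facing WAN ports, never the trusted (MPLS) ones.
    """
    pes = sorted({p.pe for p in ports})
    sas = []
    for a, b in combinations(pes, 2):
        for pa in untrusted_ports(ports, a):
            for pb in untrusted_ports(ports, b):
                for sel in selectors(tenants, granularity):
                    sas.append(IpsecSa(a, pa.name, b, pb.name, sel))
    return sas


def ports_bound_to_sas(sas):
    """Set of (pe, port) pairs that appear as an SA endpoint."""
    bound = set()
    for sa in sas:
        bound.add((sa.local_pe, sa.local_port))
        bound.add((sa.remote_pe, sa.remote_port))
    return bound


# Constructed sample topology (hypothetical names): three PEs, each with one
# MPLS-facing port (trusted) and one Internet-facing port (untrusted).
SAMPLE_PORTS = [
    WanPort("PE1", "ge-0/0/0", trusted=True), WanPort("PE1", "ge-0/0/1", trusted=False),
    WanPort("PE2", "ge-0/0/0", trusted=True), WanPort("PE2", "ge-0/0/1", trusted=False),
    WanPort("PE3", "ge-0/0/0", trusted=True), WanPort("PE3", "ge-0/0/1", trusted=False),
]
SAMPLE_TENANTS = [
    Tenant("tenantA", ("10.1.0.0/24", "10.1.1.0/24")),
    Tenant("tenantB", ("10.2.0.0/24",)),
]


if __name__ == "__main__":
    for g in GRANULARITIES:
        sas = required_sas(SAMPLE_PORTS, SAMPLE_TENANTS, g)
        print(f"{g:12s}: {len(sas)} SAs, bound ports {sorted(ports_bound_to_sas(sas))}")
```

With the sample topology the three granularities yield 3, 6 and 9 SAs respectively (one, two and three selectors per PE pair), and in every case the only bound ports are the three Internet-facing ge-0/0/1 interfaces; the MPLS-facing ports never appear as an endpoint.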

