openswan or other site-to-site ipsec vpn

Question, updated 1 year ago
I'd like to set up a site-to-site VPN on the Cumulus boxes... but I guess that's not supported? Why not?
Sean Abbott, posted 2 years ago
Sean Cavanaugh, Alum
The commodity ASICs (Broadcom Trident 2, Mellanox Spectrum, etc.) don't support IPsec in hardware, so it's a 'non-supported option'. Cumulus Linux is Linux, so you can go ahead and configure whatever you want, but it's going to be CPU punted. You would need to get your own gear and set up a POC for your use case to see if the particular switch you want to buy can support the use case you want to perform. Typically people are not using single-RU switches for site-to-site VPN (our market is data center ToR and spine switches). That being said, some customers have used VPN setups for OBM management. I have not seen it used much outside of OBM connectivity for in-band setups...
Michael Gibbs
Was this ever successfully done? I have tried strongSwan, but it doesn't look like Cumulus OS will allow it to insert routes via table 220.