openswan or other site-to-site ipsec vpn

  • 6 July 2016
  • 2 replies

I'd like to set up a site-to-site VPN on the Cumulus boxes... but I guess that's not supported? Why not?

2 replies

The commodity ASICs (Broadcom Trident 2, Mellanox Spectrum, etc.) don't support IPsec in hardware, so it's a 'non-supported option'. Cumulus Linux is Linux, so you can go ahead and configure whatever you want, but it's going to be CPU-punted. You would need to get your own gear and set up a POC for your use case to see if the particular switch you want to buy can support the use case you want to perform. Typically people are not using single-RU switches for site-to-site VPN (our market is data center ToR and spine switches). That being said, some customers have used VPN setups for OBM management. I have not seen it used much outside of OBM connectivity for in-band setups...
Was this ever successfully done? I have tried strongSwan, but it doesn't look like Cumulus OS will allow it to insert routes via table 220.
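The symptom in the last reply (strongSwan's charon unable to populate routing table 220) can be narrowed down from two commands on the switch: `ip rule show` tells you whether the policy-routing rule that sends traffic to table 220 exists, and `ip route show table 220` tells you whether any routes actually landed there. The script below, an added example that is not from this thread nor from Cumulus or strongSwan, parses both outputs and classifies the state. The sample `ip rule` and `ip route` lines, the interface name `swp1`, and the prefixes are constructed for the example; on a real box you would feed it the live command output instead.

```python
import re
from typing import Dict, List

# Constructed sample output of `ip rule show` from a Linux host where
# strongSwan's charon has added its policy-routing rule for table 220.
# (Sample data written for this example, not captured from a Cumulus switch.)
SAMPLE_IP_RULE = (
    "0:\tfrom all lookup local\n"
    "220:\tfrom all lookup 220\n"
    "32766:\tfrom all lookup main\n"
    "32767:\tfrom all lookup default\n"
)

# Constructed sample output of `ip route show table 220` on the same host;
# the prefixes and the interface name swp1 are placeholders.
SAMPLE_IP_ROUTE_220 = (
    "10.20.0.0/16 via 192.0.2.1 dev swp1 proto static src 10.10.0.1\n"
)

# One `ip rule` line: "<prio>:\t<selector> lookup <table>"
RULE_RE = re.compile(r"^(?P<prio>\d+):\s+(?P<selector>.*?)\s+lookup\s+(?P<table>\S+)\s*$")


def rules_for_table(ip_rule_output: str, table: int = 220) -> List[Dict[str, str]]:
    """Return the `ip rule` entries whose lookup target is the given table."""
    found = []
    for line in ip_rule_output.splitlines():
        m = RULE_RE.match(line.strip())
        if m and m.group("table") == str(table):
            found.append(m.groupdict())
    return found


def parse_routes(ip_route_output: str) -> List[Dict[str, str]]:
    """Parse `ip route show table N` output. The first token is the
    destination prefix; the rest are ip(8) keyword/value pairs
    (via, dev, proto, src, ...)."""
    routes = []
    for line in ip_route_output.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        route = {"dst": tokens[0]}
        for key, value in zip(tokens[1::2], tokens[2::2]):
            route[key] = value
        routes.append(route)
    return routes


def diagnose(ip_rule_output: str, ip_route_output: str, table: int = 220) -> str:
    """Classify how far strongSwan's route installation got."""
    rules = rules_for_table(ip_rule_output, table)
    routes = parse_routes(ip_route_output)
    if not rules and not routes:
        return "not-installed"       # charon installed nothing at all
    if rules and not routes:
        return "rule-only"           # rule exists, route insertion was rejected
    if routes and not rules:
        return "routes-unreachable"  # table populated, but nothing directs traffic to it
    return "installed"               # rule and routes both present


if __name__ == "__main__":
    # Stand-alone run against the constructed samples.
    print(diagnose(SAMPLE_IP_RULE, SAMPLE_IP_ROUTE_220))
```

If the result is `rule-only`, the kernel accepted charon's `ip rule` but refused the route, which is the situation the reply describes. strongSwan's `charon.install_routes` setting in strongswan.conf turns off table-220 route installation entirely, after which the routes toward the remote site have to be maintained as ordinary static routes in the main table, where the switch's normal routing management can see them.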