
Understanding Traffic Selectors in Route-Based VPNs

A traffic selector (also known as a proxy ID in IKEv1) is an agreement between IKE peers to permit traffic through a tunnel if the traffic matches a specified pair of local and remote addresses. With this feature, you can define multiple traffic selectors within a specific route-based VPN, resulting in a unique Phase 2 IPsec security association (SA) for each traffic selector configured. Only traffic that conforms to a traffic selector is permitted through the associated SA.

In Figure 1, subnetworks 10.1.1.0/24 and 10.1.2.0/24 are behind device A while subnetworks 20.1.1.0/24 and 20.1.2.0/24 are behind device B.

Figure 1: Traffic Selector Example (diagram not reproduced here)

For traffic to flow from a subnetwork behind device A to a subnetwork behind device B, four traffic selectors are configured on device A. For each traffic selector, different tunnels and Phase 2 SAs are allocated as shown in Table 1:

Table 1: Example Traffic Selector Pairs

  Local Address    Remote Address    Tunnel    Phase 2 SA
  10.1.1.0/24      20.1.1.0/24       1         1
  10.1.1.0/24      20.1.2.0/24       2         2
  10.1.2.0/24      20.1.1.0/24       3         3
  10.1.2.0/24      20.1.2.0/24       4         4

For a given traffic selector, only a single address or subnetwork can be specified for the local and remote addresses. Traffic selectors can be configured with IPv4 or IPv6 addresses. Address books cannot be used to specify local or remote addresses.

Multiple traffic selectors can be configured for the same VPN. A maximum of 200 traffic selectors can be configured for each VPN. Traffic selectors can be used with IPv4-in-IPv4, IPv4-in-IPv6, IPv6-in-IPv6, or IPv6-in-IPv4 tunnel modes. Traffic selectors are supported with IKEv1 only.

Traffic selectors configured in VPN peers must exactly match local and remote IP subnetworks. For example, the local and remote IP addresses specified for a traffic selector on device A must exactly match the remote and local IP addresses specified for a traffic selector on peer device B.
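The two rules above (a flow is admitted only by the SA whose selector it matches, and the peer's selectors must be the exact mirror of ours) can be checked offline before a change is committed. The following Python model is an added example, not Juniper code and not taken from this page: device A's selectors are copied from Table 1, while device B's mirrored configuration and the deliberately mismatched "summarised" configuration are constructed here for illustration.

```python
import ipaddress
from typing import Optional

# Device A's traffic selectors, copied from Table 1 on this page as
# (local address, remote address). List position = tunnel / Phase 2 SA number.
DEVICE_A_SELECTORS = [
    ("10.1.1.0/24", "20.1.1.0/24"),
    ("10.1.1.0/24", "20.1.2.0/24"),
    ("10.1.2.0/24", "20.1.1.0/24"),
    ("10.1.2.0/24", "20.1.2.0/24"),
]

# Constructed peer configuration for device B: each pair is device A's pair
# with local and remote swapped, which is what the page requires.
DEVICE_B_SELECTORS = [(remote, local) for local, remote in DEVICE_A_SELECTORS]

# Constructed broken peer configuration: device B summarises the far side
# into one /16, so its selectors no longer mirror device A's one for one.
DEVICE_B_MISMATCHED = [
    ("20.1.1.0/24", "10.1.0.0/16"),
    ("20.1.2.0/24", "10.1.0.0/16"),
]


def parse_selectors(pairs):
    """Convert (local, remote) prefix strings into ip_network pairs."""
    return [
        (ipaddress.ip_network(local, strict=True), ipaddress.ip_network(remote, strict=True))
        for local, remote in pairs
    ]


def select_sa(selectors, src: str, dst: str) -> Optional[int]:
    """Return the 1-based Phase 2 SA number whose traffic selector admits a
    flow from src to dst, or None if no selector matches: such a flow is not
    permitted through any of this VPN's SAs."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for sa_number, (local, remote) in enumerate(selectors, start=1):
        # ip_network membership is False across address families, so an
        # IPv6 source never matches an IPv4 selector.
        if src_ip in local and dst_ip in remote:
            return sa_number
    return None


def peers_match(ours, theirs) -> bool:
    """Peer-consistency check: every (local, remote) pair on this device must
    appear as exactly (remote, local) on the peer, with nothing extra on
    either side. A supernet or a missing pair on one side fails the check."""
    mirrored = {(str(local), str(remote)) for local, remote in ours}
    peer = {(str(remote), str(local)) for local, remote in theirs}
    return mirrored == peer


if __name__ == "__main__":
    a = parse_selectors(DEVICE_A_SELECTORS)
    for src, dst in [("10.1.1.7", "20.1.2.9"), ("10.1.2.7", "20.1.1.9"), ("10.1.3.7", "20.1.1.9")]:
        print(f"{src} -> {dst}: SA {select_sa(a, src, dst)}")
    print("device B mirrors A:", peers_match(a, parse_selectors(DEVICE_B_SELECTORS)))
    print("summarised B mirrors A:", peers_match(a, parse_selectors(DEVICE_B_MISMATCHED)))
```

The mismatch case is the one that bites in practice: a peer that summarises 10.1.1.0/24 and 10.1.2.0/24 into 10.1.0.0/16 looks equivalent on a whiteboard, but the Phase 2 negotiation will not produce the one-to-one SAs of Table 1.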

When traffic selectors are configured, static routes are automatically added during configuration processing or when traffic selectors are negotiated; this process is known as reverse route insertion (RRI). These routes might conflict with those that are populated through routing protocols. We recommend that you do not configure routing protocols on st0 interfaces that are bound to VPNs where traffic selectors are configured.

When a traffic selector is deleted, all corresponding IPsec SAs, routes, and tunnel sessions are cleared. This might affect traffic passing through these tunnels.

When a traffic selector is modified, deleted, or added, traffic selectors that follow it in the configuration are affected. The tunnels, SAs, and routes are cleared and reinstalled. Traffic selectors that precede the new or modified traffic selector in the configuration are unaffected.

For example, three traffic selectors are configured for the same VPN in the following order:

  1. ts-red
  2. ts-blue
  3. ts-green

If you modify the local or remote IP address in ts-blue, the tunnels, SAs, and routes for ts-blue and ts-green are cleared; the tunnel, SA, and route associated with ts-red are not affected. If you delete ts-blue, the tunnel, SA, and route associated with ts-green are cleared; the tunnel, SA, and route associated with ts-red are not affected. If ts-white is inserted after ts-blue, the tunnels, SAs, and routes associated with ts-white and ts-green are cleared; the tunnels, SAs, and routes associated with ts-red and ts-blue are not affected.
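The position-dependent clearing rule decides how much traffic a change will interrupt, so it is worth computing before a commit. The following Python function is an added example, not Juniper code, that models the rule exactly as the page states it; the four selector names come from the page, the subnets from Table 1, and the changed remote-ip value for ts-blue is a constructed placeholder.

```python
from typing import List, Tuple

# A traffic selector as (name, local-ip, remote-ip); the list order is the
# configuration order, which is what decides the blast radius of a change.
Selector = Tuple[str, str, str]


def change_impact(before: List[Selector], after: List[Selector]):
    """Find the first configuration position at which the old and new
    selector lists differ. Selectors before it keep their tunnel, SA and
    route; every old selector from that position on is cleared, and every
    new selector from that position on is (re)installed.
    Returns (unaffected, cleared, reinstalled) as lists of selector names."""
    first_change = 0
    while (first_change < len(before) and first_change < len(after)
           and before[first_change] == after[first_change]):
        first_change += 1
    unaffected = [name for name, _, _ in before[:first_change]]
    cleared = [name for name, _, _ in before[first_change:]]
    reinstalled = [name for name, _, _ in after[first_change:]]
    return unaffected, cleared, reinstalled


# Constructed starting configuration using the page's selector names;
# the subnets are taken from Table 1.
TS_RED = ("ts-red", "10.1.1.0/24", "20.1.1.0/24")
TS_BLUE = ("ts-blue", "10.1.1.0/24", "20.1.2.0/24")
TS_GREEN = ("ts-green", "10.1.2.0/24", "20.1.1.0/24")
TS_WHITE = ("ts-white", "10.1.2.0/24", "20.1.2.0/24")
BASE = [TS_RED, TS_BLUE, TS_GREEN]


def modify_blue():
    """Change ts-blue's remote-ip to a constructed new value."""
    return change_impact(BASE, [TS_RED, ("ts-blue", "10.1.1.0/24", "20.1.3.0/24"), TS_GREEN])


def delete_blue():
    return change_impact(BASE, [TS_RED, TS_GREEN])


def insert_white_after_blue():
    return change_impact(BASE, [TS_RED, TS_BLUE, TS_WHITE, TS_GREEN])


def append_white():
    """Adding at the end of the list disturbs nothing already installed."""
    return change_impact(BASE, BASE + [TS_WHITE])


if __name__ == "__main__":
    for label, fn in [("modify ts-blue", modify_blue), ("delete ts-blue", delete_blue),
                      ("insert ts-white after ts-blue", insert_white_after_blue),
                      ("append ts-white", append_white)]:
        unaffected, cleared, reinstalled = fn()
        print(f"{label}: unaffected={unaffected} cleared={cleared} reinstalled={reinstalled}")
```

The append case is the practical takeaway: a new selector added at the end of the list leaves every existing tunnel alone, whereas the same selector inserted in the middle clears everything after it.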

Traffic selectors cannot be configured with the following features:

  • Policy-based VPNs
  • Group or shared IKE IDs
  • IKE version 2
  • Point-to-multipoint secure tunnel (st0) interfaces
  • VPNs on which VPN monitoring is configured
  • Different address families configured for the local and remote IP addresses
  • VPNs configured with proxy identity values used in negotiation
  • Remote address value 0.0.0.0/0 (IPv4) or 0::0 (IPv6)

To configure a traffic selector, use the traffic-selector configuration statement at the [edit security ipsec vpn vpn-name] hierarchy level. The traffic selector is defined with the mandatory local-ip ip-address and remote-ip ip-address statements. The CLI operational command show security ipsec security-association detail displays traffic selector information for SAs. The show security ipsec security-association traffic-selector traffic-selector-name CLI command displays information for a specified traffic selector.
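A pre-commit check that enforces the restrictions listed above (one IPv4 or IPv6 address or subnet per side, the same address family on both sides, no 0.0.0.0/0 or 0::0 remote address, at most 200 selectors per VPN) and then renders the traffic-selector, local-ip and remote-ip statements as set commands is shown below. This is an added example, not Juniper code: the set-command layout is derived from the hierarchy and statement names the page gives, the VPN name vpn-a is a placeholder, and the sample selectors are constructed.

```python
import ipaddress
from typing import List, Tuple

MAX_SELECTORS_PER_VPN = 200  # limit stated on this page

# A traffic selector as (name, local-ip, remote-ip).
Selector = Tuple[str, str, str]


def validate_selectors(selectors: List[Selector]) -> List[str]:
    """Return a list of problems for the given selectors; an empty list means
    every restriction the page lists is satisfied."""
    problems = []
    if len(selectors) > MAX_SELECTORS_PER_VPN:
        problems.append(
            f"{len(selectors)} traffic selectors exceed the limit of "
            f"{MAX_SELECTORS_PER_VPN} per VPN")
    for name, local, remote in selectors:
        try:
            # strict=True rejects a prefix with host bits set, so the operator
            # states the subnet (or a single host address) unambiguously.
            local_net = ipaddress.ip_network(local, strict=True)
            remote_net = ipaddress.ip_network(remote, strict=True)
        except ValueError as exc:
            problems.append(f"{name}: not a single IPv4/IPv6 address or subnet ({exc})")
            continue
        if local_net.version != remote_net.version:
            problems.append(f"{name}: local-ip and remote-ip must use the same address family")
        if remote_net.prefixlen == 0:
            problems.append(f"{name}: remote-ip {remote} (0.0.0.0/0 or 0::0) is not allowed")
    return problems


def junos_set_commands(vpn_name: str, selectors: List[Selector]) -> List[str]:
    """Render each selector as set commands under
    [edit security ipsec vpn vpn-name], using the statement names the page gives."""
    lines = []
    for name, local, remote in selectors:
        base = f"set security ipsec vpn {vpn_name} traffic-selector {name}"
        lines.append(f"{base} local-ip {local}")
        lines.append(f"{base} remote-ip {remote}")
    return lines


# Constructed sample input: two acceptable selectors (subnets from Table 1).
GOOD = [
    ("ts-red", "10.1.1.0/24", "20.1.1.0/24"),
    ("ts-blue", "10.1.1.0/24", "20.1.2.0/24"),
]

# Constructed sample input that violates one restriction each.
BAD = [
    ("ts-mixed", "10.1.1.0/24", "2001:db8::/64"),   # mixed address families
    ("ts-any", "10.1.1.0/24", "0.0.0.0/0"),         # catch-all remote address
    ("ts-any6", "2001:db8::/64", "::/0"),           # IPv6 catch-all remote address
    ("ts-host", "10.1.1.5/24", "20.1.1.0/24"),      # host bits set in the prefix
]


if __name__ == "__main__":
    for problem in validate_selectors(BAD):
        print("problem:", problem)
    if not validate_selectors(GOOD):
        print("\n".join(junos_set_commands("vpn-a", GOOD)))
```

Run the validator before generating commands; with the GOOD set it emits four set lines (local-ip and remote-ip for each selector) and with the BAD set it reports one problem per selector.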

Modified: 2016-07-06