Configuring a Tunnel Interface

A tunnel interface is a doorway to a VPN tunnel. VPN traffic enters and exits a VPN tunnel through a tunnel interface. When you bind a tunnel interface to a VPN tunnel, you can use that tunnel interface to route VPN traffic to a specific destination.

Note: VPN Manager automatically creates the necessary tunnel interfaces for route-based VPNs. The user can set DSCP marking value for the interface. Only Route and Policy and Route-based types support DSCP marking. For device-level VPNs, you can create the tunnel interfaces before or after creating the VPN.

When creating a route-based VPNs you must create a tunnel interface to enable the security device to route VPN traffic. You can bind a route-based VPN tunnel to a tunnel interface that is either numbered (with IP address/netmask) or unnumbered (without IP address/netmask).

Using Numbered Tunnel Interfaces

When the tunnel interface is numbered, you must give the interface an IP address and bind the tunnel interface to a tunnel zone. Using numbered tunnel interfaces enables you to use NAT services for policy-based VPN tunnels. Assign an IP address to a tunnel interface if you want the interface to support one or more dynamic IP (DIP) pools for source Network Address Translation (NAT-src) and mapped IP (MIP) addresses for destination Network Address Translation (NAT-dst).

You can create a numbered tunnel interface in a security zone or a tunnel zone.

Using Unnumbered Tunnel Interfaces

When the tunnel interface is unnumbered, you must specify the interface from which the tunnel interface borrows an IP address. The security device uses the borrowed IP address as a source address when the device itself initiates traffic—such as OSPF messages—through the tunnel. Use unnumbered tunnel interfaces when the tunnel interface does not need to support NAT services, and your configuration does not require the tunnel interface to be bound to a tunnel zone.

You can create an unnumbered tunnel interface that borrows the IP address from an interface in the same security zone or from an interface in a different zone, as long as both zones are in the same routing domain. However, you cannot bind the tunnel interface to a tunnel zone.

Configuring Maximum Transmission Unit Size

The MTU size option is only supported by some security devices. As packets traverse different networks, a networking component sometimes needs to break a packet into smaller pieces (fragments) based upon the maximum transmission unit (MTU) of each network. The networking component for the destination network must then reassemble the received fragments into a packet. Because fragmentation and reassembly can impact network performance, you might want to fragment a packet destined for a VPN tunnel as it passes through the tunnel interface (before the packet is encrypted and/or encapsulated).

For devices running ScreenOS 5.1 and later, you can define an MTU size that controls the size of packets sent through the tunnel. When the tunnel interface receives the packet, it breaks the packet into fragments based on the specified MTU size, encrypts and/or encapsulates each fragment, and then sends the traffic through the tunnel. As these packets (fragments) pass through other networks, they might be small enough that networking components do not need to perform further fragmentation—which reduces the network load and can decrease the time it takes to send VPN traffic. The receiving networking component (security device or external device) must still reassemble the fragments as they exit the other end of the VPN tunnel.

To configure an MTU size for a tunnel interface, in the tunnel interface navigation tree, select Advanced Properties and enter a value for MTU Size. By default, the size is set to none (the interface does fragment packets entering a VPN tunnel). The acceptable range is from 800 to 1500.

Related Documentation