Fabric IPsec Gateway Fundamentals

The Fabric IPsec Gateway feature introduces a Virtual Machine (VM) that supports aggregation of Fabric Extend Tunnels with fragmentation, reassembly, and Internet Protocol Security (IPsec) encryption functions.

The minimum configuration requirements for the Fabric IPsec Gateway VM are as follows:

To configure IPsec on a switch through the Fabric IPsec Gateway VM, see Fabric IPsec Gateway Configuration using CLI.

Fabric IPsec Gateway supports the following services through the VM:

IPsec Coupled and Decoupled Mode

A device is in IPsec decoupled mode when IPsec termination and Fabric Extend (FE) termination take place on two different IP addresses. A device is in IPsec coupled mode when IPsec termination and FE termination take place on the same IP address.

The XA1400 Series devices, which use VOSS for Fabric Extend over IPsec, support both IPsec decoupled and coupled modes. The VSP 4900 Series and VSP 7400 Series devices, which use Fabric IPsec Gateway for Fabric Extend over IPsec, support IPsec in decoupled mode only. You must configure the IPsec tunnel in decoupled mode to enable IPsec termination in the Fabric IPsec Gateway VM. For more information about how to configure IPsec tunnels on the VM, see Configure IPsec Tunnels on Fabric IPsec Gateway VM.