Branch-to-Branch IPsec Tunnel in Versa SD-WAN
In Versa SD-WAN, each Versa-OS (VOS)-based SD-WAN node can support up to 16 WAN circuits. Two SD-WAN nodes can be connected via zero or more underlay transport networks. Even when two devices are connected by multiple underlay transports, all underlay transports share a single security association per tenant.
For example, SD-WAN node1 and SD-WAN node2 may be connected via Broadband, Provider1 MPLS, Provider2 MPLS, and a point-to-point link. All four underlay transports share a single security association per tenant. Based on the tenant’s SD-WAN steering rules, all underlay transports can be used simultaneously.
In addition:
- For a single flow (F1), original packets may be sent over Broadband, a replica over Provider1 MPLS, and FEC over Provider2 MPLS.
- For a different high-bandwidth flow (F2), where a single underlay cannot satisfy bandwidth requirements, packets may be distributed across Broadband, Provider1 MPLS, Provider2 MPLS, and a point-to-point link for load balancing.
BGP MPLS VPN Network
Versa SD-WAN is based on IETF’s BGP/MPLS VPN and Ethernet/MAC EVPN. These technologies, ratified by the IETF, serve more than 98 percent of service provider networks worldwide. They are highly scalable and have successfully supported the global internet.
To understand how a single security association is set up, consider a typical BGP/MPLS VPN network as shown in Figure 1.
a. PE1 and PE2 are two Provider Edge (PE) routers.
b. PE1 has two physical interfaces facing the MPLS core with IP addresses 192.168.1.1/24 and 192.168.2.1/24. PE1 also has a loopback interface with address 10.1.1.1 in the same control virtual router that runs MP-BGP.
c. PE2 has two physical interfaces facing the MPLS core with IP addresses 192.168.3.5/24 and 192.168.4.5/24. PE2 also has a loopback interface with address 10.5.5.5 in the same control virtual router that runs MP-BGP.
d. P1 through P4 are Provider (P) routers.

Figure 1: Typical BGP MPLS VPN Network
Let us assume that the PE routers use IPsec-based tunnels to carry data traffic. There are two possible approaches:
- Set up a full mesh of four IPsec tunnels between PE1 and PE2 using their physical interfaces, as shown in Figure 2:
a. 192.168.1.1 <-> 192.168.3.5
b. 192.168.1.1 <-> 192.168.4.5
c. 192.168.2.1 <-> 192.168.3.5
d. 192.168.2.1 <-> 192.168.4.5
- Set up a single IPsec tunnel between PE1 and PE2 using their loopback interfaces (10.1.1.1 on PE1 and 10.5.5.5 on PE2), as shown in Figure 3. Reachability to these loopbacks is then advertised through the physical or logical interfaces (192.168.1.1 and 192.168.2.1 on PE1; 192.168.3.5 and 192.168.4.5 on PE2).

Figure 2: BGP MPLS VPN Network with IPsec Tunnels, which are set up between physical interfaces

Figure 3: BGP MPLS VPN Network with IPsec Tunnels, which are set up between Loopback interfaces
SD-WAN Network
Figure 4 shows a typical SD-WAN intra-network with two SD-WAN Nodes (PE1 and PE2) and two underlay transports: Broadband and MPLS.
- PE1 is connected to the broadband network using a physical interface that is in a broadband-transport virtual router, with the address 17.1.1.1/24. PE1 is also connected to an MPLS network via a physical interface in the MPLS-transport virtual router, with the address 192.168.2.1/24.
- Similarly, PE2 is connected to the broadband network using a physical interface in a broadband-transport virtual router, with the address 27.2.2.2/24. PE2 is also connected to an MPLS network via a physical interface in the MPLS-transport virtual router, with the address 192.168.4.5/24.
To support a typical SD-WAN deployment, where different access circuits belong to different unrelated transports, Versa creates and uses two loopback addresses in a Control Virtual Router of an SD-WAN node (e.g., PE1) for the following purposes:
a. One loopback address is used to set up an IKE-based IPsec tunnel with the SD-WAN controller. Once the IKE-based IPsec tunnel is established, the second loopback address (10.1.1.1 on PE1 and 10.5.5.5 on PE2, as shown in Figure 5) is used to run MP-BGP within this IPsec tunnel with the SD-WAN controller.
b. The SD-WAN node (PE1) announces SD-WAN-specific information (its own Diffie-Hellman half key) in MP-BGP. The SD-WAN controller reflects this information to all other SD-WAN nodes, such as PE2.
c. Once PE1 and PE2 learn each other’s Diffie-Hellman half keys, they compute a shared secret unique to them, different from the shared secret with any other SD-WAN node.
d. This shared secret is used to set up an encrypted tunnel between loopback interface 10.1.1.1 on PE1 and loopback interface 10.5.5.5 on PE2 (Figure 6). This enables Versa SD-WAN nodes to emulate IKEv2 without actually running it, avoiding the state-heavy nature of IKEv2, while still establishing an encrypted IPsec SPID between peers.
e. Each SD-WAN node (e.g., PE1) sets up a stateless tunnel using VXLAN encapsulation to a peer node (e.g., PE2), using physical interfaces belonging to the same transport domain (Figure 7).
f. The IPsec-encrypted traffic is carried within this stateless VXLAN tunnel established over the same transport domain (Figure 8).

Figure 4: Typical SD-WAN Network with multiple underlay networks

Figure 5: Typical SD-WAN Network with multiple underlay networks and a tenant-specific control virtual router

Figure 6: SD-WAN Network with tenant-specific encrypted SPID-channel established using loopback interface

Figure 7: SD-WAN Network with tenant-specific VXLAN tunnel established using physical interfaces in the same transport domain

Figure 8: SD-WAN Network with tenant-specific encrypted SPID-channel carried within a VXLAN tunnel established using physical interfaces in the same transport domain
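The following Python model makes steps b through f concrete: each node publishes a Diffie-Hellman half key, a controller acting as route reflector hands every advertisement to every other node, each pair derives a secret that no third node shares, and the resulting single security association is then carried inside a VXLAN tunnel on every underlay transport from Figure 4. This is an added illustration written for this page, not Versa's code and not the actual VOS key schedule or packet format. Assumptions: the 2048-bit MODP group 14 from RFC 3526 as the DH group, HKDF-SHA256 for deriving a 4-byte SPI and an HMAC key, an integrity-only HMAC envelope standing in for ESP (the standard library has no AEAD cipher), the tenant name as HKDF salt, VNI 100, and a third node PE3 with loopback 10.7.7.7 added to show that the PE1-PE2 secret differs from the PE1-PE3 secret.

```python
import hashlib
import hmac
import secrets
import struct

# RFC 3526 "group 14": 2048-bit MODP prime, generator 2 (transcribed from the RFC).
MODP_2048_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
    "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
    "15728E5A8AACAA68FFFFFFFFFFFFFFFF"
)
P, G = int(MODP_2048_HEX, 16), 2

# Constructed sample values: tenant name used as HKDF salt, and the two underlay
# transports of Figure 4 as (name, PE1 outer address, PE2 outer address).
TENANT = b"tenant-A"
TRANSPORTS = [("broadband", "17.1.1.1", "27.2.2.2"), ("mpls", "192.168.2.1", "192.168.4.5")]
VXLAN_FLAG_VNI_VALID = 0x08
TAG_LEN = 16


def hkdf_sha256(ikm, salt, info, length):
    """HKDF (RFC 5869) with HMAC-SHA256: extract, then expand to `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class SdwanNode:
    """One SD-WAN node (PE) holding one security association per peer loopback."""

    def __init__(self, name, loopback):
        self.name, self.loopback = name, loopback
        self._priv = secrets.randbits(256) + 1     # DH private exponent, never advertised
        self.half_key = pow(G, self._priv, P)       # DH half key, carried as SD-WAN info in MP-BGP
        self.sa = {}                                # peer loopback -> (spi, hmac_key)

    def advertisement(self):
        return {"loopback": self.loopback, "dh_half_key": self.half_key}

    def learn_peer(self, adv):
        """Derive the per-peer SA from a reflected half key; both ends compute the same values."""
        if adv["loopback"] == self.loopback:
            return
        shared = pow(adv["dh_half_key"], self._priv, P)
        ikm = shared.to_bytes((P.bit_length() + 7) // 8, "big")
        pair = "|".join(sorted([self.loopback, adv["loopback"]])).encode()  # order-independent
        okm = hkdf_sha256(ikm, TENANT, b"sdwan-sa|" + pair, 36)
        self.sa[adv["loopback"]] = (okm[32:36], okm[:32])  # 4-byte SPI, 32-byte HMAC key

    def protect(self, peer, seq, payload):
        """ESP-style envelope: SPI | sequence | payload | truncated HMAC tag (integrity only)."""
        spi, key = self.sa[peer]
        header = struct.pack("!4sI", spi, seq)
        tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
        return header + payload + tag

    def verify(self, peer, packet):
        """Return the payload when SPI and tag match this peer's SA, otherwise None."""
        spi, key = self.sa[peer]
        header, body, tag = packet[:8], packet[8:-TAG_LEN], packet[-TAG_LEN:]
        if header[:4] != spi:
            return None
        expected = hmac.new(key, header + body, hashlib.sha256).digest()[:TAG_LEN]
        return body if hmac.compare_digest(tag, expected) else None


class Controller:
    """Route reflector: collects every node's advertisement and hands it to all other nodes."""

    def reflect(self, nodes):
        advs = [n.advertisement() for n in nodes]
        for node in nodes:
            for adv in advs:
                node.learn_peer(adv)


def vxlan_encap(vni, inner):
    """8-byte VXLAN header (I flag set, 24-bit VNI) in front of the protected packet."""
    return struct.pack("!II", VXLAN_FLAG_VNI_VALID << 24, vni << 8) + inner


def vxlan_decap(frame):
    flags, vni_field = struct.unpack("!II", frame[:8])
    return flags >> 24, vni_field >> 8, frame[8:]


def send_over_all_transports(src, dst, vni, seq, payload):
    """One SA, every underlay: the same SPI rides inside a VXLAN tunnel on each transport."""
    inner = src.protect(dst.loopback, seq, payload)
    return [{"transport": t, "outer_src": a, "outer_dst": b, "frame": vxlan_encap(vni, inner)}
            for t, a, b in TRANSPORTS]


def build_overlay():
    """PE1 and PE2 from the figures plus a constructed PE3; the controller reflects all half keys."""
    pe1, pe2, pe3 = SdwanNode("PE1", "10.1.1.1"), SdwanNode("PE2", "10.5.5.5"), SdwanNode("PE3", "10.7.7.7")
    Controller().reflect([pe1, pe2, pe3])
    return pe1, pe2, pe3


if __name__ == "__main__":
    pe1, pe2, _ = build_overlay()
    for d in send_over_all_transports(pe1, pe2, vni=100, seq=1, payload=b"hello from PE1"):
        flags, vni, inner = vxlan_decap(d["frame"])
        print(d["transport"], d["outer_src"], "->", d["outer_dst"], "spi", inner[:4].hex(),
              "payload", pe2.verify(pe1.loopback, inner))
```

Running the block prints one line per transport with the same SPI on both, which is the property the text describes: the security association is keyed to the loopback pair and the tenant, not to any physical interface, so adding or losing an underlay changes nothing about the key material. The HKDF `info` field binds the derived keys to the sorted loopback pair, so PE1's SA for PE2 never matches PE1's SA for PE3, and a packet altered in transit or replayed against the wrong peer fails `verify`.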
Conclusion
By establishing an encrypted control channel between loopback addresses within the Control Virtual Router (VR), Versa SD-WAN creates a transport-agnostic overlay tunnel between peer nodes. This enables communication over multiple underlay WAN transports (such as MPLS, Internet, and LTE) while maintaining a single logical encrypted tunnel between SD-WAN peers.
For example, if Branch A and Branch B each have two WAN links (one MPLS and one broadband Internet), traditional vendors typically build separate IPsec tunnels for each WAN path (for example, MPLS-to-MPLS and Internet-to-Internet). This results in multiple tunnel interfaces and increased operational complexity.
In contrast, Versa abstracts the underlay completely by using a control VR loopback-based overlay, presenting a single logical encrypted tunnel between sites regardless of the number of underlying WAN transports. This simplifies tunnel orchestration, improves scalability, and enables intelligent path selection and failover without requiring tunnel reconfiguration.