49.1. Overview

AIPT2 is the second version of the Abilis IP tunnel protocol. This new type of resource offers the possibility to create a tunnel with up to 6 paths, and use them for load balancing and/or for redundancy (former AIPT double path now AIPT2 multipath), as well as for backup purposes by means of dependency setting. It simplifies configurations and improves performances.

[Important]Important

AIPT2 works only with Abilis devices with software version > 8.6.

AIPT2 serves to achieve these goals:

One side of the AIPT2 tunnel must be configured as a ‘server’, the other as a ‘client’. The server side requires a valid address on the Internet (type 82.33.143.22 or FQDN), the client side is independent of the addresses. It is the client's responsibility to establish the connection to the desired server. If the server has multiple addresses, the list can be indicated.

The authentication of the client by the server takes place through protected/encrypted modes, making use of the client's Abilis-ID or a pair of "keys" (LOCKEY, REMKEY).

AIPT2 uses 256 bit AES encryption. The encrypted packets are sent on the available lines (paths) according to the chosen operating mode (PATHSMODE: BALANCE or REDUNDANT or MIXED). In the BALANCE operating mode the packets are distributed on the available paths, thus allowing a more rapid transmission of information. In the REDUNDANT operating mode, a copy of each packet is transmitted by means of each path designated for this service. How each path must work is indicated by the MPx parameter (MP1 for path 1, MP2 for path 2, ...).

The correct functionality of each path is controlled by AIPT2 by means of the periodic exchange of probe packets (LC link-check). When a path fails to give the requested service it is automatically taken out of service (and readmitted, when the operating conditions are good again).

The correct functionality of each path depends on how much the lines are loaded. In case of overload, there is a high loss of packets and this causes the deterioration of the performance of the AIPT2 connection, especially when the paths are used in BALANCE mode. To prevent this from happening at least in "normal" network conditions, the AIPT2 paths are speed-regulated, so as not to exceed the normal line capacity (OUTSPx parameters).

The configuration of the AIPT2 tunnels is complex, but fortunately in most cases only a few parameters have to be entered, the others remaining at default values.

In VPN networks with many similar peripheral points it is appropriate to use the PROVISIONING system, described here.

The main characteristics of AIPT2 are:

[Important]Important

The tunnel packets, i.e. control and encapsulated payload, that AIPT2 sends out obey IPACL for all parameters except for IPCOS which is enforced by means of C-IPCOS and D-IPCOS parameters. On the contrary the clean payload, i.e. decapsulated packets, fully obey IPACL.

In the example below:

Server:

[21:56:35] ABILIS_CPX:d p ip-11

RES:Ip-11 ---------------------------------------------------------------------
       - Abilis IP tunnel v.2 (AIPT2) -----------------------------------------
Run    DESCR:
       LOCATION:
       OPSTATE:UP              LOG:NO            STATE-DETECT:NORMAL  TYPE:VPN
       IPADD:172.020.011.205   MASK:255.255.255.000   NEIGH:000.000.000.000
       REDIS:YES     HIDE:NO         RP:NONE            IPSEC:NO       VRRP:NO
       NAT:VPN                       DIFFSERV:NO        DDNS:NO
       OUTBUF:250    OUTQUEUE:FAIR   MTU:1500
       OUTSPL:NO
       INBUF:0                       mru:1500           SRCV:NO
       - TRFA section ---------------------------------------------------------
       TRFA:NO
       - IP Tunnel ------------------------------------------------------------
       ROLE:SERVER   CR:NO     COMP:NO       FRAGSIZE:1480  TRY:5     TOUT:5000
       LOCKEY:ip11             LOCPORT:4011  C-TOS:0-D      DLY-UP:10 THR-DN:30
       REMKEY:ip11                           C-IPCOS:HIGH   DLY-TOUT:3
       REMABILIS-ID:           RS-BUF:250    D-TOS:COPY     BURST:1
       NUMPATHS:6              REORDER:NO    D-IPCOS:COPY   BURST-DLY:100
       PATHSMODE:MIXED
       - IP Tunnel Paths ------------------------------------------------------
       x  MPx: OUTSPx: OUTx:  LOCIPx:         REMIPx:
                       GWx:                   SPL-OVHx:
       --+----+-------+------+---------------+---------------------------------
       1 |     NOMAX   AUTO   *               *
       2 |     NOMAX   AUTO   *               *
       3 |     NOMAX   AUTO   *               *
       4 |A    NOMAX   AUTO   *               *
       5 |A    NOMAX   AUTO   *               *
       6 |     NOMAX   AUTO   *               *

Client:

[21:53:49] ABILIS_CPX:d p ip-11

RES:Ip-11 ---------------------------------------------------------------------
       - Abilis IP tunnel v.2 (AIPT2) -----------------------------------------
Run    DESCR:
       LOCATION:
       OPSTATE:UP              LOG:NO            STATE-DETECT:NORMAL  TYPE:VPN
       IPADD:172.020.011.206   MASK:255.255.255.000   NEIGH:000.000.000.000
       REDIS:YES     HIDE:NO         RP:NONE            IPSEC:NO       VRRP:NO
       NAT:VPN                       DIFFSERV:NO        DDNS:NO
       OUTBUF:250    OUTQUEUE:FAIR   MTU:1500
       OUTSPL:NO
       INBUF:0                       mru:1500           SRCV:NO
       - TRFA section ---------------------------------------------------------
       TRFA:NO
       - IP Tunnel ------------------------------------------------------------
       ROLE:CLIENT                           FRAGSIZE:1480  TRY:5     TOUT:5000
       LOCKEY:ip11             LOCPORT:4011  C-TOS:0-D      DLY-UP:10 THR-DN:30
       REMKEY:ip11             REMPORT:4011  C-IPCOS:HIGH   DLY-TOUT:3
       REMABILIS-ID:           RS-BUF:250    D-TOS:0-N      BURST:1
       NUMPATHS:6              REORDER:AUTO  D-IPCOS:COPY   BURST-DLY:100
       PATHSMODE:MIXED
       - IP Tunnel Paths ------------------------------------------------------
       x  MPx: OUTSPx: OUTx:  LOCIPx:         REMIPx:
          DEPx:        GWx:                   SPL-OVHx:
       --+----+-------+------+---------------+---------------------------------
       1 |     NOMAX   AUTO   OUT-IP          #
       2 |     NOMAX   AUTO   OUT-IP          172.020.002.205
       3 |     NOMAX   AUTO   OUT-IP          172.020.003.205
       4 |A    NOMAX   AUTO   OUT-IP          172.020.004.205
       5 |A    NOMAX   AUTO   OUT-IP          172.020.005.205
       6 |     NOMAX   AUTO   OUT-IP          172.020.006.205
          2|3          #                      AUTO