IPsec tunnelers overview
An IPsec tunneler is a managed bridge that lets a remote site reach services on your network — and lets your services reach back into the remote site — over a standard IPsec tunnel, without installing any NetFoundry software at the remote site. The site's existing firewall, router, or VPN appliance peers with the bridge exactly like any other site-to-site VPN.
NetFoundry provisions and operates the bridge for you. It speaks two protocols at once: standard IPsec (IKEv2) toward the remote site, and OpenZiti toward your network, where a managed edge router carries traffic across the overlay. You configure only the IPsec side; the OpenZiti side is fully managed.
How it works
Each tunneler is a dedicated bridge VM (deployed in us-east-1) running strongSwan for the IPsec side and an OpenZiti
edge router for the overlay side. Forwarding between the two is fixed: IPsec traffic can only reach the edge router, and
the edge router can only reach the IPsec side. The remote site connects over IPsec, and traffic crosses the OpenZiti
overlay to and from your network.
Bidirectional traffic
The key difference from an ingress-only connection is that traffic flows both ways:
- Remote site → your services: Endpoints at the remote site reach services on your network as if they were local.
- Your services → remote site: Services on your network reach hosts behind the remote site's IPsec device.
To reach OpenZiti services, the remote site resolves service hostnames through the bridge's DNS resolver to virtual IPs
in the 100.64.0.0/10 intercept range and routes that range into the tunnel. The exact values are in the configuration
NetFoundry generates for each tunneler — see Create an IPsec
tunneler.
Security model
- Constrained entry point: Each tunneler gets its own security group that accepts inbound traffic only from the
remote site's public IP, and only on the IPsec ports (UDP
500and4500). - Zero trust on the overlay: The IPsec entry point itself is a conventional VPN, so it isn't zero trust. But once traffic is on the OpenZiti network, the zero-trust model applies — the bridge is just another identity, and it can't reach anything until you authorize a service to it. With no service defined, it reaches nothing. This is the same model as zero-trust host access.
- Pre-shared key: NetFoundry generates the pre-shared key (PSK) that authenticates the tunnel. Treat it like a password and deliver it to the remote site over a secure channel.
Status
A tunneler's status reflects whether the IPsec connection has come up:
- Green: The tunnel is up.
- Orange: The tunnel was up but is currently offline.
- Gray: The tunnel has never connected.
During rekey events the connection briefly re-establishes, which can leave short gaps in the metrics graphs.
Console reference
IPsec Tunnelers table
The IPsec Tunnelers section lists the tunnelers on your network.
| Column | Description |
|---|---|
| Name | The user-defined name for the tunneler. |
| Customer IP | The public IPv4 address of the remote site's IPsec device. |
| Region | The region where the bridge is deployed (for example, us-east-1). |
| Status | The provisioning state of the bridge (for example, PROVISIONED). |
| Config | Downloads the generated connection configuration for the remote site's IPsec device. |
Tunneler detail tabs
Open a tunneler to see three tabs:
- Overview: NetFoundry hosting details (status, region, bridge IP, the tunneler's identity), tunnel info (customer public IP, customer peer CIDRs, last heartbeat), and the services and service policies associated with the tunneler.
- IPsec: An IPsec snapshot (IKE Phase 1 state, IKEs connected, when IKE was established, bridge CPU and memory, last
seen), the Child SAs (Phase 2), and bridge logs filterable by window and by kind (
charonfor the strongSwan IKE daemon, orziti-edge-tunnel). - Metrics: Time-series graphs for throughput (rx/tx), liveness, and bridge CPU/memory. Red bands mark IKE_SA (Phase 1) outages and amber dashed lines mark CHILD_SA (Phase 2) rekey moments.