diff --git a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/host1.md b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/host1.md
index d84487ab92c..708edc77ebc 100644
--- a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/host1.md
+++ b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/host1.md
@@ -3242,6 +3242,8 @@ mac address-table notification host-flap detection moves 2
- Hardware encryption is disabled
+- Match source interface of the IPSec connection is enabled
+
### IKE policies
| Policy name | IKE lifetime | Encryption | DH group | Local ID | Integrity |
@@ -3352,6 +3354,7 @@ ip security
key controller
profile Profile-1
hardware encryption disabled
+ connection tx-interface match source-ip
```
## Interfaces
diff --git a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/intended/configs/host1.cfg b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/intended/configs/host1.cfg
index e213b30b800..a392ea52dcf 100644
--- a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/intended/configs/host1.cfg
+++ b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/intended/configs/host1.cfg
@@ -1600,6 +1600,7 @@ ip security
key controller
profile Profile-1
hardware encryption disabled
+ connection tx-interface match source-ip
!
mac security
license license1 123456
diff --git a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/host1/ip-security.yml b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/host1/ip-security.yml
index 9e37b73ee72..84af139cb10 100644
--- a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/host1/ip-security.yml
+++ b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/host1/ip-security.yml
@@ -80,3 +80,4 @@ ip_security:
key_controller:
profile: Profile-1
hardware_encryption_disabled: true
+ connection_tx_interface_match_source_ip: true
diff --git a/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/ip-security.md b/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/ip-security.md
index 858fd11266f..8e06af5a8ab 100644
--- a/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/ip-security.md
+++ b/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/ip-security.md
@@ -40,6 +40,7 @@
| [ key_controller](## "ip_security.key_controller") | Dictionary | | | | |
| [ profile](## "ip_security.key_controller.profile") | String | | | | IPsec profile name to use. |
| [ hardware_encryption_disabled](## "ip_security.hardware_encryption_disabled") | Boolean | | `False` | | Disable hardware encryption.
An SFE restart is needed for this change to take effect. |
+ | [ connection_tx_interface_match_source_ip](## "ip_security.connection_tx_interface_match_source_ip") | Boolean | | | | Match source interface of the IPsec connection. |
=== "YAML"
@@ -141,4 +142,7 @@
# Disable hardware encryption.
# An SFE restart is needed for this change to take effect.
hardware_encryption_disabled:
+
+ # Match source interface of the IPsec connection.
+ connection_tx_interface_match_source_ip:
```
diff --git a/python-avd/pyavd/_eos_cli_config_gen/j2templates/documentation/ip-security.j2 b/python-avd/pyavd/_eos_cli_config_gen/j2templates/documentation/ip-security.j2
index d8d5dfc04f7..bf75399e067 100644
--- a/python-avd/pyavd/_eos_cli_config_gen/j2templates/documentation/ip-security.j2
+++ b/python-avd/pyavd/_eos_cli_config_gen/j2templates/documentation/ip-security.j2
@@ -11,6 +11,10 @@
- Hardware encryption is disabled
{% endif %}
+{% if ip_security.connection_tx_interface_match_source_ip is arista.avd.defined(true) %}
+
+- Match source interface of the IPSec connection is enabled
+{% endif %}
{% if ip_security.ike_policies is arista.avd.defined %}
### IKE policies
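Review bot: The new bullet on the fourth line of the hunk spells the protocol "IPSec", while every other description this commit adds for the same key (the schema fragment, the generated `eos_cli_config_gen.schema.yml`, the schema class docstring and the docs table) uses "IPsec". Because this template produces the per-device documentation, the mismatch is also reproduced in the regenerated host1.md in this commit. Suggest `- Match source interface of the IPsec connection is enabled` so the wording stays consistent with the schema description.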
diff --git a/python-avd/pyavd/_eos_cli_config_gen/j2templates/eos/ip-security.j2 b/python-avd/pyavd/_eos_cli_config_gen/j2templates/eos/ip-security.j2
index 086306aca1f..a30ff043e5b 100644
--- a/python-avd/pyavd/_eos_cli_config_gen/j2templates/eos/ip-security.j2
+++ b/python-avd/pyavd/_eos_cli_config_gen/j2templates/eos/ip-security.j2
@@ -89,4 +89,7 @@ ip security
{% if ip_security.hardware_encryption_disabled is arista.avd.defined(true) %}
hardware encryption disabled
{% endif %}
+{% if ip_security.connection_tx_interface_match_source_ip is arista.avd.defined(true) %}
+ connection tx-interface match source-ip
+{% endif %}
{% endif %}
diff --git a/python-avd/pyavd/_eos_cli_config_gen/schema/__init__.py b/python-avd/pyavd/_eos_cli_config_gen/schema/__init__.py
index 6614afafb4c..f224ee8115e 100644
--- a/python-avd/pyavd/_eos_cli_config_gen/schema/__init__.py
+++ b/python-avd/pyavd/_eos_cli_config_gen/schema/__init__.py
@@ -17099,6 +17099,7 @@ def __init__(self, *, profile: str | None | UndefinedType = Undefined, _custom_d
"profiles": {"type": Profiles},
"key_controller": {"type": KeyController},
"hardware_encryption_disabled": {"type": bool, "default": False},
+ "connection_tx_interface_match_source_ip": {"type": bool},
"_custom_data": {"type": dict},
}
ike_policies: IkePolicies
@@ -17131,6 +17132,8 @@ def __init__(self, *, profile: str | None | UndefinedType = Undefined, _custom_d
Default value: `False`
"""
+ connection_tx_interface_match_source_ip: bool | None
+ """Match source interface of the IPsec connection."""
_custom_data: dict[str, Any]
if TYPE_CHECKING:
@@ -17143,6 +17146,7 @@ def __init__(
profiles: Profiles | UndefinedType = Undefined,
key_controller: KeyController | UndefinedType = Undefined,
hardware_encryption_disabled: bool | UndefinedType = Undefined,
+ connection_tx_interface_match_source_ip: bool | None | UndefinedType = Undefined,
_custom_data: dict[str, Any] | UndefinedType = Undefined,
) -> None:
"""
@@ -17171,6 +17175,7 @@ def __init__(
hardware_encryption_disabled:
Disable hardware encryption.
An SFE restart is needed for this change to take effect.
+ connection_tx_interface_match_source_ip: Match source interface of the IPsec connection.
_custom_data: _custom_data
"""
diff --git a/python-avd/pyavd/_eos_cli_config_gen/schema/eos_cli_config_gen.schema.yml b/python-avd/pyavd/_eos_cli_config_gen/schema/eos_cli_config_gen.schema.yml
index 54b86f4b634..5acc5cf0cb0 100644
--- a/python-avd/pyavd/_eos_cli_config_gen/schema/eos_cli_config_gen.schema.yml
+++ b/python-avd/pyavd/_eos_cli_config_gen/schema/eos_cli_config_gen.schema.yml
@@ -6020,6 +6020,9 @@ keys:
description: 'Disable hardware encryption.
An SFE restart is needed for this change to take effect.'
+ connection_tx_interface_match_source_ip:
+ type: bool
+ description: Match source interface of the IPsec connection.
ip_ssh_client_source_interfaces:
type: list
items:
diff --git a/python-avd/pyavd/_eos_cli_config_gen/schema/schema_fragments/ip_security.schema.yml b/python-avd/pyavd/_eos_cli_config_gen/schema/schema_fragments/ip_security.schema.yml
index bb0153ed4eb..354901442bf 100644
--- a/python-avd/pyavd/_eos_cli_config_gen/schema/schema_fragments/ip_security.schema.yml
+++ b/python-avd/pyavd/_eos_cli_config_gen/schema/schema_fragments/ip_security.schema.yml
@@ -198,3 +198,6 @@ keys:
description: |-
Disable hardware encryption.
An SFE restart is needed for this change to take effect.
+ connection_tx_interface_match_source_ip:
+ type: bool
+ description: Match source interface of the IPsec connection.
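Review bot: The description added on the last line of the hunk, `Match source interface of the IPsec connection.`, does not tell a reader which EOS command the knob renders, and unlike the neighbouring `hardware_encryption_disabled` (which carries `default: false`, visible as `"default": False` in the generated class) the new key has no default, so the generated attribute is typed `bool | None` and the docs table shows an empty default column. Consider naming the rendered CLI in the description, e.g. `description: Match source interface of the IPsec connection (renders the EOS command "connection tx-interface match source-ip").`; the command text is taken from the eos template in this commit, and its placement under the profile is inferred from the regenerated host1.cfg. If parity with `hardware_encryption_disabled` is intended, add `default: false` here too and regenerate the combined schema and `schema/__init__.py` so the three copies stay in step.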