<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: IPSEC issues with existing network in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/ipsec-issues-with-existing-network/m-p/5051532#M1110454</link>
    <description>&lt;P&gt;Instead of using mesh and use point to multipoint the best solution is GETVPN.&lt;/P&gt;
&lt;P&gt;MHM&lt;/P&gt;</description>
    <pubDate>Wed, 27 Mar 2024 16:13:02 GMT</pubDate>
    <dc:creator>MHM Cisco World</dc:creator>
    <dc:date>2024-03-27T16:13:02Z</dc:date>
    <item>
      <title>IPSEC issues with existing network</title>
      <link>https://community.cisco.com/t5/network-security/ipsec-issues-with-existing-network/m-p/5051489#M1110450</link>
      <description>&lt;P&gt;Hello, I am working with a network that currently has 10 router nodes using IPSec tunneling to communicate and encrypt packets between the 10 router nodes over a WAN. Using 140.0.0.0/30 (64 tunnels total) for IPSec tunneling, I have consumed almost all the allowable tunnels on my current setup. The issue I have is I need to add 7 more router nodes to this network and I don't have enough IPSec tunnels to expand to. I am restricted to the single IP range above. What I understand is IPSec is mainly point to point. For the network in question I only need to accomplish the following:&lt;/P&gt;&lt;P&gt;1. Establish point-to-multipoint connections for the 18 nodes.&lt;/P&gt;&lt;P&gt;2. Keep the connections to the nodes encrypted so the WAN can't see the data.&lt;/P&gt;&lt;P&gt;I have also attached a Cisco Packet Tracer image of the setup I am trying to simulate; items in green are using the existing IPSec configuration that I have to do away with, and the others. I am attempting to simulate it first before implementing with the real thing.&lt;/P&gt;&lt;P&gt;Any guidance is appreciated.&lt;/P&gt;</description>
      <pubDate>Wed, 27 Mar 2024 15:11:13 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ipsec-issues-with-existing-network/m-p/5051489#M1110450</guid>
      <dc:creator>JNCloud</dc:creator>
      <dc:date>2024-03-27T15:11:13Z</dc:date>
    </item>
    <item>
      <title>Re: IPSEC issues with existing network</title>
      <link>https://community.cisco.com/t5/network-security/ipsec-issues-with-existing-network/m-p/5051498#M1110451</link>
      <description>&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1708416"&gt;@JNCloud&lt;/a&gt; what is the limitation exactly, physical hardware in a real environment, or do you mean a restriction within Packet Tracer?&lt;/P&gt;
&lt;P&gt;A Dynamic VTI solution would be the best solution for a Hub and Spoke design. This could either be DMVPN or FlexVPN (Hub and Spoke) on Cisco routers, or ASA/FTD, which both now support SVTI and DVTI from 9.19/7.3.&lt;/P&gt;</description>
      <pubDate>Wed, 27 Mar 2024 15:24:48 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ipsec-issues-with-existing-network/m-p/5051498#M1110451</guid>
      <dc:creator>Rob Ingram</dc:creator>
      <dc:date>2024-03-27T15:24:48Z</dc:date>
    </item>
    <item>
      <title>Re: IPSEC issues with existing network</title>
      <link>https://community.cisco.com/t5/network-security/ipsec-issues-with-existing-network/m-p/5051504#M1110452</link>
      <description>&lt;P&gt;The limitation is I am out of IPSec tunnels and I can't expand to another IP address allocation. So I am trying to learn an encrypted point-to-multipoint solution using the same allocation I have. I have been reading on DMVPN but having some issues understanding how that is supposed to work. Where can I find some good examples of DMVPN or FlexVPN? My goal is to remove the IPSec layout and change it to a point-to-multipoint with encryption so that all 18 router nodes can communicate with each other. If DMVPN and FlexVPN are the right solutions to look into, then I think I just need some good source material to understand how to use them.&lt;/P&gt;</description>
      <pubDate>Wed, 27 Mar 2024 15:32:35 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ipsec-issues-with-existing-network/m-p/5051504#M1110452</guid>
      <dc:creator>JNCloud</dc:creator>
      <dc:date>2024-03-27T15:32:35Z</dc:date>
    </item>
    <item>
      <title>Re: IPSEC issues with existing network</title>
      <link>https://community.cisco.com/t5/network-security/ipsec-issues-with-existing-network/m-p/5051507#M1110453</link>
      <description>&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1708416"&gt;@JNCloud&lt;/a&gt; but why are you out of IPSec tunnels? Why do you think another solution is not going to run into the same limitation?&lt;/P&gt;
&lt;P&gt;Regardless, here are the Cisco VPN reference guides: &lt;A href="https://www.cisco.com/c/en/us/support/docs/interfaces-modules/virtual-private-network-module/221568-vpn-technologies-documentation-reference.html" target="_blank"&gt;https://www.cisco.com/c/en/us/support/docs/interfaces-modules/virtual-private-network-module/221568-vpn-technologies-documentation-reference.html&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 27 Mar 2024 15:38:11 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ipsec-issues-with-existing-network/m-p/5051507#M1110453</guid>
      <dc:creator>Rob Ingram</dc:creator>
      <dc:date>2024-03-27T15:38:11Z</dc:date>
    </item>
    <item>
      <title>Re: IPSEC issues with existing network</title>
      <link>https://community.cisco.com/t5/network-security/ipsec-issues-with-existing-network/m-p/5051532#M1110454</link>
      <description>&lt;P&gt;Instead of using mesh and use point to multipoint the best solution is GETVPN.&lt;/P&gt;
&lt;P&gt;MHM&lt;/P&gt;</description>
      <pubDate>Wed, 27 Mar 2024 16:13:02 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ipsec-issues-with-existing-network/m-p/5051532#M1110454</guid>
      <dc:creator>MHM Cisco World</dc:creator>
      <dc:date>2024-03-27T16:13:02Z</dc:date>
    </item>
    <item>
      <title>Re: IPSEC issues with existing network</title>
      <link>https://community.cisco.com/t5/network-security/ipsec-issues-with-existing-network/m-p/5052188#M1110473</link>
      <description>&lt;P&gt;Hello again, I am sorry if my inexperience is showing here. I am currently looking into the alternate solutions brought up in this thread. 10 of these nodes “Spokes” already exist and we are adding 7 new nodes. If I keep the current network topology, I will have no more point-to-point tunnels. I am restricted to a single IP address using the /30 subnet, so with that allocation I can only have 64 tunnels. Unless I am misunderstanding something due to my inexperience? I also have no control of the network between my router nodes, so as I am reading into DMVPN I am not sure this is the optimal solution right now, but I will continue to investigate DMVPN, FlexVPN, and GETVPN.&lt;/P&gt;&lt;P&gt;Do I need to have a Main/Host Router to assist with routing traffic? My equipment layout doesn't allow for this. Should I be able to configure as only spoke to spoke and get it to work?&lt;/P&gt;</description>
      <pubDate>Thu, 28 Mar 2024 19:12:23 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ipsec-issues-with-existing-network/m-p/5052188#M1110473</guid>
      <dc:creator>JNCloud</dc:creator>
      <dc:date>2024-03-28T19:12:23Z</dc:date>
    </item>
  </channel>
</rss>

