07-15-2016 11:55 AM - edited 02-21-2020 08:53 PM
I have a scenario where we need to establish multiple IPSEC tunnels between two devices, of which one is a Cisco ASR (IPSEC initiator).
In the scenario attached, the ASR has multiple VRFs and we want to create an IPSEC tunnel for each VRF; the other end is the same VIP. Because of this we are considering using certificates instead of PSK.
One certificate (each with a different CN) will be used for each tunnel, which will help in identifying which tunnel is from which VRF (customer).
I'm thinking VRF-aware IPSEC should work in this scenario. But my concern is what happens if the ASR public interface does the NATing, and what will happen to the source ports (500/4500). I understand that when there are multiple flows with the same source port, NAT will change the source port number and maintain it in its table. Please help me confirm (with configs) whether this scenario works, or whether there is any better way to do it.
PS: The F5 load balancer in our topology can only look into Layer 3 & 4 headers. I have multiple IPSEC terminators and I need load balancing. So I am assuming the source port will be different for each tunnel initiated from the ASR.
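As an added illustration (not configuration from the original post or from any reply), the following IOS-XE skeleton shows one way to express the design described above for a single VRF: a per-VRF trustpoint with its own CN, an IKEv2 profile bound to that trustpoint, and a VRF-aware tunnel interface whose source sits in the global (public) VRF. The VRF name, trustpoint name, CN, key label, interface names and IP addresses are placeholders, not values from the post.

```cisco
! Per-customer VRF (placeholder name and RD)
ip vrf CUST-A
 rd 65000:1
!
! One trustpoint per tunnel; the CN is what identifies this VRF's tunnel
! to the far end. Replace the CN and key label for each additional VRF.
crypto pki trustpoint TP-CUST-A
 enrollment terminal
 subject-name CN=cust-a.example.net
 revocation-check none
 rsakeypair KEY-CUST-A
!
crypto ikev2 proposal PROP-AES256
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy POL-DEFAULT
 proposal PROP-AES256
!
! Certificate (RSA signature) authentication in both directions;
! the local identity is the DN from this VRF's certificate.
crypto ikev2 profile IKEV2-CUST-A
 match identity remote fqdn hub.example.net
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP-CUST-A
!
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile IPSEC-CUST-A
 set transform-set TS-AES256
 set ikev2-profile IKEV2-CUST-A
!
! Tunnel source is the public interface in the global VRF; the
! tunnel's inside side (ip vrf forwarding) is the customer VRF.
interface Tunnel101
 ip vrf forwarding CUST-A
 ip address 10.101.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel destination 203.0.113.10
 tunnel protection ipsec profile IPSEC-CUST-A
```

Each additional VRF repeats the trustpoint, IKEv2 profile, IPsec profile and tunnel blocks with its own CN and VRF; `show crypto ikev2 sa detail` then lists which local identity (CN) negotiated which SA.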