IPSEC EndPoints

Arvind kumar
Level 1

I need some clarity regarding the IPsec connectivity requirement for the end-points. Is it possible to use a single public IP on a router and build multiple IPsec tunnels from different locations/devices using the same public IP address, or does it have to be a different, unique IP for each IPsec connection? What is the best practice around this, including any limitations?

For legacy IPsec you need P2P, one source and one destination, BUT you can do:

crypto map MHM 10 ipsec-isakmp
 set peer x.x.x.1
 match address <ACL for x.x.x.1>
!
crypto map MHM 20 ipsec-isakmp
 set peer x.x.x.2
 match address <ACL for x.x.x.2>

etc. <<- add a peer and a different match address for each

then

interface x/x
 ip address <public IP> <mask>
 crypto map MHM
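
As an added illustration (not code from this thread or from Cisco), the Python model below captures the crypto-map behaviour described above: the physical interface has one public IP, the single crypto map applied to it holds one entry per peer, and outbound traffic is classified by each entry's match-address ACL in sequence-number order, first match wins. It also flags a later entry whose ACL is entirely covered by an earlier entry's ACL, since that entry (and the peer bound to it) can never be selected. The sample config, its addresses, ACL names and interface name are all constructed for the example.

```python
"""Model of IOS crypto-map selection, added as an illustration (not Cisco code): one
public IP on the physical interface carries one crypto map whose entries each bind a
different peer and are chosen by 'match address' in sequence order, first match wins.
SAMPLE_CONFIG is constructed for the example; its addresses and names are made up."""
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network

SAMPLE_CONFIG = """
ip access-list extended TO-SITE1
 permit ip 10.0.0.0 0.0.255.255 10.1.1.0 0.0.0.255
ip access-list extended TO-SITE2
 permit ip 10.0.0.0 0.0.255.255 10.1.2.0 0.0.0.255
ip access-list extended TO-SITE1-HOSTS
 permit ip host 10.0.1.5 host 10.1.1.9
crypto map MHM 10 ipsec-isakmp
 set peer 203.0.113.1
 match address TO-SITE1
crypto map MHM 20 ipsec-isakmp
 set peer 203.0.113.2
 match address TO-SITE2
crypto map MHM 30 ipsec-isakmp
 set peer 203.0.113.3
 match address TO-SITE1-HOSTS
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map MHM
"""

@dataclass
class CryptoMapEntry:
    seq: int
    peer: str | None = None
    acl: str | None = None

@dataclass
class CryptoMapModel:
    local_ip: str | None = None  # the single public IP the whole map rides on
    entries: list[CryptoMapEntry] = field(default_factory=list)
    acls: dict[str, list[tuple[IPv4Network, IPv4Network]]] = field(default_factory=dict)

    def select_peer(self, src: str, dst: str) -> tuple[int, str] | None:
        """Outbound: the first entry (by seq) whose ACL permits src -> dst picks the peer."""
        s, d = IPv4Address(src), IPv4Address(dst)
        for e in sorted(self.entries, key=lambda e: e.seq):
            if any(s in sn and d in dn for sn, dn in self.acls.get(e.acl, [])):
                return e.seq, e.peer
        return None

    def shadowed_entries(self) -> list[tuple[int, int]]:
        """(later_seq, earlier_seq): the later entry's ACL is fully covered, so it never fires."""
        ordered, found = sorted(self.entries, key=lambda e: e.seq), []
        for i, later in enumerate(ordered):
            lines = self.acls.get(later.acl, [])
            for earlier in ordered[:i]:
                if lines and all(any(sn.subnet_of(cs) and dn.subnet_of(cd)
                                     for cs, cd in self.acls.get(earlier.acl, []))
                                 for sn, dn in lines):
                    found.append((later.seq, earlier.seq))
                    break
        return found

def _parse_addr(tokens: list[str]) -> IPv4Network:
    """Consume one IOS address spec from tokens: 'host A' or 'A WILDCARD'."""
    t = tokens.pop(0)
    if t == "host":
        return IPv4Network(tokens.pop(0) + "/32")
    wildcard = tokens.pop(0)
    # IOS wildcards are hostmasks, which ipaddress accepts after '/', except that the
    # all-zero wildcard (one host) would read as /0; non-contiguous wildcards raise here.
    return IPv4Network(f"{t}/{'32' if wildcard == '0.0.0.0' else wildcard}", strict=False)

def parse_config(text: str) -> CryptoMapModel:
    """Parse the ACL, crypto map and interface stanzas used in SAMPLE_CONFIG."""
    model, iface_ip, ctx, cur = CryptoMapModel(), {}, None, None
    for raw in filter(str.strip, text.splitlines()):
        tok = raw.split()
        if not raw.startswith(" "):  # a new top-level stanza
            ctx = None
            if tok[:3] == ["ip", "access-list", "extended"]:
                ctx, cur = "acl", model.acls.setdefault(tok[3], [])
            elif tok[:2] == ["crypto", "map"]:
                ctx, cur = "map", CryptoMapEntry(seq=int(tok[3]))
                model.entries.append(cur)
            elif tok[0] == "interface":
                ctx, cur = "iface", tok[1]
        elif ctx == "acl" and tok[:2] == ["permit", "ip"]:
            rest = tok[2:]
            cur.append((_parse_addr(rest), _parse_addr(rest)))
        elif ctx == "map" and tok[:2] == ["set", "peer"]:
            cur.peer = tok[2]
        elif ctx == "map" and tok[:2] == ["match", "address"]:
            cur.acl = tok[2]
        elif ctx == "iface" and tok[:2] == ["ip", "address"]:
            iface_ip[cur] = tok[2]
        elif ctx == "iface" and tok[:2] == ["crypto", "map"]:
            model.local_ip = iface_ip.get(cur)  # 50 entries or 2, still one local IP
    return model
```

`parse_config(SAMPLE_CONFIG)` yields three peers bound to one local public IP (198.51.100.1); `select_peer("10.0.1.5", "10.1.1.9")` returns entry 10 with peer 203.0.113.1, and `shadowed_entries()` reports `(30, 10)`: entry 30's host-to-host ACL is a subset of entry 10's broader ACL, so entry 10 always wins and the peer on entry 30 never gets an SA. Checking for that kind of overlap is worth doing when many entries share one interface.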

Thanks MHM, I need further input, i.e. suppose we have a router with 50 IPsec connections; in this case is it required to have 50 unique public IPs, or is it possible to bind one public IP to all 50 tunnels?

I need to understand fundamentally the configuration and concept for IPsec, with a snippet of configuration if possible.

You need 50 public IPs for the peers.

From your side you need only one public IP.

Arvind kumar
Level 1

Thanks MHM, so every IPsec endpoint should have a unique public IP; it can't be shared over multiple connections.

Joseph W. Doherty
Hall of Fame

I might not correctly understand your question, because using GRE/IPSec or VTI (using IPSec), you can have many tunnels using the same physical interface IP address. (I've done this many, many times.) This might seem contrary to what @MHM Cisco World is saying, that you cannot, so I suspect he and I have something different in mind, although he also wrote "You need 50 public IP for Peers" and "From your side you need only one public IP", which does agree with my experience. I.e. he and I might have the same in mind, but perhaps we don't fully understand "Is it possible to use single public IP on a router and build multiple IPSEC tunnels from different locations/ devices using the same public IP address . . .", and your later ". . . so every IPSEC endpoint should be unique public IP, it can't be shared over multiple connections." The latter, I would say, is incorrect.

He also showed using the (very) old method of using a crypto map, but when using tunnels, part of the tunnel configuration specifies the tunnel's local physical interface and the far side's destination IP.

(BTW, there was one device [6500/sup720?] that required you to use separate source IPs, which could be loopbacks.)

However, if you're asking, between the same pair of hosts, can you have multiple tunnels? To that question, I would suspect, but don't know for sure, that the answer would be no.

Or, if you're asking, might two physical devices use the same IP, well possibly something like basic GRE might (?) work using a virtual IP (e.g. HSRP), as it's not stateful, but IPSec is session specific. I.e. two devices would need to share IPSec information for such a tunnel (not a feature I'm aware of).

Additional to what @Joseph W. Doherty mentioned, you can have multiple SPOKEs behind the same ONE PUBLIC IP (after NATing), but this case is only in DMVPN, which has the NHRP control message that can help the HUB know which session this belongs to.
But for legacy IPsec, as I mentioned before, you need a unique public IP.

@MHM Cisco World, still unsure we're describing the same.

As, for example, a HQ router can have multiple p2p tunnels (GRE/IPSec, VTI-IPSec and DMVPN), all sharing one physical interface, with, if on the Internet, a single public IP. Also, for such usage, you don't need NAT/PAT (as "internal/private" IPs are encapsulated).

Here's a PT conf snippet:

interface Tunnel1
 ip address 10.1.1.1 255.255.255.252
 mtu 1476
 tunnel source GigabitEthernet0/0/0
 tunnel destination 1.1.1.2

interface Tunnel2
 ip address 10.1.2.1 255.255.255.252
 mtu 1476
 tunnel source GigabitEthernet0/0/0
 tunnel destination 1.1.1.3

interface GigabitEthernet0/0/0
 ip address 1.1.1.1 255.255.255.0
Router#ping 10.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/1 ms

Router#ping 10.1.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/4/13 ms

interface Tunnel1
 ip address 10.1.1.2 255.255.255.252
 mtu 1476
 tunnel source GigabitEthernet0/0/0
 tunnel destination 1.1.1.1

interface GigabitEthernet0/0/0
 ip address 1.1.1.2 255.255.255.0

Using just GRE tunnels (as PT, I believe, doesn't support IPSec), but it shows I can ping either far side tunnel IP using just one physical "public" IP on a router.

Please check DMVPN Spoke behind NAT.

Thanks
MHM

"Please check DMVPN Spoke behind NAT."

Were you directing that question to me?

If so, unclear what exactly should be checked. Further, I've never done DMVPN behind NAT.