06-27-2023 02:29 AM - last edited on 07-05-2023 04:35 AM by Translator
I need some clarity regarding the IPsec connectivity requirement for the endpoints. Is it possible to use a single public IP on a router and build multiple IPsec tunnels from different locations/devices using the same public IP address, or does it have to be a different unique IP for each IPsec connection? What is the best practice around this, including any limitations?
06-27-2023 02:45 AM - last edited on 07-05-2023 03:55 AM by Translator
For legacy IPsec you need P2P, one source and one destination, BUT you can do:
crypto map MHM 10 ipsec-isakmp
 set peer x.x.x.1
 set transform-set TS
 match address ACL-PEER1
!
crypto map MHM 20 ipsec-isakmp
 set peer x.x.x.2
 set transform-set TS
 match address ACL-PEER2
!
! TS is a transform-set defined with "crypto ipsec transform-set TS ...";
! ACL-PEER1 / ACL-PEER2 are the crypto ACLs selecting the traffic for each peer.
etc. <<- add a peer and a different match address (crypto ACL) per entry
then
interface x/x
 ip address <public IP>
 crypto map MHM
06-27-2023 05:29 AM - last edited on 07-05-2023 04:37 AM by Translator
Thanks MHM, I need further input, i.e. suppose we have a router with 50 IPsec connections; in this case is it required to have 50 unique public IPs, or is it possible to bind one public IP to all 50 tunnels?
I need to understand fundamentally the configuration and concept for IPsec, and a snippet of configuration if possible.
06-27-2023 06:04 AM - last edited on 07-05-2023 03:57 AM by Translator
You need 50 public IPs for the peers.
From your side you need only one public IP.
06-27-2023 06:25 AM
Thanks MHM, so every IPsec endpoint should be a unique public IP; it can't be shared over multiple connections.
06-27-2023 06:27 AM
Correct
06-27-2023 08:17 AM - last edited on 07-05-2023 05:10 AM by Translator
I might not correctly understand your question, because using GRE/IPsec or VTI (using IPsec), you can have many tunnels using the same physical interface IP address. (I've done this many, many times.) This might seem contrary to what @MHM Cisco World is saying, that you cannot, so I suspect he and I have something different in mind, although he also wrote "You need 50 public IP for Peers" and "From your side you need only one public IP", which does agree with my experience. I.e. he and I might have the same in mind, but perhaps we don't fully understand "Is it possible to use single public IP on a router and build multiple IPSEC tunnels from different locations/ devices using the same public IP address . . .", and your later ". . . so every IPSEC endpoint should be unique public IP, it can't be shared over multiple connections." The latter, I would say, is incorrect.
He also showed using the (very) old method of using a crypto map, but when using tunnels, part of the tunnel configuration specifies the tunnel's local physical interface and the far side's destination IP.
(BTW, there was one device [6500/sup720?] that required you to use separate source IPs, which could be loopbacks.)
However, if you're asking, between the same pair of hosts, can you have multiple tunnels? To that question, I would suspect, but don't know for sure, that the answer would be no.
Or, if you're asking, might two physical devices use the same IP, well possibly something like basic GRE might (?) work using a virtual IP (e.g. HSRP), as it's not stateful, but IPsec is session specific. I.e. two devices would need to share IPsec information for such a tunnel (not a feature I'm aware of).
06-27-2023 08:22 AM - last edited on 07-05-2023 04:00 AM by Translator
Additional to what @Joseph W. Doherty mentioned, you can have multiple SPOKEs behind the same ONE PUBLIC IP (after NATing), but this case is only in DMVPN, which has a control message (NHRP) that can help the HUB know which session this belongs to.
But for legacy IPsec, as I mentioned before, you need a unique public IP.
06-27-2023 12:32 PM - last edited on 07-05-2023 04:20 AM by Translator
@MHM Cisco World, I'm still unsure we're describing the same thing.
As, for example, a HQ router, it can have multiple p2p tunnels (GRE/IPsec, VTI-IPsec and DMVPN), all sharing one physical interface, with, if on the Internet, a single public IP. Also, for such usage, you don't need NAT/PAT (as "internal/private" IPs are encapsulated).
Here's a PT conf snippet:
! Router (1.1.1.1): two GRE tunnels sharing one physical interface
interface Tunnel1
 ip address 10.1.1.1 255.255.255.252
 mtu 1476
 tunnel source GigabitEthernet0/0/0
 tunnel destination 1.1.1.2
!
interface Tunnel2
 ip address 10.1.2.1 255.255.255.252
 mtu 1476
 tunnel source GigabitEthernet0/0/0
 tunnel destination 1.1.1.3
!
interface GigabitEthernet0/0/0
 ip address 1.1.1.1 255.255.255.0

Router#ping 10.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/1 ms
Router#ping 10.1.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/4/13 ms

! Far-side router (1.1.1.2)
interface Tunnel1
 ip address 10.1.1.2 255.255.255.252
 mtu 1476
 tunnel source GigabitEthernet0/0/0
 tunnel destination 1.1.1.1
!
interface GigabitEthernet0/0/0
 ip address 1.1.1.2 255.255.255.0
Using just GRE tunnels (as PT, I believe, doesn't support IPsec), but it shows I can ping either far-side tunnel IP using just one physical "public" IP on a router.
06-27-2023 12:36 PM - last edited on 07-05-2023 04:24 AM by Translator
Please check DMVPN Spoke behind NAT.
Thanks
MHM
06-27-2023 07:45 PM - last edited on 07-05-2023 04:28 AM by Translator
"please check DMVPN Spoke behind NAT."
Were you directing that question to me?
If so, it's unclear what exactly should be checked. Further, I've never done DMVPN behind NAT.