08-11-2020 02:57 AM
We would like to build a site-to-site VPN between our HQ and a branch office. The branch office has a firewall as the default gateway to the internet, connected to a DSL line. The VPN router (ISR931) should be connected to the firewall with a single interface. Is it possible to configure an s2s IPsec VPN with a single-homed router / single interface only? So the firewall sends traffic for the HQ to the VPN router, and the VPN router builds the tunnel through the firewall to the HQ.
08-11-2020 06:30 AM
Yes, that is possible, but it would be my least preferred option to make it work, as it adds unnecessary complexity to your network. I would rather use one of these (from most to least preferred):
08-11-2020 06:31 AM
Hello @sven.falk,
Generally speaking, the device where you terminate the site-to-site IPsec VPN needs two logical interfaces.
In the branch office you should have a LAN switch that understands VLANs.
The VPN router can use a single physical interface with two VLAN-based subinterfaces:
- one of them for communication with the firewall, to send encrypted traffic over it
- the other one to communicate with the internal network in the branch office.
Note that the site-to-site VPN could also be configured directly on the firewall.
Hope this helps
Giuseppe
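The two-subinterface layout described in the reply above could look like the following on the branch router. This is an added example, not configuration posted by anyone in the thread. The interface name, VLAN IDs, all addresses (documentation ranges), object names and the key are assumptions to be replaced with real values.

```cisco
! Constructed example: every name, VLAN ID, address and key is a placeholder.
! Assumes the firewall routes the HQ prefix to 10.20.0.1 and permits
! UDP 500/4500 (IKE and NAT-T) from 192.0.2.2 to the HQ peer.
crypto ikev2 proposal BRANCH-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy BRANCH-POL
 proposal BRANCH-PROP
crypto ikev2 keyring HQ-KEYS
 peer HQ
  address 203.0.113.1
  pre-shared-key <REPLACE-WITH-STRONG-KEY>
crypto ikev2 profile HQ-PROFILE
 match identity remote address 203.0.113.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local HQ-KEYS
crypto ipsec transform-set HQ-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile HQ-IPSEC
 set transform-set HQ-TS
 set ikev2-profile HQ-PROFILE
!
interface GigabitEthernet0/0
 description 802.1Q trunk to the branch LAN switch
 no ip address
 no shutdown
interface GigabitEthernet0/0.10
 description Transit VLAN to firewall (encrypted traffic only)
 encapsulation dot1Q 10
 ip address 192.0.2.2 255.255.255.252
interface GigabitEthernet0/0.20
 description Branch LAN VLAN (cleartext traffic)
 encapsulation dot1Q 20
 ip address 10.20.0.1 255.255.255.0
interface Tunnel0
 ip address 172.16.255.2 255.255.255.252
 tunnel source GigabitEthernet0/0.10
 tunnel mode ipsec ipv4
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile HQ-IPSEC
!
! Reach the HQ peer via the firewall; send the HQ prefix into the tunnel.
ip route 203.0.113.1 255.255.255.255 192.0.2.1
ip route 10.0.0.0 255.255.0.0 Tunnel0
```

Keeping the transit VLAN and the LAN VLAN separate on the switch trunk is what keeps cleartext and encrypted traffic on different logical segments even though they share one physical port.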