S2S ipsec VPN with single interface / single homed router

sven.falk · ‎08-11-2020

We would like to build a site to site vpn between our HQ and a branch office. The branch office has a firewall as default gateway to the internet connected to a DSL line. The VPN router (ISR931) should be connected to the firewall with a single interface. Is it possible to configure s2s ipsec VPN with a single homed router / single interface only? So the firewall sends traffic for the HQ to the VPN router and the VPN router builds the tunnel through the firewall to the HQ.

Karsten Iwen · ‎08-11-2020

Yes, that is possible but it would be my least preferred option to make it work as it adds unnecessary complexity to your network. I would better one of these (from most to least preferred):

terminate the VPN on the firewall and don't use the router.
replace the firewall with the router and a DSL-modem
put the router for VPN-termination behind the firewall and the users behind the router.

Giuseppe Larosa · ‎08-11-2020

Hello @sven.falk ,

generally speaking the device where you terminate the site to site IPSEC VPN needs two logical interfaces.

In the branch office you should have a LAN switch that understands VLANs.

The VPN router can use a single physical interface with two VLAN based subinterfaces :

- one of them for communication with the firewall to send encrypted traffic over it

- the other one to communicate with the internal network in the branch office.

To be noted the site to site VPN could be configured directly on the firewall.

Hope to help

Giuseppe