04-12-2023 02:01 PM
Greetings,
I'm looking for a sanity check, and possibly a smarter way to solve a problem I'm having. My goal is to have one VPN use only GRE encapsulation, and the second VPN use only IPsec. These different VPNs have different security constraints and I'm trying to reduce overhead where possible. The topology is a typical hub-and-spoke network; my spokes share 4-6 vpn0 transports with the hub. Each of these tunnel interfaces is configured to stand up tunnels over both IPsec and GRE.
I successfully solved the issue by using an outbound centralized policy that matches the VPN and sets the TLOCs to the exact TLOC needed. This seems more tedious and manual than it should be to solve this problem.
Is there a simple way to match a VPN and all TLOCs with a specific encapsulation within a single policy? If so, I can do an inbound centralized policy matching VPN 1 and blocking IPsec, and matching VPN 2 and blocking GRE.
Appreciate your input!
04-12-2023 10:27 PM
Hi,
In a centralized control policy, for matching a TLOC or TLOC list all 3 values are mandatory and there is no other option.
You may create two TLOC lists, one for IPsec-only TLOCs and another for GRE-only TLOCs. Use these lists in the policy one time and that's all.
Each time you have a new TLOC, add it to the list and it works (no need to touch the policy itself).
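A vSmart centralized control policy in the shape Kanan describes, added here as an illustration and not taken from the thread: two TLOC lists split by encapsulation, one sequence per VPN, applied outbound to the spokes. The hub TLOC address 10.0.0.1, the colors, the spoke site-id range and the list/policy names are constructed placeholders.

```cisco
policy
 lists
  ! Hub TLOCs that VPN 1 may use: GRE encapsulation only (placeholder address)
  tloc-list HUB-GRE-TLOCS
   tloc 10.0.0.1 color biz-internet encap gre
   tloc 10.0.0.1 color mpls encap gre
  !
  ! Hub TLOCs that VPN 2 may use: IPsec encapsulation only
  tloc-list HUB-IPSEC-TLOCS
   tloc 10.0.0.1 color biz-internet encap ipsec
   tloc 10.0.0.1 color mpls encap ipsec
  !
  site-list SPOKES
   site-id 100-199
  !
 !
 control-policy STEER-ENCAP-PER-VPN
  ! VPN 1 routes reach the spokes carrying only the GRE hub TLOCs
  sequence 10
   match route
    vpn 1
   !
   action accept
    set
     tloc-list HUB-GRE-TLOCS
    !
   !
  !
  ! VPN 2 routes reach the spokes carrying only the IPsec hub TLOCs
  sequence 20
   match route
    vpn 2
   !
   action accept
    set
     tloc-list HUB-IPSEC-TLOCS
    !
   !
  !
  default-action accept
 !
 apply-policy
  site-list SPOKES
   control-policy STEER-ENCAP-PER-VPN out
  !
 !
!
```

Because every tloc-list entry must carry all three values (address, color, encap), each new hub transport needs one line in each list, but the control-policy itself never changes.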
04-13-2023 06:44 AM
Thanks Kanan,
That's the same conclusion I came up with. I guess I was expecting there was some way to wildcard some of the values in the TLOC or TLOC list inside of the policy.
The solution scales well at the spoke policy, since I will almost always just point them to the hub TLOCs, but at the hub policy it's looking like I'll need to add 6 entries per VPN per spoke. My TLOC lists will have 1000s of lines in my real deployment.