Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
353
Views
0
Helpful
3
Replies

IPsec site-to-site VPN vs WAN

Tanma29
Level 1
Level 1

‎08-19-2022 12:10 AM

I'm new and trying to understand how the traffic decision would be made if following were the scenario,

Currently the client is connected through a MPLS ciruit + router, this circuit is set to decommission after 3 months due to low bandwidth utilization and they want us to setup a site to site IPsec VPN on our ASA which is facing the internet. This traffic would be only Inbound from their side IPs to ours, hence we will be using their public PAT as interesting traffic with many of our subnets.

Now if I deploy this tunnel, would the traffic still route through the dedicated WAN or would it switch to VPN right away and drop all connections coming from WAN circuit?

Labels:
0 Helpful
3 Replies 3

Rob Ingram
VIP
VIP

‎08-19-2022 12:33 AM

@Tanma29 without knowing your environment, I can only guess.

I imagine your traffic would still go via your MPLS, if you are using a dynamic routing protocol for routing traffic over the MPLS? If you do, only when the MPLS is decommissioned will those dynamically learned routes be removed from the routing table. All traffic would then normally be routed via the default route, which if that's your ASA then a VPN tunnel would be established (assuming the configuration is correct).

If that assumption is incorrect, please let us know more information about your environment.

0 Helpful

Tanma29
Level 1
Level 1
In response to Rob Ingram

‎08-19-2022 01:12 AM

@Rob Ingram  Thanks for the reply, Sorry let me explain little more about the current setup
The IPs (interesting client traffic) coming from VPN ASA are NATed internally and this NAT IPs are learned to our Datacenter through BGP. And yes WAN circuit routes are learnt via BGP from client facing edge router to our Datacenter.

So client side IPs(real IPs) are learnt directly through client edge router.

Their PAT from VPN is then internally Static NATed and this is learnt through BGP.

So if they initiate traffic towards one of our servers after I setup the IPsec tunnel, would it still prefer MPLS routes and come as real IPs or would they get PATed and reach us through VPN

 

 

 

 

0 Helpful

MHM Cisco World
VIP
VIP

‎08-19-2022 03:54 AM

Hi, depend on
if you receive Default route from the MPLS SP and you use default route in ASA 
then sure you will face some incorrect routing, 

0 Helpful
Customers Also Viewed These Support Documents