L2L VPN over SD-WAN using transport mode

Chess Norris
Level 4

Hello,

I have a customer that has a branch office in China. Before, they were using a direct L2L VPN between the branch office and HQ, but a while ago the VPN stopped working and it is no longer an option due to government restrictions (Great Firewall of China).

Instead, the customer purchased a SD-WAN solution and the connection between branch office and HQ is now working again, but we want to encrypt this traffic by building a new L2L VPN tunnel over the SD-WAN link. 

The problem is that we need to tell the SD-WAN carrier exactly which networks we want them to route over the SD-WAN link, and since the traffic will be encrypted, the carrier will not see the IP addresses, so the tunnel will never come up.

I was thinking of using IPsec transport mode instead of tunnel mode, because then the IP headers are not encrypted and the IP addresses should be visible, but I am not sure if this is supported on FTD devices, maybe by using FlexVPN?

If tunnel mode is not supported on FTD devices, does anyone know how we can solve or work around this issue?

Thanks

/Chess


3 Replies

Hi friend 

SD-WAN uses IPsec or GRE.

Do you mean the SD-WAN uses GRE and you want to secure the traffic by adding IPsec over the GRE of the SD-WAN?

In the end, SD-WAN is like any WAN, so if you have a FW then make IPsec use the outside of the FWs as the source and destination of IPsec.

MHM

Chess Norris
Level 4

I think the problem is that the Chinese ISP needs to know exactly which subnets to route over the SD-WAN. Since the firewall will encrypt the traffic when we add an IPsec tunnel, the ISP will not see the source/destination IP addresses and therefore the traffic will never reach the SD-WAN. At least that's my theory why it won't work. Transport mode might help here, but I'm not sure.

Thanks

/Chess

FW - SDWAN (cEdge/vEdge) - ISP - SDWAN (cEdge/vEdge) - other site router or FW

The SDWAN will advertise the prefix of the link connecting the vEdge/cEdge to the other site's SDWAN vEdge/cEdge.
You want to configure IPsec between your FW and the other router/FW in the other site?
If yes, then only use the FW-to-SDWAN interface as the peer address of your IPsec.
In the end the IPsec uses this IP as the outer IP header, and this IP is reachable via SDWAN; the SDWAN then NATs or also encapsulates it inside GRE or IPsec.
The ISP only needs to know the SDWAN outer header of its IPsec/GRE, not the FW IP.
MHM
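The two points made in this thread (the original question about transport mode leaving the IP header visible, and the reply that a transit carrier only ever sees the outer IP header and the IPsec peer addresses) can be checked with a small packet model. The following is an added example written for this thread; it is not Cisco, FTD or SD-WAN code. It builds ESP packets in tunnel mode and in transport mode (RFC 4303 layout: SPI, sequence number, encrypted payload and trailer) and then parses them the way a router without the key would. The cipher is a stand-in (an HMAC-SHA256 counter keystream with no integrity tag) used only to make the inner bytes opaque; the addresses, key and payload are constructed sample values.

```python
"""Tunnel mode vs transport mode ESP: what a transit carrier can read.

Added example for this thread, not vendor code. The "cipher" below is a
stand-in keystream so the inner bytes are opaque; real ESP uses e.g. AES-GCM.
"""
import hashlib
import hmac
import ipaddress
import struct

ESP_PROTO = 50          # IP protocol number for ESP
TCP_PROTO = 6
IPIP_NEXT_HEADER = 4    # ESP next-header value for an encapsulated IPv4 packet
KEY = b"constructed-demo-key-not-for-real-use"   # constructed sample key

IPV4_FMT = "!BBHHHBBH4s4s"   # minimal 20-byte IPv4 header, no options


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Build a 20-byte IPv4 header (checksum left zero; this is a model)."""
    return struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def parse_ipv4_header(pkt: bytes):
    """Return (src, dst, proto, total_len) from the leading IPv4 header."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(IPV4_FMT, pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)), proto, total_len


def keystream_xor(key: bytes, spi: int, seq: int, data: bytes) -> bytes:
    """Stand-in cipher: XOR with an HMAC-SHA256 counter keystream bound to SPI/seq.
    Symmetric, so the same call both encrypts and decrypts. Illustrative only."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, struct.pack("!IIQ", spi, seq, block), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def esp_encapsulate(key: bytes, spi: int, seq: int, plaintext: bytes, next_header: int) -> bytes:
    """ESP: cleartext SPI + seq, then encrypted [payload | pad | pad_len | next_header]."""
    pad_len = (-(len(plaintext) + 2)) % 4            # align trailer to 4 bytes
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    return struct.pack("!II", spi, seq) + keystream_xor(key, spi, seq, plaintext + trailer)


def esp_decapsulate(key: bytes, esp: bytes):
    """Peer side: strip ESP, return (payload, next_header)."""
    spi, seq = struct.unpack("!II", esp[:8])
    plain = keystream_xor(key, spi, seq, esp[8:])
    pad_len, next_header = plain[-2], plain[-1]
    return plain[:len(plain) - 2 - pad_len], next_header


def build_inner_packet(src: str, dst: str, payload: bytes) -> bytes:
    """A host-to-host packet that would enter the firewall from the LAN."""
    return ipv4_header(src, dst, TCP_PROTO, len(payload)) + payload


def tunnel_mode(key, spi, seq, gw_src: str, gw_dst: str, inner_pkt: bytes) -> bytes:
    """Tunnel mode: the whole inner IP packet is the ESP payload and a NEW outer
    header carries the gateway (firewall peer) addresses."""
    esp = esp_encapsulate(key, spi, seq, inner_pkt, IPIP_NEXT_HEADER)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(esp)) + esp


def transport_mode(key, spi, seq, inner_pkt: bytes) -> bytes:
    """Transport mode: the ORIGINAL IP header is kept (protocol rewritten to ESP)
    and only the L4 payload is encrypted."""
    src, dst, proto, _ = parse_ipv4_header(inner_pkt)
    esp = esp_encapsulate(key, spi, seq, inner_pkt[20:], proto)
    return ipv4_header(src, dst, ESP_PROTO, len(esp)) + esp


def carrier_view(pkt: bytes) -> dict:
    """Everything a transit network (SD-WAN carrier / ISP) can read without the key:
    the outer IP header plus the cleartext ESP SPI and sequence number."""
    src, dst, proto, _ = parse_ipv4_header(pkt)
    spi, seq = struct.unpack("!II", pkt[20:28])
    return {"src": src, "dst": dst, "proto": proto, "spi": spi, "seq": seq}


if __name__ == "__main__":
    # Constructed sample: LAN hosts behind two firewalls with documentation-range WAN IPs.
    inner = build_inner_packet("10.1.1.10", "10.2.2.20", b"GET / HTTP/1.1\r\n")
    print("tunnel mode   :", carrier_view(tunnel_mode(KEY, 0x100, 1, "198.51.100.1", "203.0.113.1", inner)))
    print("transport mode:", carrier_view(transport_mode(KEY, 0x101, 1, inner)))
```

Running it shows the carrier's view in both modes: in tunnel mode the outer header carries only the two firewall peer addresses (the prefixes the SD-WAN carrier has to route), while the 10.x host addresses are inside the encrypted ESP payload; in transport mode the outer header is the original host pair, but only the L4 payload is protected. Transport mode therefore only fits traffic the firewall itself originates and terminates; it cannot on its own carry the other site's subnets through a gateway, which is why a gateway-to-gateway L2L VPN uses tunnel mode and the carrier is given the peer addresses rather than the inner subnets.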