Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
571
Views
0
Helpful
5
Replies

main IPSEC vpn sever and several remote clients

Go to solution
francisco.trigo
Level 1
Level 1

‎01-01-2017 08:25 PM - edited ‎02-21-2020 09:06 PM

Hi there!

I'm trying to found the best practice to implement a main VPN IPSEC server site. And connect several routers as client to this main site.

I successfully test a site to site VPN IPSEC using the tunnel concept. But now I want to connect several routers to one that act as my main site.

The main site is the only one that have an assigned hostname. All the remotes will have dynamic IP and are behind a NAT server router so I can't use this address as "tunnel destination".

I must set the remote destination at the main site tunnel-by-tunnel ?

I some practice to let to the remotes "dials" to the main site?

Best Regards

Frank

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Karsten Iwen
VIP
VIP
In response to francisco.trigo

‎01-02-2017 11:49 PM

Right! Is your hub behind a NAT? Then you don't even need ESP (IP/50) in your ACL as that is also encapsulated in UDP/4500.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
francisco.trigo
Level 1
Level 1
In response to Karsten Iwen

‎01-02-2017 04:49 PM

I will start to test!

I must use GRE in this config so i keep testing!

Best Regards!

Frank

0 Helpful

Go to solution
francisco.trigo
Level 1
Level 1
In response to francisco.trigo

‎01-02-2017 05:20 PM

Nat config is 500&4500 UDP rigth?

Thanks!!!!

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to francisco.trigo

‎01-02-2017 11:49 PM

Right! Is your hub behind a NAT? Then you don't even need ESP (IP/50) in your ACL as that is also encapsulated in UDP/4500.

0 Helpful

Go to solution
francisco.trigo
Level 1
Level 1
In response to Karsten Iwen

‎01-03-2017 11:05 AM

Thank you Karsten

For now the tunnel is established and I can ping local and remote tunnels. I'm using as destination from both tunnels the hostname assigned to the public IP address.

I'm using a DDNS client running at the same routers to get the actual Wan address.

If this protocol runs over UDP, it have a keep-alive mechanism to know where the tunnels fails correct? (I'm think in the moment that the public IP change and the hostname do not have the IP address actualized) It's recovery by it self right?

For now i'm trying to decode the template that will the assigned to each new tunnel when the isr-client ask for a new connection to the server.

Best Regards!

Frank

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents