01-01-2017 08:25 PM - edited 02-21-2020 09:06 PM
Hi there!
I'm trying to find the best practice to implement a main VPN IPSEC server site, and to connect several routers as clients to this main site.
I successfully tested a site-to-site VPN IPSEC using the tunnel concept. But now I want to connect several routers to one that acts as my main site.
The main site is the only one that has an assigned hostname. All the remotes will have dynamic IPs and are behind a NAT router, so I can't use their address as "tunnel destination".
Must I set the remote destination at the main site tunnel by tunnel?
Is there some practice to let the remotes "dial in" to the main site?
Best Regards
Frank
01-02-2017 12:17 AM
For scenarios like these you can use DVTIs:
Or if the Spokes need to communicate with each other, you can implement DMVPN:
01-02-2017 04:49 PM
I will start testing!
I must use GRE in this config, so I'll keep testing!
Best Regards!
Frank
01-02-2017 05:20 PM
NAT config is 500 & 4500 UDP, right?
Thanks!!!!
01-02-2017 11:49 PM
Right! Is your hub behind a NAT? Then you don't even need ESP (IP/50) in your ACL, as that is also encapsulated in UDP/4500.
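Karsten's point above, that with NAT-T the ESP traffic arrives inside UDP/4500 next to IKE, can be seen on the wire. The following is an added example, not code from the thread or from Cisco: a small Python classifier that tells the three RFC 3948 payload kinds on UDP/4500 apart (NAT-keepalive, IKE behind the non-ESP marker, UDP-encapsulated ESP). The sample payloads are constructed, not captured from the routers discussed here.

```python
import struct
from collections import Counter
from dataclasses import dataclass
from typing import Optional

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 s2.1: never a valid SPI, marks IKE
NAT_KEEPALIVE = b"\xff"                # RFC 3948 s2.2: one-byte keepalive, no IPsec data
IKE_HEADER_LEN = 28
# IKEv2 exchange types (RFC 7296 s3.1); DPD liveness checks use INFORMATIONAL
IKEV2_EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH",
                   36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}

@dataclass
class Udp4500Packet:
    kind: str                          # nat-keepalive | ike | esp | invalid
    spi: Optional[int] = None          # ESP SPI
    seq: Optional[int] = None          # ESP sequence number
    ike_version: Optional[int] = None  # IKE major version (1 or 2)
    ike_exchange: Optional[str] = None

def classify_udp4500(payload: bytes) -> Udp4500Packet:
    """Classify one UDP/4500 payload as received from a NAT-T peer."""
    if payload == NAT_KEEPALIVE:
        return Udp4500Packet("nat-keepalive")
    if len(payload) < 8:                 # shorter than SPI + sequence number
        return Udp4500Packet("invalid")
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < IKE_HEADER_LEN:
            return Udp4500Packet("invalid")
        # IKE header: SPIi(8) SPIr(8) next(1) version(1) exchange(1) flags(1) msgid(4) len(4)
        version, exchange = ike[17] >> 4, ike[18]
        name = IKEV2_EXCHANGES.get(exchange) if version == 2 else None
        return Udp4500Packet("ike", ike_version=version, ike_exchange=name or f"type-{exchange}")
    spi, seq = struct.unpack("!II", payload[:8])   # ESP header directly after UDP
    return Udp4500Packet("esp", spi=spi, seq=seq)

def count_kinds(payloads) -> Counter:
    """Tally kinds, e.g. to confirm every IPsec packet of a NAT-T peer used UDP/4500."""
    return Counter(classify_udp4500(p).kind for p in payloads)

# Constructed sample payloads (hypothetical, not from any real capture)
def _ike_header(exchange: int, version: int = 2) -> bytes:
    return (b"\x11" * 8 + b"\x00" * 8 + bytes([33, version << 4, exchange, 0x08])
            + struct.pack("!II", 0, IKE_HEADER_LEN))

SAMPLES = [
    NAT_KEEPALIVE,
    NON_ESP_MARKER + _ike_header(34),                   # IKEv2 IKE_SA_INIT
    NON_ESP_MARKER + _ike_header(37),                   # IKEv2 INFORMATIONAL (DPD)
    struct.pack("!II", 0xC0FFEE01, 7) + b"\xab" * 16,   # UDP-encapsulated ESP, SPI/seq
]
```

Running `count_kinds(SAMPLES)` on a capture taken on the hub's outside interface shows whether any ESP still arrives as IP protocol 50 (it would not appear here at all) or everything is carried in UDP/4500 as Karsten describes.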
01-03-2017 11:05 AM
Thank you Karsten
For now the tunnel is established and I can ping the local and remote tunnel ends. I'm using as destination for both tunnels the hostname assigned to the public IP address.
I'm using a DDNS client running on the same routers to get the actual WAN address.
If this protocol runs over UDP, it has a keep-alive mechanism to know when the tunnel fails, correct? (I'm thinking of the moment when the public IP changes and the hostname does not yet have the updated IP address.) It recovers by itself, right?
For now I'm trying to decode the template that will be assigned to each new tunnel when the ISR client asks for a new connection to the server.
Best Regards!
Frank