Multiple IPsec tunnel

theerapongpomp
Level 1

Hi Everyone,


I have a question about using multiple IPsec tunnels.

Below is a simple diagram of what I am thinking of implementing.


1. I have 2 sites connecting over the internet. I want to connect them with IPsec tunnels (not using GRE or VTI tunnels).

2. I peer them with 4 tunnels as shown.

3. I use BGP routing, forming the neighbor over the IPsec tunnel, and I control the BGP metric to make the tunnels redundant.

4. All the IPsec tunnels have the same ACL configured with the same interesting traffic.


My question is: is it possible to do that?

I'm not sure how it works with multiple IPsec tunnels like this.


[Diagram: Capture.PNG]

5 Replies

@theerapongpomp 

What hardware are you implementing this on? ASA, FTD or IOS-XE router?

If you wish to establish a BGP adjacency between peers you'd need to use a tunnel interface (route-based VPN), not a crypto map (policy-based VPN).
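As an added example (not from this thread and not Cisco's own documentation) of the route-based design the reply describes: on an IOS-XE router the IPsec profile is bound to Tunnel interfaces and BGP peers across them, so the interesting-traffic ACL disappears and redundancy comes from BGP path selection rather than from four crypto maps sharing one ACL. All object names, addresses, AS numbers, interface names and the placeholder pre-shared keys are assumptions.

```cisco
crypto ikev2 proposal IKE-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy IKE-POL
 proposal IKE-PROP
crypto ikev2 keyring KR
 peer SITE-B-WAN1
  address 203.0.113.2
  pre-shared-key <PLACEHOLDER-PSK-1>
 peer SITE-B-WAN2
  address 198.51.100.2
  pre-shared-key <PLACEHOLDER-PSK-2>
crypto ikev2 profile IKE-PROF
 match identity remote address 203.0.113.2 255.255.255.255
 match identity remote address 198.51.100.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KR
! IPsec profile is bound to the tunnel interface; no crypto map, no interesting-traffic ACL
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile VTI-PROF
 set transform-set TS
 set ikev2-profile IKE-PROF
! One VTI per path; anything routed into a Tunnel interface is encrypted
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
interface Tunnel1
 ip address 10.255.0.5 255.255.255.252
 tunnel source GigabitEthernet0/1
 tunnel destination 198.51.100.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
! eBGP peers are the far-end tunnel addresses; lower local-preference makes Tunnel1 the backup
route-map BACKUP-IN permit 10
 set local-preference 50
router bgp 65001
 neighbor 10.255.0.2 remote-as 65002
 neighbor 10.255.0.6 remote-as 65002
 address-family ipv4
  network 192.168.1.0 mask 255.255.255.0
  neighbor 10.255.0.2 activate
  neighbor 10.255.0.6 activate
  neighbor 10.255.0.6 route-map BACKUP-IN in
```

The remote site mirrors this with its own tunnel addresses and AS number; when Tunnel0 drops, the BGP session over it times out and traffic follows the remaining Tunnel1 prefix.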

I use Cisco WS-C3650-24TS for SW1 and SW2, and SW3 and SW4 are switches in the cloud.


The C3650 also has a limitation configuring a tunnel interface because I have only the IP Services license. So it seems route-based VPN cannot be used.

IPSec is not supported on 3850

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvc07091/?rfs=iqvred


I suggest you purchase the right hardware for this scenario, either a firewall or a router.

Hi Rob,

Does this also apply to the WS-C3650-24TS? I see the bug mentioned only the 3850.

More than likely yes, I believe the 3850/3650 share the same code. Unfortunately the switches had the syntax to enter a lot of commands the hardware didn't actually support. I've never seen a document or guide from Cisco on using a VPN on a switch, so use a router or a firewall.
