Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1315
Views
0
Helpful
1
Replies

Multiple IPSEC tunnels between 2 end devices

abhishek.batapati
Level 1
Level 1

‎07-15-2016 11:55 AM - edited ‎02-21-2020 08:53 PM

I have a scenario where we need to establish multiple IPSEC tunnels between 2 devices of which One is Cisco ASR(IPSEC initiator).

In the scenario attached, ASR has multiple VRFs and we want to create IPSEC tunnel for each VRF and the other end is the same VIP. Because of this we are considering to use Certificates instead of PSK.

One certificate(Will be using different CN) will be used for each tunnel which will help in identifying which tunnel is from which VRF(Customer).

I'm thinking of VRF aware IPSEC should work in this scenario. But my concern is If ASR public interface does the NATing and what will happen to the Source PORTs(500/4500). I understand when there are multiple flows with same source port, NAT will change the Source PORT number and maintain in its table. Please help me in confirming/'with configs' If this scenario works or there are any better way to do it.

PS: F5 load balancer in our topology can only look into Layer 3 & 4 headers. I have multiple IPSEC terminators and I need load balalncing. So assuming Source PORT will be different for each tunnel initiated from ASR.

1 person had this problem
Labels:
Preview file
10 KB
0 Helpful
1 Reply 1

m.kafka
Level 4
Level 4

‎07-16-2016 05:47 AM

If the NAT occurs on the public interface and the tunnels are originated from the public interface NAT will not occur on the tunnel itself, only on the tunnel passengers.

IPsec (to my knowledge) allows only one ISAKMP/IKEv2 SA between two IPs. I can't think of a solution, having two ISAKMP/IKEv2 SAs in parallel between to IPs. GRE could support that by configuring a tunnel-ID but ISAKMP/IKEv2 doesn't support this.

In my eyes the cleanest solution would be to use VTIs on the ASR and associate each tunnel interface with a vrf. Specify a loopback as a tunnel source so the ISAKMP/IKEv2 SAs have distinctive IPs and use tunnel-mode IPsec with a tunnel protection profile.

Draw-back: you would need at least one additional public address If one of the VTIs uses the public interface IP and the other uses a loopback as a tunnel source.

My 2 cents, hope it helps a little.

Rgds, MiKa

0 Helpful
Customers Also Viewed These Support Documents