cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
1892
Views
0
Helpful
3
Replies
irakli_n
Beginner

Multiple IPSec Tunnels between two endpoints, both of them with single WAN IP - possible?

Here is the question: there are two devices - Cisco 1921 and Cisco 800 series boxes. Both of devices have single WAN IP and multiple internal IPs/VLANs.

Is it possible to establish multiple IPSec tunnels between these two devices and have different traffic encapsulated inside them? As an example:

1921:

WAN IP - 172.16.100.1

Internal IPs/VLANs: 10.97.2.1/24, 10.97.4.1/24

800:

WAN IP - 172.20.15.1

Internal IPs/VLANs: 10.97.102.1/24, 10.97.104.1/24

Requirement is to form two VPN tunnels allowing 10.97.2.0<->10.97.102.0 and 10.97.4.0<->10.97.104.0 traffic inside them.

3 REPLIES 3
Philip D'Ath
Advisor

You can only have one SA (aka VPN), but it can include multiple subnets.

If you were using an an access-list (which you probably are for the crypto domain), it would simply be something like:

access-list 110 permit ip 10.97.2.0 0.0.0.255 10.97.102.0 0.0.0.255
access-list 110 permit ip 10.97.4.0 0.0.0.255 10.97.104.0 0.0.0.255

Aha, that's what I thought regarding SAs. I can include the multiple subnets in the above scenario, but in another deployment - encapsulation of L2TPv3 tunnel inside IPSec - that's problematic.

Last question - to form separate SAs do both endpoints have to have different WAN IPs or just one endpoint with 2 WAN IP is sufficient? 

Each SA must have a unique (source,destination) VPN termination IP address.  So yes, to have separate SA's at least one of the WAN IP addresses must be different.

Create
Recognize Your Peers
Content for Community-Ad