Here is the question: there are two devices, a Cisco 1921 and a Cisco 800 series box. Both devices have a single WAN IP and multiple internal IPs/VLANs.
Is it possible to establish multiple IPsec tunnels between these two devices and have different traffic encapsulated inside them? As an example:
1921:
WAN IP - 172.16.100.1
Internal IPs/VLANs: 10.97.2.1/24, 10.97.4.1/24
800:
WAN IP - 172.20.15.1
Internal IPs/VLANs: 10.97.102.1/24, 10.97.104.1/24
The requirement is to form two VPN tunnels carrying 10.97.2.0<->10.97.102.0 and 10.97.4.0<->10.97.104.0 traffic inside them.
You can only have one SA (aka VPN), but it can include multiple subnets.
If you were using an access-list (which you probably are for the crypto domain), it would simply be something like:
access-list 110 permit ip 10.97.2.0 0.0.0.255 10.97.102.0 0.0.0.255
access-list 110 permit ip 10.97.4.0 0.0.0.255 10.97.104.0 0.0.0.255
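As an added illustration (not part of the answer above), here is how that two-entry crypto ACL sits inside a complete crypto map on both boxes, using the WAN addresses from the question. Policy/transform-set/crypto-map names, the WAN interface names and masks, and the pre-shared key are assumed placeholders; the one thing that is not optional is that the 800's ACL is the exact mirror image of the 1921's, otherwise phase 2 fails for the non-matching pair.

```cisco
! ---- 1921 side (assumed names; replace the PSK placeholder) ----
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-PSK address 172.20.15.1
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Crypto domain: both subnet pairs in one ACL, so both ride the tunnel to the one peer
access-list 110 permit ip 10.97.2.0 0.0.0.255 10.97.102.0 0.0.0.255
access-list 110 permit ip 10.97.4.0 0.0.0.255 10.97.104.0 0.0.0.255
!
crypto map CM-TO-800 10 ipsec-isakmp
 set peer 172.20.15.1
 set transform-set TS-AES
 match address 110
!
! WAN interface name and mask are assumptions for this example
interface GigabitEthernet0/0
 ip address 172.16.100.1 255.255.255.0
 crypto map CM-TO-800
! If this interface also does NAT overload, the 10.97.x.0 <-> 10.97.10x.0 traffic
! must be exempted from NAT (not shown) or it will never match the crypto ACL.

! ---- 800 side: ACL is the mirror image, source and destination swapped ----
crypto isakmp key PLACEHOLDER-PSK address 172.16.100.1
access-list 110 permit ip 10.97.102.0 0.0.0.255 10.97.2.0 0.0.0.255
access-list 110 permit ip 10.97.104.0 0.0.0.255 10.97.4.0 0.0.0.255
crypto map CM-TO-1921 10 ipsec-isakmp
 set peer 172.16.100.1
 set transform-set TS-AES
 match address 110
```

After bringing the tunnel up, `show crypto ipsec sa` on either side lists each ACL entry as its own local/remote identity pair under the same peer, which is how you confirm both subnet pairs are actually being protected.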
Aha, that's what I thought regarding SAs. I can include the multiple subnets in the above scenario, but in another deployment - encapsulation of L2TPv3 tunnel inside IPSec - that's problematic.
Last question: to form separate SAs, do both endpoints have to have different WAN IPs, or is just one endpoint with 2 WAN IPs sufficient?
Each SA must have a unique (source, destination) VPN termination IP address pair. So yes, to have separate SAs at least one of the WAN IP addresses must be different.