06-06-2016 01:15 AM - edited 02-21-2020 08:50 PM
Here is the question: there are two devices - Cisco 1921 and Cisco 800 series boxes. Both of devices have single WAN IP and multiple internal IPs/VLANs.
Is it possible to establish multiple IPSec tunnels between these two devices and have different traffic encapsulated inside them? As an example:
1921:
WAN IP - 172.16.100.1
Internal IPs/VLANs: 10.97.2.1/24, 10.97.4.1/24
800:
WAN IP - 172.20.15.1
Internal IPs/VLANs: 10.97.102.1/24, 10.97.104.1/24
Requirement is to form two VPN tunnels allowing 10.97.2.0<->10.97.102.0 and 10.97.4.0<->10.97.104.0 traffic inside them.
06-06-2016 01:51 AM
You can only have one SA (aka VPN), but it can include multiple subnets.
If you were using an an access-list (which you probably are for the crypto domain), it would simply be something like:
access-list 110 permit ip 10.97.2.0 0.0.0.255 10.97.102.0 0.0.0.255
access-list 110 permit ip 10.97.4.0 0.0.0.255 10.97.104.0 0.0.0.255
06-06-2016 02:41 AM
Aha, that's what I thought regarding SAs. I can include the multiple subnets in the above scenario, but in another deployment - encapsulation of L2TPv3 tunnel inside IPSec - that's problematic.
Last question - to form separate SAs do both endpoints have to have different WAN IPs or just one endpoint with 2 WAN IP is sufficient?
06-06-2016 01:52 PM
Each SA must have a unique (source,destination) VPN termination IP address. So yes, to have separate SA's at least one of the WAN IP addresses must be different.
 
					
				
				
			
		
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide