04-23-2013 03:52 PM - edited 02-21-2020 06:50 PM
Hi.
I have a question that I have been googling a bit, but I can't seem to find the answer to, and it may well be that it's not possible.
Let's say that I have a remote site with two networks, in this example called Vlan 10 and Vlan 20. I also have a central site with a server network. These two sites are connected together over an IPSec tunnel using a router (let's say a 2900) at each site. Between the router at the central site and the server network a firewall (let's say an ASA device) is placed.
Now, what I would like to accomplish is that the two networks at the remote site should be separated until they reach the firewall in the central site. That's not really the problem, as this can be solved using ACLs in the routers, but is it possible to let the two networks "meet" in the firewall at the central site rather than in the router at the remote site (R2)? The point would be that you only have to maintain the firewall rules/ACLs in the firewall in the central site rather than at both the firewall and at each router at each remote site.
Best regards,
Johan Christensson
04-23-2013 05:58 PM
Hi,
I'd imagine it could for example be done by separating the 2 Vlan networks to their own VRFs on the local router. Then they would have their own routing tables and wouldn't be visible to each other on the actual router.
Though in that case I think you would probably run into problems building the L2L VPN connection between the sites.
I kinda wonder if you could perhaps use IPsec L2L VPN and GRE and the VRFs on the router to achieve this. So that all traffic would first be routed from Vlan10 to the server site and then routed back to the Vlan20. The GRE would naturally require a separate router behind the ASA also, as ASA can't do GRE.
Naturally, if this setup is possible it would also consume extra bandwidth when you see how the traffic would be flowing between the local Vlans.
I have not configured such a setup. Maybe I will test it at some point just out of interest.
But I would imagine the first step to even make it possible for these 2 Vlans to use the L2L VPN to communicate with each other would be to separate their routing tables to their own VRFs. How the connection from the Remote Site to the Server Site would be implemented would be a totally different matter. But I would imagine that it could include GRE + Dynamic routing. But as I said, this would require a router behind the ASA also.
The above was the only thing that came to my mind. I might actually have the needed devices at home to simulate/lab this setup but don't know when/if I will try this out.
- Jouni
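To make the VRF-plus-GRE idea in the answer above concrete, here is an added configuration sketch; it is not from the thread and not a Cisco sample. It covers the remote router R2, a hub router R3 placed behind the ASA, and the ASA routes. Every address, VRF name, interface number, VLAN ID and tunnel key is constructed. It assumes the existing R1/R2 L2L IPsec tunnel carries the GRE packets (so the R1/R2 crypto ACL must match GRE between 192.0.2.2 and 203.0.113.3), that the ASA permits that GRE flow toward R3, and it uses static routes where Jouni suggests dynamic routing, purely to keep it short.

```cisco
! ===== R2 (remote site): VRF-lite keeps Vlan10 and Vlan20 in separate
! ===== routing tables, each with its own GRE tunnel to the hub router R3.
ip vrf VLAN10
 rd 65000:10
ip vrf VLAN20
 rd 65000:20
!
interface GigabitEthernet0/0
 description WAN uplink (global table; existing L2L IPsec to R1 assumed)
 ip address 192.0.2.2 255.255.255.0
!
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip vrf forwarding VLAN10
 ip address 10.10.0.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip vrf forwarding VLAN20
 ip address 10.20.0.1 255.255.255.0
!
! Both tunnels use the same endpoints; distinct GRE keys keep them apart.
interface Tunnel10
 ip vrf forwarding VLAN10
 ip address 172.16.10.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.3
 tunnel key 10
!
interface Tunnel20
 ip vrf forwarding VLAN20
 ip address 172.16.20.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.3
 tunnel key 20
!
ip route 0.0.0.0 0.0.0.0 192.0.2.1
! Each VRF only knows its own tunnel, so Vlan10 -> Vlan20 is never routed locally.
ip route vrf VLAN10 0.0.0.0 0.0.0.0 Tunnel10
ip route vrf VLAN20 0.0.0.0 0.0.0.0 Tunnel20

! ===== R3 (central site, behind the ASA): terminates each tunnel in its own
! ===== VRF and hands each VRF to the ASA on a separate VLAN, so the two
! ===== networks only meet inside the ASA policy.
ip vrf VLAN10
 rd 65000:10
ip vrf VLAN20
 rd 65000:20
!
interface GigabitEthernet0/0
 description Underlay toward ASA (GRE endpoint, global table)
 ip address 203.0.113.3 255.255.255.0
!
interface Tunnel10
 ip vrf forwarding VLAN10
 ip address 172.16.10.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.2
 tunnel key 10
!
interface Tunnel20
 ip vrf forwarding VLAN20
 ip address 172.16.20.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.2
 tunnel key 20
!
interface GigabitEthernet0/1.110
 description VLAN10 hand-off to ASA
 encapsulation dot1Q 110
 ip vrf forwarding VLAN10
 ip address 10.110.0.2 255.255.255.0
!
interface GigabitEthernet0/1.120
 description VLAN20 hand-off to ASA
 encapsulation dot1Q 120
 ip vrf forwarding VLAN20
 ip address 10.120.0.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route vrf VLAN10 10.10.0.0 255.255.255.0 Tunnel10
ip route vrf VLAN10 0.0.0.0 0.0.0.0 10.110.0.1
ip route vrf VLAN20 10.20.0.0 255.255.255.0 Tunnel20
ip route vrf VLAN20 0.0.0.0 0.0.0.0 10.120.0.1

! ===== ASA: routes to the remote VLANs point at the per-VRF hand-offs, so
! ===== every Vlan10 <-> Vlan20 or Vlan <-> server flow crosses an ASA ACL.
route vlan10-side 10.10.0.0 255.255.255.0 10.110.0.2
route vlan20-side 10.20.0.0 255.255.255.0 10.120.0.2
! Also permit GRE (IP protocol 47) between 192.0.2.2 and 203.0.113.3 on the
! interface facing R1; without it the tunnels never come up.
```

With this in place a host in Vlan10 talking to Vlan20 takes the path R2 (VRF VLAN10) -> Tunnel10 -> R3 -> ASA -> R3 (VRF VLAN20) -> Tunnel20 -> R2, which is the extra WAN round trip Jouni warns about, but the only place a permit or deny decision is made is the ASA. Useful checks: `show ip route vrf VLAN10` on R2 should list only the connected VLAN and the default via Tunnel10, and `show interfaces tunnel 10` should be up/up on both routers. Because GRE adds 24 bytes on top of the IPsec overhead, setting `ip mtu 1400` and `ip tcp adjust-mss 1360` on the tunnel interfaces avoids fragmentation problems for TCP sessions through the tunnels.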