Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
389
Views
5
Helpful
2
Replies

VPN Specific Routing

Go to solution
KyleMPDI
Level 1
Level 1

‎09-08-2021 02:20 AM

Hi All,

 

I work for an MSP, where we host virtual environments for customers, and each customer is hosted behind a dedicated virtual ASA, which we then build IPSEC tunnels from whatever device they have in their office, to the ASAv in our data center. 

 

One customer wanted the VPN to their corp office to use 0.0.0.0/0 as the remote subnet. So our side of the tunnel is 192.168.1.0/24 and their side is 0.0.0.0/0. Yes, this has caused all the problems you can imagine it would. They would now like us to add a second tunnel to a different endpoint, and terminates to a specific network, 10.1.1.0/24. 

 

Is there a way to set this up without changing the first tunnel to be specified networks? Is there a way to put in route statements, or prioritize which tunnel gets used first? I've had the discussion with the customer many times about terminating to 0.0.0.0/0 everytime they complain that something doesn't work from a network or internet perspective, but they still refuse to name networks on the first tunnel, because they don't want to have to change the tunnel any time the spin up a new network or remote site on their side. 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎09-08-2021 02:32 AM

@KyleMPDI 

The lower the sequence number, the higher the priority - so ensure the second tunnel has a lower sequence number than the original tunnel (0.0.0.0/0), then traffic will only be routed over the original tunnel if it doesn't match any of the other sequence numbers with a better priority.

 

 

View solution in original post

2 Replies 2

Go to solution
Rob Ingram
VIP
VIP

‎09-08-2021 02:32 AM

@KyleMPDI 

The lower the sequence number, the higher the priority - so ensure the second tunnel has a lower sequence number than the original tunnel (0.0.0.0/0), then traffic will only be routed over the original tunnel if it doesn't match any of the other sequence numbers with a better priority.

 

 

Go to solution
KyleMPDI
Level 1
Level 1

‎09-08-2021 02:50 AM

That was what I was suspecting. We will give it a try, thank you very much!

0 Helpful
Customers Also Viewed These Support Documents