IPsec tunnel interface on the same WAN interface with remote address 0.0.0.0

Hello,

Is there a way to configure a VPN tunnel interface scenario using the same WAN interface to receive the connections from remote sites?

In this case I have only one internet link at site A, with a fixed IP, and several remote branches with internet links that have dynamic IPs, so I would like to use SD in the branches to control VPN traffic based on criteria defined in the SD-WAN profile (latency, jitter).

However, I came across the following problem: do I need only one tunnel interface at site A to receive the connections from all branches, or do I need one tunnel for each branch? As the remote IPs are dynamic, I cannot set them in the site A tunnel, and as I have only one internet link at the head office, I cannot create more than one tunnel, as it conflicts with the existing tunnel!

Using only one tunnel at site A, when the primary VPN at the remote branch goes down, the tunnel interface at site A goes into "down" mode, and this drops communication.



Edited TAGs
[edited by: Erick Jan at 12:38 AM (GMT -7) on 22 Apr 2024]
  • Short answer: you need a tunnel for each branch connecting to site A. In older firmware versions you need to have the same PSK if you use * as the peer IP address; in newer versions you can still configure different PSKs for different sites.

    As for the multiple connections coming from the same site (ISP1, ISP2), you can use SD-WAN rules in the branch offices to select either ISP1 or ISP2. At site A I think you could still get away with just one tunnel for each branch office, although if these branch offices had two fixed IPs you would need two tunnels, one for each fixed IP.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
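The hub-and-spoke layout the answer describes (one hub-side tunnel per branch, all terminating on the single fixed WAN IP, with a wildcard peer address because the branch IPs are dynamic) is shown below as an added example in strongSwan swanctl.conf syntax. It is not Sophos configuration and is not taken from the thread; it illustrates the same IKEv2 semantics that a Sophos tunnel with peer * relies on. The addresses, subnets, identities and PSKs are constructed. One caveat worth knowing: the "same PSK for every * peer" limitation the answer mentions for older firmware is a property of IKEv1 main mode, where the peer's identity is sent encrypted with keys already derived from the PSK, so the responder can only pick a PSK by source IP. In IKEv2 the initiator's identity (IDi) arrives in IKE_AUTH, encrypted with keys derived from the Diffie-Hellman exchange alone, so the hub can map each identity to its own PSK, which is what the example does.

```conf
# --- Hub (site A) swanctl.conf, constructed example -----------------------
# One connection block per branch. All share the same local WAN address and
# remote_addrs = %any; the branch is identified by the IKE ID it presents,
# which selects both the connection and the PSK in the secrets section.
connections {
    branch1 {
        local_addrs  = 203.0.113.10        # site A fixed WAN IP (constructed)
        remote_addrs = %any                # branch 1 WAN IP is dynamic
        version      = 2                   # IKEv2: per-identity PSK works
        local  { auth = psk  id = hub@sitea.example }
        remote { auth = psk  id = branch1@example }
        children {
            branch1-lan {
                local_ts     = 10.0.0.0/24     # hub LAN (constructed)
                remote_ts    = 10.1.0.0/24     # branch 1 LAN (constructed)
                start_action = none        # hub cannot dial a dynamic IP; it waits
                dpd_action   = clear       # tear down state when the branch vanishes
            }
        }
        dpd_delay = 30s
    }
    branch2 {
        local_addrs  = 203.0.113.10        # same WAN IP, second tunnel
        remote_addrs = %any
        version      = 2
        local  { auth = psk  id = hub@sitea.example }
        remote { auth = psk  id = branch2@example }
        children {
            branch2-lan {
                local_ts     = 10.0.0.0/24
                remote_ts    = 10.2.0.0/24     # branch 2 LAN (constructed)
                start_action = none
                dpd_action   = clear
            }
        }
        dpd_delay = 30s
    }
}

secrets {
    # Distinct PSK per branch identity; the hub looks the secret up by IDi.
    ike-branch1 { id = branch1@example  secret = "branch1-constructed-psk" }
    ike-branch2 { id = branch2@example  secret = "branch2-constructed-psk" }
}

# --- Branch 1 swanctl.conf, constructed example ---------------------------
# The branch always initiates. local_addrs = %any lets the SA come up from
# whichever ISP the branch's routing (SD-WAN policy) currently prefers.
connections {
    to-hub {
        local_addrs  = %any                # dynamic IP from ISP1 or ISP2
        remote_addrs = 203.0.113.10        # hub fixed WAN IP
        version      = 2
        mobike       = yes                 # keep the IKE SA when the source IP changes
        local  { auth = psk  id = branch1@example }
        remote { auth = psk  id = hub@sitea.example }
        children {
            lan {
                local_ts     = 10.1.0.0/24
                remote_ts    = 10.0.0.0/24
                start_action = start       # bring the tunnel up at daemon start
                dpd_action   = restart     # re-dial the hub after an ISP outage
            }
        }
        dpd_delay   = 30s
        keyingtries = 0                    # retry indefinitely
    }
}

secrets {
    ike-hub { id = branch1@example  secret = "branch1-constructed-psk" }
}
```

Design notes: the hub never initiates (start_action = none) because it has no address to dial, which is also why the hub-side tunnel shows as down until the branch connects; the branch-side dpd_action = restart plus keyingtries = 0 is what re-establishes the tunnel after the branch's primary ISP fails, and with MOBIKE enabled a failover to the second ISP address updates the existing IKE SA instead of requiring a fresh one. Adding a third branch is one more connection block and one more ike-* secret on the hub; nothing about the single WAN IP limits the number of peers.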