Routed Based IPsec Tunnel Interfaces

Hi,

I can see a few changes on site to site tunnel-based VPN. I was quite happy to see that IPsec can itself inject routes directly even on tunnel mode when local and remote subnets are defined. I would be very much happy if there were ways to define route weights keeping both the tunnel on active state, it would solve most of the IPsec failover/fallback issues that I currently face with most of the deployments having multiple links. We have a way around configuring tunnel interface, have IP configured on it and run routing protocol on top of it but that is just a long process and really hard when we have multi vendors devices at the customer end and most of the time customer doesn't want to go through that path also.

Any better ways to do IPsec tunnel failovers/fallback/load-balancing coming on v19, should be something on base license?

Regards,

Rupesh

0 LuCar Toni over 2 years ago

What about SD-WAN PBR? Could they solve your points with the SD-WAN monitoring of V19?

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 roopeess over 2 years ago in reply to LuCar Toni

SD-WAN PBR won't even recognize the tunnel interface as a routable interface.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 LuCar Toni over 2 years ago in reply to roopeess

Because you need to create a Gateway for this Interface. Then you can use the VTI for PBR.

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 roopeess over 2 years ago in reply to LuCar Toni

Not possible until we change VPN settings with any as local and remote subnet and IP are defined on XFRM interface. Without IP address, we don't even get the interface listed while creating the custom gateway.

As I understand once local and remote subnets are applied on IPsec, it does inject the route on routing table and all I want was to keep distance for those routes if possible or way to put VPN active/connected every time and route traffic as decided by routing table or defined weight.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 LuCar Toni over 2 years ago in reply to roopeess

Basically there are two different constructs of IPsec:

Route based and Policy based.
Policy Based means, the IPsec tunnel will be build based on the remote/local networks. The SAs are build based on that.

Route based uses (generally speaking) ANY and build a VTI (XFRM interface).

If you migrate from V18.5 to V19.0 there is a issue with the migration of the existing tunnel. Sometimes you have to "reenter" ANY into the local / remote subnets in Route based VPN.

In V19.0 you can specify the local/remote subnets in a route based Tunnel, if you want, but you dont have to.

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Alok over 2 years ago in reply to roopeess

with v19 we have two options in RBVPN

a. Vanilla RBVPN (prior to v19 version)

b. Additional RBVPN with traffic selectors option (from v19), which takes care of Auto route insertion. One cannot user this IPsec tunnel in SD-WAN as it’s a different way of routing.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 roopeess over 2 years ago in reply to Alok

Was just hoping if there could be something to change weights on the routes.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel