IPsec Tunnel Discussion


(Ronie S) #1

Dear All,

I do hope you are all doing well. I have something on my mind which I would like to discuss with you all. Please kindly bear with me for a while.

 

I would like to NAT the traffic from site1 to 1.1.1.3/32 before it is transferred into the IPsec tunnel, so that site 2 isn’t aware of the networks behind site1.

I would also like to know if it is possible to source the tunnel from 1.1.1.3, which is not assigned to any interface on the site1 router.

Best Regards,

Ronnie


(Rene Molenaar) #2

Hi Ronnie,

Technically it might be possible but I wouldn’t recommend doing this. Maybe you can use it to ‘hide’ the IP addresses of site1 but by adding NAT you might run into other issues.

When you specify a tunnel source, it should be an IP address that is used on an interface.

Rene


(Ronie S) #3

Hi Rene,

Thank you for your quick response. What happens if I have a range of public IP addresses (1.1.1.0/24) where I am only assigning one IP address (1.1.1.2/24) to the WAN interface? Let’s say I would like to set up 5 tunnels. Do I need to source all 5 tunnels from a single WAN IP? Or do I need to have 5 loopback interfaces?

BTW, how many tunnels (IPsec) can I set up on one public IP?

I might be asking a silly question :) But I really would like to know.

 

Best Regards,

Ronnie


(Rene Molenaar) #4

Hi Ronnie,

If you use GRE tunnels then you can have only one tunnel with the same source/destination. I think you can get around this by using tunnel keys though. I think it’s also possible to assign a secondary IP address to your WAN interface and use that. You can’t assign an IP address from your WAN interface on a loopback since it’s the same subnet.

When you use IPsec, an IKE security association is established between a source/destination. You could establish another one using different addresses if you want but it’s not a common thing to do.

Rene


(Ronie S) #5

Hi Rene,

You are right that we can’t assign IP addresses in the same subnet to two interfaces on the router. I overlooked this.

BTW, I have done the lab as attached, where I am NATting the traffic from Site A before it is passed via the tunnels to Site B & C.

Is it very common to have multiple tunnels on one public IP address?

Ronnie

 


(Rene Molenaar) #6

Hi Ronnie,

Good to hear you got it working, just keep in mind that translating LAN-to-LAN traffic doesn’t sound like a good idea :)

Having multiple tunnels on one interface is common, yes. A good example is a network where you have one main office and multiple branch offices. On the router at the main office you will have multiple tunnels to each branch office and you can use the same public IP address for this.

Rene
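
The setup discussed in this thread (NAT at Site A before traffic enters IPsec tunnels to Site B and Site C, with both tunnels sharing the one WAN address 1.1.1.2), sketched as a Cisco IOS crypto-map configuration. This is an added example, not the lab attached in post #5 and not Rene's configuration; the LAN subnets, the peer addresses 2.2.2.2 and 3.3.3.3, the interface names, the object names and the key placeholders are all assumptions.

```cisco
! Constructed addressing: Site A LAN 192.168.1.0/24, Site B LAN 192.168.2.0/24,
! Site C LAN 192.168.3.0/24. Only 1.1.1.2/24 and 1.1.1.3 come from the thread.
!
! 1. Hide Site A's LAN behind 1.1.1.3, but only for traffic to the remote sites.
ip access-list extended NAT-TO-REMOTE
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
ip nat pool HIDE-SITEA 1.1.1.3 1.1.1.3 prefix-length 24
ip nat inside source list NAT-TO-REMOTE pool HIDE-SITEA overload
!
! 2. Interesting traffic is defined on the translated source, one ACL per peer.
ip access-list extended VPN-SITEB
 permit ip host 1.1.1.3 192.168.2.0 0.0.0.255
ip access-list extended VPN-SITEC
 permit ip host 1.1.1.3 192.168.3.0 0.0.0.255
!
! 3. IKE phase 1 policy and one pre-shared key per peer (placeholders).
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PSK_SITEB_PLACEHOLDER address 2.2.2.2
crypto isakmp key PSK_SITEC_PLACEHOLDER address 3.3.3.3
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! 4. One crypto map, one sequence number per tunnel, same WAN interface.
crypto map VPN 10 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set TS
 match address VPN-SITEB
crypto map VPN 20 ipsec-isakmp
 set peer 3.3.3.3
 set transform-set TS
 match address VPN-SITEC
!
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/1
 ip address 1.1.1.2 255.255.255.0
 ip nat outside
 crypto map VPN
```

On IOS, inside-to-outside NAT is applied before the crypto map check, which is why the crypto ACLs match the translated address 1.1.1.3 rather than 192.168.1.0/24. Both tunnels are still sourced from the interface address 1.1.1.2; 1.1.1.3 only appears inside the tunnel as the translated host.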