
Route Based IPsec Tunnel Interfaces

Hi,

I can see a few changes on site-to-site tunnel-based VPN. I was quite happy to see that IPsec can itself inject routes directly, even in tunnel mode, when local and remote subnets are defined. I would be very happy if there were a way to define route weights while keeping both tunnels in an active state; it would solve most of the IPsec failover/fallback issues that I currently face with deployments having multiple links. We have a workaround (configure a tunnel interface, put an IP on it and run a routing protocol on top of it), but that is a long process and really hard when we have multi-vendor devices at the customer end, and most of the time the customer doesn't want to go down that path either.

Are any better ways to do IPsec tunnel failover/fallback/load-balancing coming in v19? It should be something on the base license.

Regards,

Rupesh

  • Not possible until we change the VPN settings to Any as local and remote subnet, and an IP is defined on the XFRM interface. Without an IP address, we don't even get the interface listed while creating the custom gateway.

    As I understand it, once local and remote subnets are applied on IPsec, it does inject the route into the routing table, and all I want is to keep a distance on those routes if possible, or a way to keep the VPN active/connected all the time and route traffic as decided by the routing table or a defined weight.

  • Basically there are two different constructs of IPsec:

    Route based and Policy based.
    Policy based means the IPsec tunnel will be built based on the remote/local networks. The SAs are built based on that.

    Route based uses (generally speaking) ANY and builds a VTI (XFRM interface).

    If you migrate from V18.5 to V19.0 there is an issue with the migration of the existing tunnel. Sometimes you have to "reenter" ANY into the local/remote subnets in route based VPN.

    In V19.0 you can specify the local/remote subnets in a route based tunnel if you want, but you don't have to.


  • With v19 we have two options in RBVPN:

    a. Vanilla RBVPN (prior to v19)

    b. Additional RBVPN with the traffic selectors option (from v19), which takes care of auto route insertion. One cannot use this IPsec tunnel in SD-WAN as it's a different way of routing.
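    The two constructs described in the replies above (a policy-based child keyed to specific subnets, and a route-based ANY tunnel bound to an XFRM interface whose routes carry their own metric), written out as an added strongSwan swanctl.conf example; this is not Sophos Firewall configuration or anything posted in the thread. Addresses, if_id values, the ipsec0/ipsec1 names and the use of PSK are assumed, and the secrets section and the peer's mirror configuration are omitted.

```conf
# Added example (not from the thread or Sophos): strongSwan swanctl.conf; addresses/if_ids assumed.
connections {
    # Policy-based: SAs are built from the traffic selectors; only 10.1.0.0/24 <-> 10.2.0.0/24 is carried.
    siteb-policy {
        local_addrs  = 198.51.100.1
        remote_addrs = 203.0.113.1
        local {
            auth = psk
        }
        remote {
            auth = psk
        }
        children {
            lan {
                local_ts  = 10.1.0.0/24
                remote_ts = 10.2.0.0/24
                start_action = start
            }
        }
    }
    # Route-based: selectors are ANY and the SA is bound to XFRM
    # interface id 42; the routing table decides what enters the tunnel.
    siteb-route-a {
        local_addrs  = 198.51.100.1
        remote_addrs = 203.0.113.1
        if_id_in  = 42
        if_id_out = 42
        dpd_delay = 30
        local {
            auth = psk
        }
        remote {
            auth = psk
        }
        children {
            any {
                local_ts  = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                start_action = start
            }
        }
    }
    # Second route-based tunnel over the other WAN link: same block, with
    # its own local_addrs and if_id_in/if_id_out = 43.
}
# Host side (as root), with charon.install_routes = no in strongswan.conf
# so only these explicit routes apply. Both tunnels stay established and
# the metric alone decides which one carries 10.2.0.0/24:
#   ip link add ipsec0 type xfrm dev eth0 if_id 42 && ip link set ipsec0 up
#   ip link add ipsec1 type xfrm dev eth1 if_id 43 && ip link set ipsec1 up
#   ip route add 10.2.0.0/24 dev ipsec0 metric 10   # preferred path
#   ip route add 10.2.0.0/24 dev ipsec1 metric 20   # fallback path
```

    An XFRM interface stays up even after its SA is gone, so the metric by itself does not notice a dead peer; DPD combined with a route health check or a routing protocol is still needed for automatic failover, which is exactly the gap the thread is asking about.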

  • Was just hoping there could be something to change the weights on the routes.