Can I bind one VTI interface to multiple ipsec peers?

blason16 · May 28, 2024, 9:18am

Hi Team,

Can someone pleae confirm if below configuration is valid? I have vyos with two ISP links and I going to configure 3 IPsec peers. Lets say mine is HO

HO Vyos
ISP 1 - 1.1.1.1
ISP2 - 2.2.2.2
vti1 - 169.254.1.1 (ISP1)
vti2 - 169.254.2.1 (ISP2)

At spoke level site 1

Spoke vyos
ISP1 - 3.3.3.3
ISP2 - 4.4.4.4
vti1 - 169.254.1.2 (ISP1)
vti2 - 169.254.2.2 (ISP2)

Spoke 2

ISP1 - 5.5.5.5
ISP2 - 6.6.6.6
vti1 - 169.254.1.3 (ISP1)
vti2 - 169.254.2.3 (ISP2)

Now tunnels are configured between HO → Spoke 1 and HO → Spoke 2 with BPG peering
Can I configure something like this?

169.254.1.1 > 169.254.1.2
169.254.1.1 > 169.254.1.3

169.254.2.1 > 169.254.2.2
169.254.2.1 > 169.254.2.3

I.e. on HO

set vpn ipsec site-to-site peer 3.3.3.3 vti bind 'vti1'
set vpn ipsec site-to-site peer 5.5.5.5 vti bind 'vti1'
set vpn ipsec site-to-site peer 4.4.4.4 vti bind 'vti2'
set vpn ipsec site-to-site peer 6.6.6.6 vti bind 'vti2'