VPN with 2 remote subnet prefixes

vpn
vti

#1

Is it possible to configure a VPN tunnel with 2 remote subnet prefixes?

What is the syntax? Or should I just leave it all 0.0.0.0/24?


#2

That depends heavily on which devices you are using. E.g. Cisco ASA uses policy-based tunneling, so you need to establish several tunnels, one for each network. Some devices support multiple networks.

I prefer to use tunnel interfaces and route-based IPsec VPN tunnels. That gives me better flexibility. Basically you establish the connection between networks using the 0.0.0.0/0 network and route traffic towards the tunnel interface. That way you can make routing changes without losing the connection.

Now, some will say that it is not a secure solution because using networks in Phase 2 makes it more secure. Prefixes were used a long time ago when VPN tunnels were established between routers which did not have a firewall on them. So it made sense to restrict communication to only certain networks. At the moment most IPsec tunnels are established between two routers which have firewall functionality (at least at some level) or between firewalls. So, why not establish a simple tunnel which encrypts traffic and limit networks based on routing and firewall rules?

Unfortunately I did not find a guideline on how to set up a VTI tunnel, and the only document which I had is from the Vyatta period.


#3

VTI mode tunnel is easy to set up... if you already have a classic IPsec tunnel.
First, you need the interface:
set interfaces vti vti0 address '10.255.255.1/30'

and the peer definition goes like:
set vpn ipsec site-to-site peer authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer authentication pre-shared-secret JustGuess01
set vpn ipsec site-to-site peer connection-type 'initiate'
set vpn ipsec site-to-site peer ike-group 'IG001'
set vpn ipsec site-to-site peer ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer local-address
set vpn ipsec site-to-site peer vti bind 'vti0'
set vpn ipsec site-to-site peer vti esp-group 'TS001'
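A fuller route-based configuration for the two-remote-prefix case in the original question, added here as an illustration and not taken from any post in this thread. It follows the approach from #2 and the command style from #3: the tunnel itself carries 0.0.0.0/0 selectors via the VTI binding, each remote prefix gets its own route to vti0, and a firewall rule set on vti0 takes over the job the Phase 2 prefixes used to do. The addresses (203.0.113.1 and 203.0.113.2 as peer addresses, 192.168.10.0/24 on side A, 192.168.20.0/24 and 192.168.30.0/24 on side B) and the rule-set name VTI-IN are made up for the example; the group names IG001 and TS001 come from #3; the `interface-route` and `firewall name` forms are the VyOS 1.2/1.3 syntax that matches the commands in #3 and are assumed to apply to that release.

```vyos
# ---- Side A (public 203.0.113.1), local LAN 192.168.10.0/24 -- constructed example values ----
configure
# Phase 1 / Phase 2 groups; identical on both sides
set vpn ipsec ike-group IG001 key-exchange 'ikev2'
set vpn ipsec ike-group IG001 lifetime '28800'
set vpn ipsec ike-group IG001 proposal 1 dh-group '14'
set vpn ipsec ike-group IG001 proposal 1 encryption 'aes256'
set vpn ipsec ike-group IG001 proposal 1 hash 'sha256'
set vpn ipsec esp-group TS001 mode 'tunnel'
set vpn ipsec esp-group TS001 pfs 'dh-group14'
set vpn ipsec esp-group TS001 lifetime '3600'
set vpn ipsec esp-group TS001 proposal 1 encryption 'aes256'
set vpn ipsec esp-group TS001 proposal 1 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth0'
# Tunnel interface; the /30 only carries the point-to-point addressing
set interfaces vti vti0 address '10.255.255.1/30'
set interfaces vti vti0 description 'to-site-B'
# Peer: no local/remote prefixes here, the VTI binding gives 0.0.0.0/0 selectors
set vpn ipsec site-to-site peer 203.0.113.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 203.0.113.2 authentication pre-shared-secret 'REPLACE-WITH-A-LONG-RANDOM-PSK'
set vpn ipsec site-to-site peer 203.0.113.2 connection-type 'initiate'
set vpn ipsec site-to-site peer 203.0.113.2 ike-group 'IG001'
set vpn ipsec site-to-site peer 203.0.113.2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 203.0.113.2 local-address '203.0.113.1'
set vpn ipsec site-to-site peer 203.0.113.2 vti bind 'vti0'
set vpn ipsec site-to-site peer 203.0.113.2 vti esp-group 'TS001'
# Two remote prefixes: one interface route each, both pointing at vti0
set protocols static interface-route 192.168.20.0/24 next-hop-interface vti0
set protocols static interface-route 192.168.30.0/24 next-hop-interface vti0
# Firewall on the VTI limits what may arrive through the tunnel
set firewall name VTI-IN default-action 'drop'
set firewall name VTI-IN rule 10 action 'accept'
set firewall name VTI-IN rule 10 source address '192.168.20.0/24'
set firewall name VTI-IN rule 10 destination address '192.168.10.0/24'
set firewall name VTI-IN rule 20 action 'accept'
set firewall name VTI-IN rule 20 source address '192.168.30.0/24'
set firewall name VTI-IN rule 20 destination address '192.168.10.0/24'
set interfaces vti vti0 firewall in name 'VTI-IN'
commit
save

# ---- Side B (public 203.0.113.2), local LANs 192.168.20.0/24 and 192.168.30.0/24 ----
# Same IG001 / TS001 / ipsec-interfaces lines as above, then the mirror image:
configure
set interfaces vti vti0 address '10.255.255.2/30'
set interfaces vti vti0 description 'to-site-A'
set vpn ipsec site-to-site peer 203.0.113.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 203.0.113.1 authentication pre-shared-secret 'REPLACE-WITH-A-LONG-RANDOM-PSK'
set vpn ipsec site-to-site peer 203.0.113.1 connection-type 'respond'
set vpn ipsec site-to-site peer 203.0.113.1 ike-group 'IG001'
set vpn ipsec site-to-site peer 203.0.113.1 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 203.0.113.1 local-address '203.0.113.2'
set vpn ipsec site-to-site peer 203.0.113.1 vti bind 'vti0'
set vpn ipsec site-to-site peer 203.0.113.1 vti esp-group 'TS001'
# Only one remote prefix from this side's point of view
set protocols static interface-route 192.168.10.0/24 next-hop-interface vti0
set firewall name VTI-IN default-action 'drop'
set firewall name VTI-IN rule 10 action 'accept'
set firewall name VTI-IN rule 10 source address '192.168.10.0/24'
set firewall name VTI-IN rule 10 destination address '192.168.20.0/24'
set firewall name VTI-IN rule 20 action 'accept'
set firewall name VTI-IN rule 20 source address '192.168.10.0/24'
set firewall name VTI-IN rule 20 destination address '192.168.30.0/24'
set interfaces vti vti0 firewall in name 'VTI-IN'
commit
save
```

With this layout a third remote prefix is one more `interface-route` plus one more firewall rule, with no change to the IPsec peer and no renegotiation. `show vpn ipsec sa` should show a single child SA with 0.0.0.0/0 on both sides, and `show interfaces vti` shows vti0 up once Phase 1 and 2 have completed; if the VTI stays down, the tunnel itself has not established and routes pointing at it will blackhole traffic rather than fall back to the default route.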
