Blason_R
Silver

VPN Tunnel Management per Gateway Pair and consequences when I have multiple other tunnels

Hi Folks,

I have a total of around 12 VPN tunnels running on a 5900; all are policy/domain-based VPNs. I have been asked to look at the possibility of moving one tunnel out of those 12 to One VPN tunnel per Gateway Pair.

Wondering what could be the consequences on other tunnels then? Since I know One VPN tunnel per Gateway pair means CP will start sending/accepting 0.0.0.0/0.

TIA

Blason R

0 Kudos
3 Replies

Re: VPN Tunnel Management per Gateway Pair and consequences when I have multiple other tunnels

Where did you learn that 0.0.0.0 thing? According to the Site to Site VPN Administration Guide R80.30, p. 94:

VPN Tunnel Sharing provides greater interoperability and scalability by controlling the number of VPN tunnels created between peer Security Gateways. Configuration of VPN Tunnel Sharing can be set on both the VPN community and Security Gateway object. 

One VPN Tunnel per each pair of hosts - A VPN tunnel is created for every session initiated between every pair of hosts. 

One VPN Tunnel per subnet pair - Once a VPN tunnel has been opened between two subnets, subsequent sessions between the same subnets will share the same VPN tunnel. This is the default setting and is compliant with the IPsec industry standard.

One VPN Tunnel per Security Gateway pair - One VPN tunnel is created between peer Security Gateways and shared by all hosts behind each peer Security Gateway. 

0 Kudos
Blason_R
Silver

Re: VPN Tunnel Management per Gateway Pair and consequences when I have multiple other tunnels

Surprising!! The last time I ran the debug, vpnd.elg was showing 0.0.0.0/0 and the setting was One VPN Tunnel Per Gateway pair. I guess even @PhoneBoy had suggested moving it to per subnet pair, and it got resolved.

0 Kudos
Blason_R
Silver

Re: VPN Tunnel Management per Gateway Pair and consequences when I have multiple other tunnels

So in that case it should not be an issue moving to that setting for one tunnel, right?

0 Kudos