Isaac_Hamann
Explorer

Having multiple External addresses for IPsec

I have a 4000 series appliance on R77.30 that is our externally facing gateway.

Our ISP is forcing us change all of our public IP addresses (yay me).

We have quite a few IPsec tunnels for vendors, remote locations, etc.

I'd like to find a way to simultaneously use both the old address and the new one for IPsec so that I can transition the tunnels one-by-one and not update every vendor simultaneously. In time, I could remove the old address entirely.

I have an external interface configured with the new address and it is able to ping externally.

Here's a breakdown:

1.1.1.1 - current address for IPsec

2.2.2.2 - new address that will be for IPsec

Tunnel 1- vendor ABC

Tunnel 2- vendor XYZ

Current setup-

Tunnels 1 and 2 are pointed at 1.1.1.1

Desired setup- 

Tunnel 1 -> pointed at 1.1.1.1

Tunnel 2 -> pointed at 2.2.2.2

Both tunnels running simultaneously without interruption.

This is a live environment so the lower the impact, the better.

Any advice is appreciated...

Thanks! 

7 Replies
_Val_
Admin

CP supports multiple external interfaces for both VPN and clear text traffic; look for ISP redundancy articles. Maintaining multiple S2S IPsec tunnels on both external interfaces is possible, but requires some additional effort to configure. The working solution should be a route-based VPN. To start looking into this, go to sk35560.

However, there is a caveat.

I assume you are using a simplified Domain Based S2S VPN, and the remote VPN GWs are under someone else's management. In such a case I would strongly advise you to consider alternative IP migration scenarios, as moving from a Domain Based to a Route Based VPN (VTIs or not) will only add complexity to your environment. If you are not managing the remote GWs in the tunnels, you will also have to ask your VPN partners to reconfigure their sides.

kamalive
Explorer

I find myself in the same situation. How did you end up going about it if I may ask?

Florin_Dumitru
Participant

Have you found a solution? If yes, can you share it?

Capita_Network_
Explorer

Did anyone get a solution to this issue, can you please share ?

Florin_Dumitru
Participant

I forgot to reply to the post, but I did find a solution that has been in use for a couple of years now.

Basically, I got a 1590 (with LTE) connected to the Internet via 4G (LTE interface, dynamic IP) and via WAN (DHCP) to a broadband satellite (almost fixed IP), two different ISPs. Each external interface has an IPsec tunnel to a different company. Over the 4G interface I've set up a certificate-based VPN (dynamic IP) as it was the only way to do it (plus I manage both ends of the tunnel), and over the WAN interface a regular IPsec VPN. Both are domain-based VPNs. PBR was also necessary.

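As an added illustration of the PBR that the reply above says was necessary (this is not the poster's configuration and does not appear anywhere in the thread): the rules below pin traffic the gateway sources from each external address to that address's own upstream next hop, so the IKE and ESP packets of each tunnel leave through the interface the tunnel was built on instead of following the single default route. The syntax follows Gaia clish policy-based routing as documented in sk100500, to the best of my knowledge; the table names, the next-hop addresses 1.1.1.254 and 2.2.2.254, and the external addresses 1.1.1.1 and 2.2.2.2 (the original post's placeholders) are all assumptions. The `#` lines are annotations for the reader, not input clish accepts.

```clish
# Added example, not from the original thread. Gaia clish PBR; syntax per
# sk100500 as I understand it. All addresses and table names are placeholders.

# One routing table per upstream. A packet matching a PBR rule is looked up in
# the rule's table instead of the main routing table.
set pbr table OLD_ISP static-route default nexthop gateway address 1.1.1.254
set pbr table NEW_ISP static-route default nexthop gateway address 2.2.2.254

# Source-based rules. Whatever the gateway sends from its old external address
# (IKE on UDP/500, NAT-T on UDP/4500, ESP) goes out via the old ISP; whatever it
# sends from the new address goes out via the new ISP. Lower priority wins.
set pbr rule priority 10 match from 1.1.1.1/32
set pbr rule priority 10 action table OLD_ISP
set pbr rule priority 20 match from 2.2.2.2/32
set pbr rule priority 20 action table NEW_ISP

# Persist and review what was installed.
save config
show pbr tables
show pbr rules
```

Two things to verify on the box rather than assume: that the gateway actually selects the intended source address for each peer (otherwise both tunnels will still be sourced from one address and the second rule never matches), and that locally generated IKE/ESP is subject to these rules on the version in use. A tcpdump on each external interface while each tunnel negotiates settles both quickly, and should be done before the first vendor is told to move.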
vivekumar1988
Participant

Hi, did anyone get a working solution for this? Two different IPsec tunnels for two different customers over two different outgoing/external interfaces?

 

IvoryHoward
Explorer

Hello! I need the solution.

 
