nycc3883
Explorer

Multiple WAN IP for IPSEC


I have 5 public static IPs.

1 IP is attached to the cluster, 2 IPs are attached to each member.

The remaining 2 IPs I would like to use for IPsec, to serve as primary and secondary.

Is it possible? Please advise

0 Kudos
9 Replies
Maarten_Sjouw
Champion
Where would you want to assign those extra IPs?
When the cluster is running the VPNs, you use the cluster IP to terminate the VPN on, and the 2 members will utilize that IP whenever they are the active member.
Regards, Maarten
0 Kudos
nycc3883
Explorer

Yeah, this is one of the things I want to know: is there anywhere that I can attach these public IPs?

0 Kudos
FedericoMeiners
Advisor

Can you tell us what's your use case?

In other words: What are you trying to achieve by having two IPs from the same prefix and same ISP for IPSEC VPNs?

____________
https://www.linkedin.com/in/federicomeiners/
0 Kudos
nycc3883
Explorer

What I want to achieve is this: in my environment I have separate company entities.

They are using the same infra, but the networks inside are separated, with no communication with each other.

So for this, I would also like to separate the public IPs that the external users point to.

For example:

A user from company A points to this public IP to access their company resources.

A user from company B points to a different public IP than company A to access their company resources.

0 Kudos
PhoneBoy
Admin
Pretty sure you can't do what you're describing without using VSX on your gateways.
Each company would have its own VS (virtual system, i.e. firewall) each with its own access policy and public IP.
0 Kudos
nycc3883
Explorer

I thought so too. 

Just verifying whether there is an alternative solution to this, as support is taking a long time to assist with troubleshooting.

0 Kudos
Danzaroonie
Explorer

Might be able to use Gaia Policy-Based routing...(just a thought)

You can define x2 default routes for ISPA and ISPB; however, you still need to define the cluster topology information correctly.

The Policy-Based routing table will also have to be manually defined for each connected network (a bit of a pain if you have a few).

As an example...(I have done this for a customer that wanted a DMZ routed out a specific ISP, so can't see why this would not work in the same manner)

Client A - 10.100.0.0/24 would always route out of ISPA

Client B - 10.200.0.0/24 would always route out of ISPB

regards

Dan

0 Kudos
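A sketch of the per-source policy-based routing described in the post above, written as Gaia clish commands; it is an added example, not part of the original post and not Check Point's own configuration. The table names ISPA/ISPB and the client networks come from the post; the next-hop addresses are constructed placeholders, and the command syntax is an assumption to verify against the Gaia release in use.

```clish
# Added example. Next-hop addresses below are constructed placeholders
# from documentation ranges, not values from this thread.
# Gaia routing configuration is per member: apply on every cluster member.

# One PBR table per ISP, each carrying its own default route.
set pbr table ISPA static-route default nexthop gateway address 203.0.113.1 on
set pbr table ISPB static-route default nexthop gateway address 198.51.100.1 on

# Client A (10.100.0.0/24) always leaves via ISPA.
set pbr rule priority 10 match from 10.100.0.0/24
set pbr rule priority 10 action table ISPA

# Client B (10.200.0.0/24) always leaves via ISPB.
set pbr rule priority 20 match from 10.200.0.0/24
set pbr rule priority 20 action table ISPB

# As the post notes, routes for each connected network that these
# clients must still reach have to be added to each table by hand;
# a matched packet is looked up in its PBR table first.

# Review what was configured, then persist it.
show pbr tables
show pbr rules
save config
```

This only selects the egress path per source network; the cluster topology still has to be defined correctly, and it does not provide the per-company policy separation that the VSX replies in this thread address.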
nycc3883
Explorer

Thanks for sharing.

Will explore this.

0 Kudos
Chris_Hoff
Contributor

I would have to agree with PhoneBoy that if you are wanting to keep them isolated, you would need to utilize VSX. Beyond the issue of IPs/isolation, how are you planning to authenticate the users (I am assuming remote access based on your "user" verbiage above)? With a single gateway/cluster, you are not going to be able to use different authentication methods.

Are you planning to use the Mobile Access Blade (i.e. SSL VPN)? Or are you planning to use the Endpoint Client? 

0 Kudos