Re: Having multiple External addresses for IPsec

Isaac_Hamann · ‎2018-07-13

I have a 4000 series appliance on r77.30 that is our externally facing gateway.

Our ISP is forcing us change all of our public IP addresses (yay me).

We have quite a few IPsec tunnels for vendors, remote locations, etc...

I'd like to find a way to simultaneously use both the old address and the new one for IPsec so that I can transition the tunnels one-by-one and not update every vendor simultaneously. In time, I could remove the old address entirely.

I have an external interface configured with the new address and it is able to ping externally.

Here's a breakdown:

1.1.1.1 - current address for IPsec

2.2.2.2 - new address that will be for IPsec

Tunnel 1- vendor ABC

Tunnel 2- vendor XYZ

Current setup-

Tunnels 1 and 2 are pointed at 1.1.1.1

Desired setup-

Tunnel 1 -> pointed at 1.1.1.1

Tunnel 2 -> pointed at 2.2.2.2

Both tunnels running simultaneously without interruption.

This is a live environment so the lower the impact, the better.

Any advice is appreciated...

Thanks!

_Val_ · ‎2018-07-14

CP support multiple external interfaces for both VPN and cleat text traffic, look for ISP redundancy articles. Maintaining multiple S2S IPSec tunnels on both external interfaces is possible, but require some additional efforts to configure. The working solution should be a route-based VPN. To start looking into this, go to sk35560.

However, there is a caveat.

I assume you are using a simplified Domain Based S2S VPNs, and the remote VPN GWs are under someone else's management. In such a case I would strongly advise you to consider alternative IP migration scenarios, as moving from a Domain Based to Route Based VPN (VTIs or not) will only add complexity to your environment. In case you are not managing the remote GWs in the tunnels, you will also have to ask your VPN partners to reconfigure their sides.

kamalive · ‎2019-06-03

I find myself in the same situation. How did you end up going about it if I may ask?

Florin_Dumitru · ‎2019-07-25

Have you found a solution? If yes, can you share it?

Capita_Network_ · ‎2019-09-23

Did anyone get a solution to this issue, can you please share ?

Florin_Dumitru · ‎2023-03-07

I forgot to reply to the post, but I did find a solution that has been in use for a couple of years now.

Basically, I got a 1590 (with LTE) connected to the Internet via 4G (LTE interface - dynamic IP) and via WAN (DHCP) to a broadband satellite (almost fixed IP) - two different ISP's. Each external interface has an IPSEC tunnel to a different company. Over the 4G interface I've setup a certificate based VPN (dynamic IP) as it was the only way to do it (plus I manage both ends of the tunnel) and over the WAN interface a regular IPSEC VPN. Both are domain based VPN's. PBR was also necessary.

vivekumar1988 · ‎2022-02-17

Hi , Did anyone got the working solution for this ? 2 different IPSEC tunnel for 2 different customer over 2 different outgoing/ External interfaces ???

IvoryHoward · ‎2022-02-18

hello! I need the solution

Are you a member of CheckMates?

Having multiple External addresses for IPsec