the_rock
Legend

VPN link selection question

Hey guys,

I honestly was not even going to post this, but had to, just for my own sanity :-). Though I'm 99.99% sure this is NOT possible, since the customer asked me, I figured I would pick y'all's brains. So, here is their question... is there ANY way to configure a CP firewall (either via link selection or any other way) to use, say, an external IP for specific VPN tunnels and then use a different IP for other tunnels?

Cheers.

0 Kudos
1 Solution

Accepted Solutions
Wolfgang
Authority

In the past this was possible via an entry in user.def, see "Controlling which IP address VPN traffic passes through". But I think there's no support for this in the newer releases.

With link selection you can achieve this if the remote VPN gateways are available via different interfaces. You can route tunnel A via interface A and tunnel B via interface B; it depends on the routing configuration. The source IP will be the interface IP of the outgoing interface. See "How to create VPN tunnels to a 3rd party peer using a specific ISP".


(1)
9 Replies
the_rock
Legend

Thanks @Wolfgang ! Never seen that sk before, but good to know, though I believe you are right, probably not supported in new versions. For your 2nd point, customer has only 1 external interface, so not sure that might be feasible. What about below setting, would this work possibly?

Screenshot_1.png

Thoughts?

0 Kudos
Wolfgang
Authority

@the_rock The shown settings are for the IP addresses that will be probed from the remote gateway to the local gateway (see the description at the top). Additionally, you have to configure the IP address of the outgoing packets, the second part of your shown screen. But I think your need does not work if all tunnel packets are going through the same interface.

the_rock
Legend

Thanks mate, I think what you gave is the closest to what they need, so I greatly appreciate it 🙌🙌

PhoneBoy
Admin

You can configure Remote Access and Site-to-Site VPN tunnels with a different "Link Selection" IP.
However, you cannot configure "per peer" Link Selection, which is what it sounds like your customer wants.
Though sk31102 does seem like it would support that (if it works on current versions).

FYI, in R82, I believe we are overhauling the whole "Link Selection" mechanism.

the_rock
Legend

Fair enough, thank you. It's weird how this client has route based tunnels configured (never seen that in 15 years with CP), so it makes it a bit tricky to do all this, but you guys gave me an excellent choice, so I will give this to them, probably tomorrow or some time next week. They understand the situation, so really this is the best they can get, whether they like it or not 😊

Thanks a lot as always @PhoneBoy and @Wolfgang !

0 Kudos
the_rock
Legend

Hey @PhoneBoy ...I assume you were referring to visitor mode setting for remote access where it lets you select the interface?

0 Kudos
PhoneBoy
Admin
(1)
the_rock
Legend

Ah, right... I remember seeing this sk a couple of years ago.

0 Kudos
