Kurt_Abela
Contributor

VPN on Proxy ARP IP Address

Dear all,

Is it possible to set up a site-to-site VPN tunnel with a proxied IP address (proxy ARP), i.e. an address which is not on the physical interface?

Thanks,

K

PhoneBoy
Admin

Yes.

From the R80.10 Site-to-Site VPN docs:

There are several methods that can determine how remote peers resolve the IP address of the local Security Gateway. These settings are configured in Security Gateway Properties > IPsec VPN > Link Selection. Remote peers can connect to the local Security Gateway with these settings.

Always Use This IP Address:

Configure a certain IP address that is always used. The options are:

  • Main address - The VPN tunnel is created with the Security Gateway main IP address, specified in the IP Address field on the General Properties page of the Security Gateway.
  • Selected address from topology table - The VPN tunnel is created with the Security Gateway using a selected IP address chosen from the drop-down menu that lists the IP addresses configured in the Topology page of the Security Gateway.
  • Statically NATed IP - The VPN tunnel is created using a NATed IP address. This address is not required to be listed in the topology tab.

That last option is what you're surely looking for.

Kurt_Abela
Contributor

Many thanks for your reply. The issue we have is that we already have VPN tunnels on addresses from the topology table and we need a new VPN tunnel on a routed IP (not in topology). I think these are mutually exclusive.

PhoneBoy
Admin

Since this is a per-gateway setting (not a per-tunnel setting), I believe you are correct.

The way you would meet this requirement today would be using Virtual Systems (VSX).

You would have a VS (basically a virtual gateway) that has the configuration you desire.

This VS could enforce the same or different policy, depending on your requirements.

Kurt_Abela
Contributor

Thanks for your suggestions.

We have NATed Internet traffic behind another public IP as a workaround to the issue.
