• IPSec VTI Transit P2 Transit Network

    4
    1 Votes
    4 Posts
    790 Views
    @jlw52761 Please test. I'm curious if this is possible.
  • VTI, MSS Clamping and MTU

    1
    0 Votes
    1 Posts
    564 Views
    No one has replied
  • Multiple IPsec servers?

    7
    0 Votes
    7 Posts
    1k Views
    I had to let it percolate a bit to remember that way back when this was set up, the PowerShell script adds a route for the subnet: Add-VpnConnectionRoute -ConnectionName "name" -DestinationPrefix 10.2.2.0/24. IPsec tab FW blocks from source IP to each subnet work great. Thanks,
  • Two tunnels to same endpoint after brief outage

    1
    0 Votes
    1 Posts
    422 Views
    No one has replied
  • Site-to-Site IKEv2 Slows To Crawl Until Re-established

    7
    0 Votes
    7 Posts
    1k Views
    keyser
    @thewaterbug Excellent tests and performance comparison :-) Last time I checked, both AES-128 and AES-256 (both in CBC and GCM mode) were considered safe since they need HEAVY supercomputer time to be decrypted. 128-bit is “possible” to decrypt with modern supercomputers, but not in anywhere close to a usable timeframe. 256-bit is not practically decryptable (we are looking at many, many years of supercomputer time).
  • IPSec VPN iperf3 Speeds For Single Stream Slow

    10
    0 Votes
    10 Posts
    2k Views
    planedrop
    @keyser Fortunately I don't think we are getting any packet loss here; more testing and I'm seeing absolutely zero retransmits, so that's good. Unfortunately though, the specific device that needs the high bandwidth is from a vendor and uses their own OS; it's technically Ubuntu, but the point is I can't log in to make any adjustments to it. Might find out if the vendor can do any tuning on it for this remote setup. It's an appliance that typically is on a local subnet rather than remote, so it's definitely not set up for this, so considering it only operates about half as fast as on site, I'm pretty happy lol, just wanted to double check things. Thanks again for all the insight here, greatly appreciate it!
  • IPSec VTI - can ping from pfSense but not from LAN computer

    ipsec
    16
    0 Votes
    16 Posts
    3k Views
    @mclaborn Ok, from there I'd check the Routes table, I'd check all your firewall rules, and I'd run a tracert to see if it's going somewhere funky. Also check your Outbound NAT rules to see if there's a redirect there, too, or maybe you have a 1:1 that is translating the IP to something else.
  • 0 Votes
    1 Posts
    434 Views
    No one has replied
  • IPsec overwriting Shared Secret

    3
    0 Votes
    3 Posts
    780 Views
    @jimp must be something else… Site-to-Site has remote address set. I've checked P2 as well for both VPNs. They have the correct values for their P1 set. [image: 1669213686037-ipsec-tunnel-config.png]
  • Access device via openvpn through ipsec tunnel

    ipsec routing openvpn config
    11
    0 Votes
    11 Posts
    2k Views
    @nick-loenders Anyway, if you have sequenced subnets like these you can embrace them in the P2 using an appropriate mask. But with a local LAN of 10.0.1.0/24 you run the risk of overlapping. So if the LAN here is 10.0.1.0/24 you could only merge tunnel 2 and 3 by stating 10.0.2.0/23 as the remote network. If you have control over all involved sites you should consider this when designing the networks.
  • AWS ipsec tunnel , BGP and P2

    3
    0 Votes
    3 Posts
    669 Views
    Yep, VTI works without issues with AWS/BGP.
  • IPSEC on Dual WAN not spotting failover [I think]

    1
    0 Votes
    1 Posts
    449 Views
    No one has replied
  • Is it possible to change the listening port of IPsec VTI?

    16
    0 Votes
    16 Posts
    2k Views
    @upper-deck that is awesome. I'll play with mine later, but this was a cool learning moment for me.
  • Site-to-Site, but for a single device?

    5
    0 Votes
    5 Posts
    1k Views
    @thewaterbug I'd personally recommend you look into VTI IPsec, which will create a gateway that you can then use in a policy-based firewall rule for the specific host you want to give access to.
  • 0 Votes
    2 Posts
    625 Views
    Maybe you need to check the firewall rules of IPsec.
  • What's wrong with my ipsec?

    10
    0 Votes
    10 Posts
    1k Views
    BTW, this is not for me: [image: 1668647646584-03a3bfdb-92a9-437a-88f5-90c7db833c2b-image.png] I get best ipsec performance by these: [image: 1668647884865-3f5503cf-ce81-4ef8-adff-d4a82a611547-image.png]
  • 0 Votes
    1 Posts
    729 Views
    No one has replied
  • IPSec - tunnel access over tunnel

    10
    0 Votes
    10 Posts
    1k Views
    @viragomann Hi, 10.0.0.0 is connected over IPsec to 10.0.8.0, and our local destination 192.168.2.0 is connected over IPsec to 10.0.0.0. The location of the customer with 192.168.2.0 is connected to 10.0.8.0. When the customer starts the VPN, then we can't connect from 192.168.2.0 over 10.0.0.0.
  • Understanding my NAT options

    1
    0 Votes
    1 Posts
    502 Views
    No one has replied
  • pfSense CE IPSec Possible Bug Accepting Any IPv4 Address

    ipsec dynamic ip
    1
    0 Votes
    1 Posts
    539 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.