How to enable Tunnel Isolation Mode

dabenavidesd · Jul 22, 2021, 1:20 AM

Dear all:
can you enlight me how to enable Tunnel isolation mode lease. Thanks in advance

jimp · Jul 27, 2021, 5:39 PM

What exactly do you mean by "Tunnel isolation mode"?

dabenavidesd · Jul 27, 2021, 5:39 PM

@jimp Hi: thanks for your answer, but still not sure if that's what I need.
My problem is I'm having some intermittence in IPsec, so I want to diagnose if it's a problem with the encryption domains. From what I researched could be traffic being dropped intermittently because of tunnel configuration for multiple domains, so I want to isolate the failure.
One way was as I found to make multiple IPsec with just one encryption domain each. So I found the tunnel isolation on Ipsec could be useful for that.

jimp · Jul 29, 2021, 1:52 PM

Sounds like what you want is "Split connections" in the P1 options.

IKEv1 is always split -- each P2 gets its own separate configuration
IKEv2 can combine traffic selectors and does so by default, so all your P2 configurations get lumped into a single configuration entry. This is more efficient and flexible, since it only needs to maintain one child SA for all traffic, but some other devices/services don't like it for various reasons.

If you are using IKEv2 and check "Split Connections" then it creates a separate configuration for each P2 so they will be independent.