Multiple sites served by a single P1?
-
I haven’t been able to find a clear answer on this.
Suppose I have 10 locations. HQ and 9 remote offices. I want to set up routed IPsec and dynamic routing / FRR.
Is it possible to have a single P1 entry at HQ serve all 9 remote office tunnels?
I was wondering if I could set HQ’s P1 to responder only and set the remote gateway IP address to 0.0.0.0/0. The remote offices would be initiators and would specify HQ’s WAN address as the remote endpoint.
I would anticipate having a single P2 at HQ for each remote office. Since this is VTI mode, each site would specify HQ’s private tunnel address as the remote network and its own tunnel address as local.
For routing I’d run FRR / BGP so each device could distribute routes without having to maintain them manually.
Can IPsec be set up this way? Chiefly I avoid having to do a separate P1 for each site on HQ’s router, which is the draw. Simpler configuration, easier to come back to later and work with when changes are needed.
-
@bp81 said in Multiple sites served by a single P1?:
I haven’t been able to find a clear answer on this.
Suppose I have 10 locations. HQ and 9 remote offices. I want to set up routed IPsec and dynamic routing / FRR.
Is it possible to have a single P1 entry at HQ serve all 9 remote office tunnels?
I was wondering if I could set HQ’s P1 to responder only and set the remote gateway IP address to 0.0.0.0/0. The remote offices would be initiators and would specify HQ’s WAN address as the remote endpoint.
I would anticipate having a single P2 at HQ for each remote office. Since this is VTI mode, each site would specify HQ’s private tunnel address as the remote network and its own tunnel address as local.
For routing I’d run FRR / BGP so each device could distribute routes without having to maintain them manually.
Can IPsec be set up this way? Chiefly I avoid having to do a separate P1 for each site on HQ’s router, which is the draw. Simpler configuration, easier to come back to later and work with when changes are needed.
Pretty interesting idea. I wouldn’t initially expect it to work, because you will be using the Mobile User VPN P1 for that setup.
But you can enable VTI in the P2 for mobile users, so it might actually work if you do dynamic routing to announce the networks available on the remote sites. Looking forward to hearing about your progress on this :-)
-
@keyser Oof. Sounds like I'm in unsupported configuration territory here.
I'll see how it performs in a lab.
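The dynamic-routing half of the design discussed above (the OP's plan to run FRR/BGP over the VTIs, and the reply's suggestion that the spokes announce their own networks) can be expressed as an FRR BGP configuration on the hub and on one spoke. This is an added example, not configuration from the thread or from the pfSense/FRR projects, and every address and ASN in it is an assumption: the hub's VTI address is taken as 10.255.0.1/24 with each spoke's VTI address in 10.255.0.0/24, HQ's LAN as 10.0.0.0/16, spoke N's LAN as 10.N.0.0/16, and private ASNs 65000 (hub) and 65001+ (spokes). The hub uses a BGP peer-group with a listen range so that one stanza serves all nine spokes, mirroring the "one P1 for everything" goal, and a prefix-list filter so that a spoke can only inject routes for the address space it is expected to own.

```frr
! ---- Hub (HQ), assumed ASN 65000, VTI address 10.255.0.1 ----
router bgp 65000
 bgp router-id 10.255.0.1
 ! One peer-group covers every spoke; no per-spoke neighbor lines needed.
 neighbor SPOKES peer-group
 neighbor SPOKES remote-as external
 ! Accept sessions from any spoke whose VTI address falls in this range.
 bgp listen range 10.255.0.0/24 peer-group SPOKES
 address-family ipv4 unicast
  neighbor SPOKES activate
  ! Only accept prefixes a spoke is expected to own (see prefix-list below).
  neighbor SPOKES route-map SPOKES-IN in
  ! Advertise HQ's LAN to every spoke.
  network 10.0.0.0/16
 exit-address-family
!
! Spokes may announce /16 to /24 subnets inside 10.0.0.0/8 only; a default
! route or an unrelated prefix from a misconfigured or compromised spoke is dropped.
ip prefix-list SPOKE-PREFIXES seq 10 permit 10.0.0.0/8 ge 16 le 24
!
route-map SPOKES-IN permit 10
 match ip address prefix-list SPOKE-PREFIXES
!
! ---- Spoke 1 (remote office), assumed ASN 65001, VTI address 10.255.0.11 ----
router bgp 65001
 bgp router-id 10.255.0.11
 ! The hub's VTI address is the only neighbor; it is directly reachable over the tunnel.
 neighbor 10.255.0.1 remote-as 65000
 address-family ipv4 unicast
  neighbor 10.255.0.1 activate
  ! Announce this office's LAN; HQ and (via HQ) the other offices learn it from here.
  network 10.1.0.0/16
 exit-address-family
```

With this layout the hub learns each office's LAN as it comes up and re-advertises it to the other spokes, so spoke-to-spoke traffic hairpins through HQ without any static routes. The inbound route-map on the hub is the part worth keeping even in a lab: with a single responder-only P1 accepting initiators from anywhere, the BGP filter is what limits the damage a mis-set or hostile spoke can do to HQ's routing table.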