Netgate Discussion Forum

    VRF for IPsec tunnels

    TNSR Feedback
    3 Posts 2 Posters 364 Views
      michmoor LAYER 8 Rebel Alliance

      Is there an ability on TNSR to give IPsec tunnels their own VRF?

      In JUNOS, I am able to place clients into their own routing-instance, where I can do IPsec/BGP with them. There have been IP overlap conflicts in the past, plus having that L3 separation of the routing domain, in my mind, is best security practice.

      That said, can TNSR do this?
      pfSense doesn't understand VRFs, but I'm looking at that as more of a legacy appliance I will roll out if I have no choice; the preference is TNSR for all modern deployments.

      Firewall: NetGate,Palo Alto-VM,Juniper SRX
      Routing: Juniper, Arista, Cisco
      Switching: Juniper, Arista, Cisco
      Wireless: Unifi, Aruba IAP
      JNCIP,CCNP Enterprise

        fractal_boy @michmoor

        @michmoor Yes you can

        1. Create your VRF, in case you don't have one:

        bhc-tnsr tnsr(config)# sh run route
        route table IPSEC
            description IPSEC VRF
            id 101
        exit

        2. Assign your new VRF to the IPsec tun ipip interface. In my case, this is the ipip101 interface.

        interface ipip101
            enable
            mtu 1380
            vrf IPSEC
            ip address 172.21.254.6/30
        exit

        3. Configure a static route in your new VRF pointing to the remote ipip interface.

        bhc-tnsr tnsr(config)# sh run route
        route table IPSEC
            description IPSEC VRF
            id 101
            route 172.27.0.0/16
                next-hop 0 via 172.21.254.5 ipip101
            exit
        exit
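The three steps above only give the L3 separation the question asks for if the route table, the ipip interface and the static route all name the same VRF; an ipip interface without a vrf line sits in the default routing table, and a route in table IPSEC that exits through it is exactly the kind of cross-domain leak the separation is meant to prevent. As an added example (not from the thread and not TNSR's own tooling), a small Python check that parses the show running-config style output quoted above and flags any route whose next-hop interface is not in the route table's VRF; the sample config is constructed, and the parser only understands the handful of statements shown in this thread.

```python
# Constructed sample in the "show running-config" style quoted in the thread.
# Deliberate mismatch: ipip102 has no "vrf" line, so it sits in the default VRF.
SAMPLE_CONFIG = """
route table IPSEC
    id 101
    route 172.27.0.0/16
        next-hop 0 via 172.21.254.5 ipip101
    exit
    route 10.99.0.0/16
        next-hop 0 via 172.21.254.9 ipip102
    exit
exit
interface ipip101
    vrf IPSEC
    ip address 172.21.254.6/30
exit
interface ipip102
    ip address 172.21.254.10/30
exit
"""

def parse_tnsr(text):
    """Return ({interface: vrf or None}, [(table, prefix, next-hop iface)])."""
    ifaces, routes = {}, []
    table = iface = prefix = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("route table "):
            table = line.split()[2]
        elif line.startswith("interface "):
            iface = line.split()[1]
            ifaces[iface] = None          # no vrf statement yet: default VRF
        elif line.startswith("vrf ") and iface:
            ifaces[iface] = line.split()[1]
        elif line.startswith("route ") and table:
            prefix = line.split()[1]
        elif line.startswith("next-hop ") and prefix:
            routes.append((table, prefix, line.split()[-1]))   # last token: egress iface
        elif line == "exit":              # innermost open block closes first
            if prefix: prefix = None
            elif table: table = None
            else: iface = None
    return ifaces, routes

def find_vrf_leaks(text):
    """Routes whose next-hop interface is not bound to the route table's VRF."""
    ifaces, routes = parse_tnsr(text)
    return [f"{t}: {p} via {i} (interface vrf={ifaces.get(i)})"
            for t, p, i in routes if ifaces.get(i) != t]
```

Run it against a real sh run dump after the three steps; an empty list means every route in the IPSEC table leaves through an interface that is itself in the IPSEC VRF.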
          michmoor LAYER 8 Rebel Alliance @fractal_boy

          @fractal_boy Very nice. Exactly what I'm looking for.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.