Netgate Discussion Forum
    Questions about having overlapping P2s in different tunnels

    Category: IPsec
    • bp81

      I have a hub and spoke setup using IPsec policy routing (tunnel mode, not VTI mode).

      Currently my “spoke” sites have a P2 in their tunnel to the “hub” that is 10.0.0.0/8 (all my sites have lans that are 10.X.0.0/16, replace X with a different number per site). The P2s in the hub site obviously list each spoke site’s LANs as remote networks and 10.0.0.0/8 as a local network.

      This enables traffic to move not only from any spoke to the hub, but also allows traffic to pass from any spoke to any other spoke by transiting through the hub.

      This has worked very seamlessly.

      However, I am looking at making some on-premises services have more redundancy. This is centered mostly around RADIUS authentication and domain controllers.

      I’d like to have a situation where the “spokes” have direct tunnels to three “core” locations, while still using the current “hub” as a transit site for spoke to spoke traffic and as a “core” location with redundant infrastructure.

      It occurs to me that just adding two additional tunnels for each spoke might not be a good idea. The P2s of the new tunnels will have each core site listed as a remote network. The 10.0.0.0/8 will remain for the links to the hub, but this will obviously overlap with the new core site P2s.

      What are the potential issues with this?

      I have considered going to VTI + OSPF for this and I’m not really interested in it. I can run it in a lab with no issue, but in production all my sites have HA/CARP running. VTI + OSPF involves adding an Interface Assignment for every VPN tunnel. It’s already aggravating enough getting the physical interfaces and VLAN interfaces added in exactly the correct order for HA to work. I am extremely uninterested in complicating that problem further, to the point that I am willing to abandon the entire project if it’s the only way.

      My only solutions are policy IPsec with overlapping P2s, if that will work without issues, or OpenVPN + OSPF (this config seems to work without making manual interface assignments, but it’s OpenVPN and, therefore, slow).

      Has anyone tried policy IPsec in this configuration? Does it work? Does it work but with issues?

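To make the overlap concrete, the following is an added example (not code from the post, and not pfSense or strongSwan code) that models one spoke's outbound policy list as described above and shows which tunnel a packet would take under two different selection rules: first match in list order, and most-specific selector wins. The site numbers are assumptions (this spoke is 10.7.0.0/16, the two new core sites are 10.2.0.0/16 and 10.3.0.0/16, another spoke is 10.9.0.0/16); the hub tunnel keeps the 10.0.0.0/8 selector. Which rule the kernel's policy database actually applies is the thing to confirm on the platform before relying on it; the example only shows why it matters: under first-match with the /8 listed first, every core-bound packet still transits the hub and the redundancy gain is lost, while under most-specific matching the direct tunnels win.

```python
import ipaddress
from itertools import combinations

# Constructed topology modelled on the post. Site numbers are assumptions.
SPOKE_LAN = ipaddress.ip_network("10.7.0.0/16")    # this spoke's LAN (assumed X=7)
HUB_SUMMARY = ipaddress.ip_network("10.0.0.0/8")   # selector on the existing hub tunnel
CORE_LANS = {                                      # new direct tunnels to core sites
    "core-B": ipaddress.ip_network("10.2.0.0/16"),
    "core-C": ipaddress.ip_network("10.3.0.0/16"),
}


def build_spd(spoke_lan, hub_summary, core_lans):
    """Return the spoke's outbound policy list as (local, remote, tunnel) tuples.

    The hub entry is listed first, as it is the pre-existing tunnel; the core
    entries follow. Order only matters under first-match selection.
    """
    spd = [(spoke_lan, hub_summary, "tunnel->hub")]
    for name, lan in core_lans.items():
        spd.append((spoke_lan, lan, f"tunnel->{name}"))
    return spd


def select_policy(spd, src, dst, mode):
    """Pick the tunnel for a src/dst pair; None if no selector covers it.

    mode == "first-match":    the first entry whose selectors cover the packet.
    mode == "most-specific":  the covering entry with the longest combined
                              prefix length (narrower selector beats the /8).
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    matches = [e for e in spd if src in e[0] and dst in e[1]]
    if not matches:
        return None
    if mode == "first-match":
        return matches[0][2]
    if mode == "most-specific":
        return max(matches, key=lambda e: e[0].prefixlen + e[1].prefixlen)[2]
    raise ValueError(f"unknown selection mode: {mode}")


def find_overlaps(spd):
    """List pairs of tunnels whose remote selectors overlap (the ambiguity itself)."""
    overlaps = []
    for a, b in combinations(spd, 2):
        if a[0].overlaps(b[0]) and a[1].overlaps(b[1]):
            overlaps.append((a[2], b[2]))
    return overlaps


def compare_modes(spd, src, dsts):
    """For each destination, show the tunnel chosen under both rules."""
    return {
        dst: {
            "first-match": select_policy(spd, src, dst, "first-match"),
            "most-specific": select_policy(spd, src, dst, "most-specific"),
        }
        for dst in dsts
    }


if __name__ == "__main__":
    spd = build_spd(SPOKE_LAN, HUB_SUMMARY, CORE_LANS)
    print("overlapping policy pairs:", find_overlaps(spd))
    # Constructed sample flows: a core-B host, a core-C host, a host at another spoke.
    for dst, chosen in compare_modes(spd, "10.7.0.5",
                                     ["10.2.5.10", "10.3.0.20", "10.9.1.1"]).items():
        print(dst, chosen)
```

The point to take from the output is that the 10.9.1.1 flow (another spoke) goes via the hub under both rules, which is the transit behaviour the post wants to keep, whereas the core-bound flows only use the new direct tunnels if the platform prefers the narrower selector. If it instead walks the list in order, the direct tunnels are never used for these flows until the /8 entry is ordered after them, and a failover to a core site through its direct tunnel would not happen as intended.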
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.