Contributor (Posts: 15, Registered: 03-29-2017)

IPSEC Tunnel over VLANS

Good afternoon! I need to create an IPSEC tunnel between 2 routers. Please see the attached rudimentary illustration. The tunnel needs to go from Router A to Router D so they can get to each other's internal networks. I control Router A, D, and all the managed switches. Router B and C I have no control over. The VLAN address and VLANs are generic to illustrate the issue. Typically I would connect Router A directly to Router B and the same with C and D, but that can't be done this time. Am I overthinking this? To me Router A needs a static route to get to VLAN 5 via its next hop. Then Router D needs a static route to VLAN 2 via its next hop. From there, just configure the IPSEC tunnel as normal and routing protocols through the tunnel. Something is telling me that won't work. I need to make sure all traffic is going into the tunnel.

Distinguished Expert (Posts: 573, Registered: 08-23-2015)

Re: IPSEC Tunnel over VLANS

Hello,

 

When Router A wants to reach Router D, or when Router D wants to reach Router A over the internet, are Routers B and C responsible for NATing the traffic?

 

If yes, what kind of NAT is used?

 

Regards,

 

Rushi

Contributor (Posts: 15, Registered: 03-29-2017)

Re: IPSEC Tunnel over VLANS

Rushi,

 

I'm still trying to contact the owners of Router B and C; I'm fairly certain they will configure it as source NAT using the interface IP. For this example we can say ge-0/0/0 is the WAN interface on both Router B and C.

Distinguished Expert (Posts: 573, Registered: 08-23-2015)

Re: IPSEC Tunnel over VLANS

Hello,

 

With both sides using Interface based NAT, IPSec VPN may not be possible.

At least one of the ends needs to have a static IP (or static one-to-one NAT).

 

Regards,

 

Rushi

Contributor (Posts: 15, Registered: 03-29-2017)

Re: IPSEC Tunnel over VLANS

Definitely need to get more info from the owners of B and C. So let's say B and C have static IP addresses for their WAN interfaces. Then B and C have their own IPSEC between them so they can talk to each other, no problem. Within that, A and D want to create a tunnel between each other.

Contributor (Posts: 15, Registered: 03-29-2017)

Re: IPSEC Tunnel over VLANS

Updated illustration. Routers B and C already have an established IPSEC tunnel between them. Routers A and D need to have one between them. Again, I think I'm overthinking this, but maybe not. Going by this:

 

Router B should be able to communicate with VLAN 3 ( because it's directly connected)

Router B would need a static route to VLAN 2 via VLAN 3

 

Router A would need a static route to VLAN 3 via VLAN 2

Router A would need a static route to VLAN 4 via VLAN 2

Router A would need a static route to VLAN 5 via VLAN 2

 

Router C should be able to communicate with VLAN 4 ( because it's directly connected)

Router C would need a static route to VLAN 5 via VLAN 4

 

Router D would need a static route to VLAN 4 via VLAN 3

Router D would need a static route to VLAN 3 via VLAN 3

Router D would need a static route to VLAN 2 via VLAN 3

 

Technically, based on that, pending zones/ACLs, everything should ping, correct? If I can touch end to end, then I should be able to make a tunnel between A and D, correct?

Distinguished Expert (Posts: 5,028, Registered: 03-30-2009)

Re: IPSEC Tunnel over VLANS

Why are you not able to add the new proxy id pairs to the existing IPSEC tunnel?

Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
JNCIA-Junos JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCIS-FWV
JNCDA JNCDS-DC JNCDS-SEC
JNCIS-SP
ACE PanOS 6 ACE PanOS 7
http://puluka.com/home
Contributor (Posts: 15, Registered: 03-29-2017)

Re: IPSEC Tunnel over VLANS

Good morning,

 

They want to create a second tunnel and not use the first one.

Distinguished Expert (Posts: 5,028, Registered: 03-30-2009)

Re: IPSEC Tunnel over VLANS

You have the internal routing needs laid out. But the original question remains of how you will handle the NAT for the private addressing on routers A and B to create the tunnel over the internet.

 

You will need to enable NAT-T on the tunnel for a start.

And ensure that the NAT address used on B and C facing the internet can forward UDP 4500 / 500, depending on the type of tunnel created, downstream to routers A and D.

Steve Puluka
Contributor (Posts: 15, Registered: 03-29-2017)

Re: IPSEC Tunnel over VLANS

Thanks for your reply. Sorry, I was on travel. You're going back to the question of whether B and C are NATing and, if so, which one?

Distinguished Expert (Posts: 5,028, Registered: 03-30-2009)

Re: IPSEC Tunnel over VLANS

From your diagram, if I am reading this correctly, the two routers you want to create a VPN between, B & C, have private addressing on the interfaces.

 

This means that before hitting the internet these gateway addresses for the IPSEC tunnel will NAT to public addresses. So the following configurations will need to be coordinated:

 

The VPN will need to enable the NAT-T option. This is required when the gateway IP address used in the tunnel is private and goes through NAT.

 

The local NAT address will need to forward UDP 500 inbound to that private address and permit that traffic from the remote side NAT address from the internet.

Steve Puluka
Contributor (Posts: 15, Registered: 03-29-2017)

Re: IPSEC Tunnel over VLANS

Correct, Routers A and D will have private addresses on them. Routers B and C will NAT to their public addresses.

 

Once I get the gear all in, I can start configuring. I'll keep this updated unless I have to close it. Thanks!

Distinguished Expert (Posts: 5,028, Registered: 03-30-2009)

Re: IPSEC Tunnel over VLANS

Also note that the NAT address you use for these routers will need to be different from the addresses used by B & C for their existing IPSEC tunnels. Since B & C already receive and use IPSEC traffic on those addresses, you won't be able to use them for the A & D router traffic; you will need different addresses.

Steve Puluka
Contributor (Posts: 15, Registered: 03-29-2017)

Re: IPSEC Tunnel over VLANS

Just wanted to give an update. So I was thinking way too hard on this. The switches are only acting as trunks for tagged traffic from the routers. Based on the original diagram I posted, that was incorrect. The routers have tagged interfaces and the switches are trunking those tags from point A to point B.

Distinguished Expert (Posts: 5,028, Registered: 03-30-2009)

Re: IPSEC Tunnel over VLANS

So does this mean you really cannot run the VPN from Router A, but it has to be on Router B?

Steve Puluka
Contributor (Posts: 15, Registered: 03-29-2017)

Re: IPSEC Tunnel over VLANS

 

Router B and C will have an IPSec tunnel between them. Router B will have a static route via the st0.0 interface to the network between C and D. Router C will have a static route via the st0.0 interface to the network between A and B. From there Router A will make another IPSec tunnel and establish it with D.

Distinguished Expert (Posts: 5,028, Registered: 03-30-2009)

Re: IPSEC Tunnel over VLANS

OK, so to recap:

 

ge-0/0/0 on A and D will be the gateway for the VPN

Are the internal interface addresses on these ports reachable to each other in the current network?

10.0.0.0/29 to 10.0.0.16/29

 

If they are you can configure directly a VPN between these two gateways

 

If not:

Is traffic sourced from ge-0/0/0 on A/D as a gateway NATed for internet access between the sites?

Is the NAT a static address or dynamic one at each site?

Is that NAT address already in use for VPN connections or not?

Steve Puluka