Routing
Visitor
Posts: 6
Registered: ‎03-29-2017
0 Kudos

IPSEC Tunnel over VLANS

Good afternoon!  I need to create an IPSEC tunnel between 2 routers.  Please see the attached rudimentary illustration.  The tunnel needs to go from Router A to Router D so they can get to each other's internal networks.  I control Router A, D, and all the managed switches.  Router B and C I have no control over.  The VLAN addresses and VLANs are generic to illustrate the issue.  Typically I would connect Router A directly to Router B and the same with C and D, but that can't be done this time.  Am I overthinking this?  To me Router A needs a static route to get to VLAN 5 via its next hop.  Then Router D needs a static route to VLAN 2 via its next hop.  From there, just configure the IPSEC tunnel as normal and routing protocols through the tunnel.  Something is telling me that won't work.  I need to make sure all traffic is going into the tunnel.

Trusted Expert
Posts: 493
Registered: ‎08-23-2015
0 Kudos

Re: IPSEC Tunnel over VLANS

Hello,

When Router A wants to reach Router D or when Router D wants to reach Router A over the internet, are Routers B & C responsible for NATing the traffic?

If yes, what kind of NAT is used?

Regards,

Rushi

Visitor
Posts: 6
Registered: ‎03-29-2017
0 Kudos

Re: IPSEC Tunnel over VLANS

Rushi,

I'm still trying to contact the owners of Router B and C; I'm fairly certain they will configure it as source NAT using the interface IP.  For this example we can say ge-0/0/0 is the WAN interface on both Router B and C.

Trusted Expert
Posts: 493
Registered: ‎08-23-2015
0 Kudos

Re: IPSEC Tunnel over VLANS

Hello,

With both sides using interface-based NAT, IPSec VPN may not be possible.

At least one of the ends needs to have a static IP (or static one-to-one NAT).

Regards,

Rushi

Visitor
Posts: 6
Registered: ‎03-29-2017
0 Kudos

Re: IPSEC Tunnel over VLANS

Definitely need to get more info from the owners of B and C.  So let's say B and C have static IP addresses for their WAN interfaces.  Then B and C have their own IPSEC tunnel between them so they can talk to each other, no problem.  Within that, A and D want to create a tunnel between each other.

Visitor
Posts: 6
Registered: ‎03-29-2017
0 Kudos

Re: IPSEC Tunnel over VLANS

Updated illustration.  Routers B and C already have an established IPSEC tunnel between them.  Routers A and D need to have one between them.  Again I think I'm overthinking this, but maybe not.  Going by this:

Router B should be able to communicate with VLAN 3 (because it's directly connected)

Router B would need a static route to VLAN 2 via VLAN 3

Router A would need a static route to VLAN 3 via VLAN 2

Router A would need a static route to VLAN 4 via VLAN 2

Router A would need a static route to VLAN 5 via VLAN 2

Router C should be able to communicate with VLAN 4 (because it's directly connected)

Router C would need a static route to VLAN 5 via VLAN 4

Router D would need a static route to VLAN 4 via VLAN 3

Router D would need a static route to VLAN 3 via VLAN 3

Router D would need a static route to VLAN 2 via VLAN 3

Technically, based on that, pending zones/ACLs, everything should ping, correct?  If I can touch end to end, then I should be able to make a tunnel between A and D, correct?

Distinguished Expert
Posts: 4,698
Registered: ‎03-30-2009
0 Kudos

Re: IPSEC Tunnel over VLANS

Why are you not able to add the new proxy id pairs to the existing IPSEC tunnel?

Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
JNCIA-Junos JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCIS-FWV
JNCDA JNCDS-DC JNCDS-SEC
JNCIS-SP
ACE PanOS 6 ACE PanOS 7
http://puluka.com/home
Visitor
Posts: 6
Registered: ‎03-29-2017
0 Kudos

Re: IPSEC Tunnel over VLANS

Good morning,

They want to create a second tunnel and not use the first one.

Distinguished Expert
Posts: 4,698
Registered: ‎03-30-2009
0 Kudos

Re: IPSEC Tunnel over VLANS

You have the internal routing needs laid out.  But the original question remains of how you will handle the NAT for the private addressing on routers A and B to create the tunnel over the internet.

You will need to enable NAT-T on the tunnel for a start.

And ensure that the NAT address used on B and C facing the internet can forward UDP 4500 / 500, depending on the type of tunnel created, downstream to routers A and D.

Visitor
Posts: 6
Registered: ‎03-29-2017
0 Kudos

Re: IPSEC Tunnel over VLANS

Thanks for your reply.  Sorry, I was on travel.  You're going back to the question of whether B and C are NATing and, if so, which kind?

Distinguished Expert
Posts: 4,698
Registered: ‎03-30-2009
0 Kudos

Re: IPSEC Tunnel over VLANS

From your diagram, if I am reading this correctly, the two routers you want to create a VPN between, B & C, have private addressing on the interfaces.

This means before hitting the internet these gateway addresses for the IPSEC tunnel will NAT to public addresses.  So the following configurations will need to be coordinated:

The VPN will need to enable the NAT-T option.  This is required when the gateway IP address used in the tunnel is private and goes through NAT.

The local NAT address will need to forward UDP 500 inbound to that private address and permit that traffic from the remote side NAT address from the internet.

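Two points raised in the thread are easy to see in code: Rushi's warning that interface-based NAT on both edge routers leaves nobody able to receive the first IKE packet, and Steve's advice that NAT-T is needed and that UDP 500/4500 must be forwarded inbound to the private gateway. The model below, added here as an illustration and not taken from the thread or from any Juniper product, walks an IKE_SA_INIT request from A out through B's source NAT, into C's inbound forward, and onto D, and then runs the IKEv2 NAT detection check (RFC 7296 section 2.23: SHA-1 over SPIi, SPIr, IP and port) that makes the peers float to UDP 4500. All addresses, SPIs, the translated source port 40001 and the function names are constructed for the example; Router A sits on a made-up VLAN 2 subnet and Router D on a made-up VLAN 5 subnet.

```python
"""Model of IKEv2 NAT detection for the A - B - (internet) - C - D layout.
Constructed example; addresses, SPIs and ports are not from the thread."""
import hashlib
import ipaddress
import struct
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

IKE_PORT = 500
NAT_T_PORT = 4500


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """Value carried in NAT_DETECTION_*_IP: SHA-1(SPIi | SPIr | IP | Port)."""
    packed_ip = ipaddress.ip_address(ip).packed
    return hashlib.sha1(spi_i + spi_r + packed_ip + struct.pack("!H", port)).digest()


@dataclass(frozen=True)
class IkeSaInit:
    spi_i: bytes
    spi_r: bytes
    src_ip: str        # outer IP header as currently seen on the wire
    src_port: int
    dst_ip: str
    dst_port: int
    nat_src: bytes     # NAT_DETECTION_SOURCE_IP, computed by the sender before any NAT
    nat_dst: bytes     # NAT_DETECTION_DESTINATION_IP, for the peer address the sender dialled


def build_ike_sa_init(spi_i: bytes, src_ip: str, dst_ip: str, port: int = IKE_PORT) -> IkeSaInit:
    """Initiator request; SPIr is all zeros until the responder chooses one."""
    spi_r = bytes(8)
    return IkeSaInit(spi_i, spi_r, src_ip, port, dst_ip, port,
                     nat_detection_hash(spi_i, spi_r, src_ip, port),
                     nat_detection_hash(spi_i, spi_r, dst_ip, port))


def source_nat(msg: IkeSaInit, public_ip: str, public_port: int) -> IkeSaInit:
    """Interface-based source NAT on the egress router (B or C): only the outer header changes,
    the hashes inside the IKE payload are untouched."""
    return replace(msg, src_ip=public_ip, src_port=public_port)


def destination_nat(msg: IkeSaInit,
                    forwards: Dict[Tuple[str, int], Tuple[str, int]]) -> Optional[IkeSaInit]:
    """Inbound forward on the remote edge router. With no (public_ip, port) -> private entry the
    packet stops at the router, which is the 'interface NAT on both sides' failure."""
    target = forwards.get((msg.dst_ip, msg.dst_port))
    if target is None:
        return None
    return replace(msg, dst_ip=target[0], dst_port=target[1])


def detect_nat(msg: IkeSaInit, my_ip: str, my_port: int) -> dict:
    """Responder-side check on the packet as it arrives: a hash that no longer matches the
    observed address means a NAT sits on that side, so ESP must be UDP-encapsulated on 4500."""
    sender_behind_nat = nat_detection_hash(msg.spi_i, msg.spi_r, msg.src_ip, msg.src_port) != msg.nat_src
    receiver_behind_nat = nat_detection_hash(msg.spi_i, msg.spi_r, my_ip, my_port) != msg.nat_dst
    udp_encap = sender_behind_nat or receiver_behind_nat
    return {
        "sender_behind_nat": sender_behind_nat,
        "receiver_behind_nat": receiver_behind_nat,
        "udp_encapsulation": udp_encap,
        "port": NAT_T_PORT if udp_encap else IKE_PORT,
    }


# Constructed addressing: A on VLAN 2 behind B, D on VLAN 5 behind C.
SPI_I = bytes.fromhex("0123456789abcdef")
A_PRIVATE, B_PUBLIC = "10.2.0.10", "203.0.113.1"
D_PRIVATE, C_PUBLIC = "10.5.0.10", "198.51.100.1"


def thread_scenario(forward_ike: bool = True) -> Optional[dict]:
    """A initiates to D. A only knows D by C's public address; B source-NATs on the way out.
    With forward_ike=False, C has no inbound forward for UDP 500 and the packet is dropped."""
    msg = build_ike_sa_init(SPI_I, A_PRIVATE, C_PUBLIC)
    msg = source_nat(msg, B_PUBLIC, 40001)          # constructed translated port
    forwards = {}
    if forward_ike:
        forwards = {(C_PUBLIC, IKE_PORT): (D_PRIVATE, IKE_PORT),
                    (C_PUBLIC, NAT_T_PORT): (D_PRIVATE, NAT_T_PORT)}
    delivered = destination_nat(msg, forwards)
    if delivered is None:
        return None
    return detect_nat(delivered, D_PRIVATE, IKE_PORT)


def direct_scenario() -> dict:
    """Contrast case: the gateways address each other directly with no NAT in the path."""
    msg = build_ike_sa_init(SPI_I, B_PUBLIC, C_PUBLIC)
    return detect_nat(msg, C_PUBLIC, IKE_PORT)


if __name__ == "__main__":
    print("A -> D through B and C:", thread_scenario())
    print("A -> D, no forward on C:", thread_scenario(forward_ike=False))
    print("direct, no NAT:", direct_scenario())
```

Run as-is, the first case reports NAT on both sides and a float to port 4500, the second returns `None` because C never hands the packet to D, and the direct case stays on port 500. This is why the inbound forwards on B and C have to cover both UDP 500 and UDP 4500, and why NAT-T has to be permitted on the tunnel before A and D can ever complete IKE.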