Forum Discussion

n3tw0rkn3rd_383's avatar
n3tw0rkn3rd_383
Icon for Nimbostratus rankNimbostratus
7 years ago

IPSec VPN - Must the tunnel local address be the self/floating IP address?

Hello everyone,   Regrading IPSec VPN (tunnel mode) setup, I have no idea whether the tunnel local address can be different than the self/floating IP address (another IP address in the same range ...
M__Moffatt's avatar
M__Moffatt
Icon for Employee rankEmployee
5 years ago

Answering this comically late. The tunnel local address MUST be a self IP.

 

You can configure a non-existent self IP as the tunnel local IP in the IPsec configuration but the tunnel won't work properly until you configure a matching self IP.

 

Floating self IPs are preferred because with mirroring it also provided HA failover of the tunnels. For HA failover of IPsec tunnels, a floating self IP must be used and the tunnel must be IKEv2.