Forum Discussion

wendelyes
Jun 11, 2024

Multiple IPSec tunnels to the same remote peer

Hello everyone,


I need to load balance traffic to a third party with IPSec. I have configured an IPsec tunnel using the IPSec Interface mode, assigning a /30 self-ip to the tunnel and creating a virtual server that forwards the traffic to the node with the tunnel remote IP.


All this setup works as expected but the IPSec tunnel has a bandwidth limitation of 1Gbps and I need to reach 3Gbps.

The problem that I am facing is: when I try to create a new ike-peer with the same destination IP address, I get the error: 

01070734:3: Configuration error: remote-address (a.a.a.a) is also used by ike-peer (/Common/peer1)

Does someone know how I can create multiple IPsec tunnels to the same remote IP? I can add different IPs on the local side, but not on the remote one.


Regards and thanks in advance

  • To tunnel multiple subnets over IPsec, typically you'd just add these "routes" (SPIs) in your phase-2 settings on both ends of the tunnel. IPsec doesn't really have a concept of "multiple tunnels", because ESP traffic is connectionless and traffic traveling to the peer should be routed toward the one that will accept it.


    How are you able to determine that there is a 1 gig bottleneck in your setup?

    Have you tried doing this with the BIG-IP and the peer device connected on a network that you can locally control?


  • Hello,


    The remote peer is a SASE cloud vendor, so I cannot control it. They have PoPs all over the world and we have to connect to the closest one because of latency.

    The 1Gbps limit is the max performance for each tunnel according to the cloud vendor documentation. I guess that they have multiple IPsec terminators (with 1G capacity each) behind the same public IP because NAT-T is required.


    In our scenario, the traffic selector is set to 0.0.0.0/0 in source and destination because the purpose is to route navigation traffic to inspect and filter it in this cloud solution.


    ESP is not really connectionless for the endpoints because all ESP packets should match a session with its encryption, authentication and integrity, right? But yes, for the inline devices, it is connectionless.

    For example, I have created this type of scenario with Cisco routers or Palo Alto firewalls by creating 2 ike-peers and using the same IPs in both endpoints. You only have to specify different identifiers (FQDNs, for example) for each ike-peer.


    The problem I have with F5 is that I cannot even create 2 ike-peers with the same remote address.


    Regards

  • You cannot have multiple VPN tunnels to the same destination from the same source for a site-to-site VPN.

  • Not even if I have different source IPs?

    With "same source" do you mean "same device" or "same source IP"?

  • Theoretically you could if you had a different source IP on the same device to initiate traffic from but you would have to have completely separate lists so that your device knows how to split the traffic. So this would require a routing policy that would direct traffic down each tunnel for specific traffic and then you would have to have the same on the other end. Typically this is done by having a routing policy that says this source host/subnet will communicate with this destination host/subnet when traversing this tunnel. I do not believe you would be able to have all subnets flow down both tunnels simultaneously because of how routing functions. I did mean same device because typically F5s do not have multiple ISP connections directly connected to them but it is possible.

  • I don't think the routing would be an issue. My idea was to use IPSec interfaces with a /30 so, for example:

    Tunnel1-self-ip: 10.0.0.1/30

    Tunnel2-self-ip: 10.0.0.5/30

    Next step would be to create a pool with the following nodes:

    Tunnel1-node: 10.0.0.2

    Tunnel2-node: 10.0.0.6


    Creating a FastL4 virtual server with this pool and disabling address and port translation should do the routing job. Also I could assign persistence, iRules etc. to handle the traffic over the two tunnels. Remember that the traffic destination is the internet, so it could be any public IP.

    This scenario works fine, but the problem is that I cannot create two IPsec peers to the same destination IP.

    The scenario you mentioned with multiple ISPs connected to the F5 is a very good example. I could need two tunnels for redundancy if I have two different ISPs.
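A tmsh rendering of the pool-and-virtual-server half of the design in the post above, as an added example that is not from the thread or from F5's own documentation; the object names, the VLAN name `internal` and the assumption that two interface-mode tunnels named `tunnel1` and `tunnel2` already exist are all constructed. It deliberately leaves out the second ike-peer, since creating that is the unresolved problem in this thread.

```tmsh
# Constructed example, not from the thread. Assumes two IPsec interface-mode
# tunnel objects (tunnel1, tunnel2) already exist; the remote /30 addresses
# 10.0.0.2 and 10.0.0.6 are the far ends of each tunnel.

# /30 self-IP on each tunnel interface. allow-service none keeps the
# BIG-IP's own management/services off the tunnel interfaces.
create net self tunnel1_self address 10.0.0.1/30 vlan tunnel1 allow-service none
create net self tunnel2_self address 10.0.0.5/30 vlan tunnel2 allow-service none

# One pool member per tunnel (port 0 = any port). The gateway_icmp monitor
# marks a tunnel's node down if the far end stops answering, so traffic
# fails over to the remaining tunnel instead of being black-holed.
create ltm pool ipsec_tunnels_pool \
    members add { 10.0.0.2:0 10.0.0.6:0 } \
    monitor gateway_icmp \
    load-balancing-mode round-robin

# Wildcard FastL4 virtual server on the inside VLAN only. Address and port
# translation are disabled, so the pool member is used purely as a next hop
# and the original client/destination addresses reach the SASE side intact.
# Source-address persistence pins each client to one tunnel, so the cloud
# inspection sees a consistent session rather than half of it per tunnel.
create ltm virtual vs_to_sase \
    destination 0.0.0.0:0 mask any ip-protocol any \
    vlans add { internal } vlans-enabled \
    profiles add { fastL4 } \
    pool ipsec_tunnels_pool \
    translate-address disabled translate-port disabled \
    persist replace-all-with { source_addr }

save sys config
```

Because the virtual server listens for any destination, restricting it to the inside VLAN is what prevents it from catching traffic arriving from the tunnels themselves.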