Nat – Multiple IPSEC tunnels between 2 Cisco Routers

Tags: cisco-asr, ike, ipsec, nat, vrf

I have a scenario where we need to establish multiple IPSEC tunnels between 2 devices.

In the above scenario, the ASR has multiple VRFs and we want to create an IPSEC tunnel for each VRF, and the other end is the same VIP.
Because of this we are considering using certificates instead of PSK.

One certificate (with a different CN) will be used for each tunnel, which will help in identifying which tunnel is from which VRF (customer).

I'm thinking VRF-aware IPSEC should work in this scenario. But my concern is: if the ASR public interface does the NATing, what will happen to the source ports (500/4500)?
I understand that when there are multiple flows with the same source port, NAT will change the source port number and maintain it in its table.
Please help me in confirming (with configs) if this scenario works, or whether there is a better way to do it.

PS: The F5 load balancer can only look into Layer 3 & 4 headers. I have multiple IPSEC terminators and I need load balancing. So I am assuming the source port will be different for each tunnel initiated from the ASR.

Best Answer

You could build this quite simply using VTIs (GRE tunnels with IPSec protection). As the two tunnels have the same source, destination IP pairs, you will need to make sure you use a unique (per tunnel) GRE tunnel key (id), so the ASR can differentiate between them. You can choose to use the same IPSEC profile (you'll need the 'shared' keyword on the end of the tunnel protection command) or different profiles. You can place the tunnel interface into any VRF you like.

Because of the F5 VIP, the tunnels will need to be initiated from the two routers behind the F5. I would tell the ASR to operate in responder-only mode (in the ipsec profile configuration) in this instance.

If you have a lot of VRFs, then FlexVPN is a better option and you can pull the CN out of the certs and assign profiles (which you can even back-end onto a RADIUS server). This is far more complicated to configure so I recommend you have a good read through the documentation.
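An ASR-side configuration of the VTI approach described in this answer (two GRE/IPsec tunnels to the same VIP, told apart by tunnel key, one shared profile in responder-only mode, each tunnel in its own VRF). This is an added example, not the answer's or poster's own config; the trustpoint, VRF and interface names, the addresses and the F5 VIP 203.0.113.10 are assumed placeholders.

```cisco
! Constructed ASR-side example. Assumed: trustpoint TP-ASR, VRFs CUST-A and
! CUST-B, public interface Gi0/0/0 in the global table, F5 VIP 203.0.113.10.
crypto pki trustpoint TP-ASR
 enrollment terminal
 revocation-check none
!
crypto ikev2 proposal IKEV2-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy IKEV2-POL
 proposal IKEV2-PROP
!
crypto ikev2 profile IKEV2-PROF
 match identity remote any
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP-ASR
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
!
! One profile for both tunnels; responder-only because the peers behind
! the F5 VIP must initiate (the VIP cannot be dialled into per terminator).
crypto ipsec profile IPSEC-PROF
 set transform-set TS-AES
 set ikev2-profile IKEV2-PROF
 responder-only
!
! Same source/destination pair on both tunnels: the GRE key is what lets
! the ASR tell them apart, and 'shared' lets them reuse one IPsec profile.
interface Tunnel100
 description Customer A
 vrf forwarding CUST-A
 ip address 10.100.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.10
 tunnel key 100
 tunnel protection ipsec profile IPSEC-PROF shared
!
interface Tunnel200
 description Customer B
 vrf forwarding CUST-B
 ip address 10.200.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.10
 tunnel key 200
 tunnel protection ipsec profile IPSEC-PROF shared
```

After the peers bring the tunnels up, `show crypto ipsec sa` and `show interface tunnel100 | include key` are the places to confirm that both tunnels share one SA pair to the VIP and that each carries its own GRE key.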