Hi,
I have set up a site-to-site IPsec VPN between two routers (v6.17). Let’s call them R1 and R2, and their public IPs IP1 and IP2 respectively. Let’s call the internal IP networks of the two sites net1 and net2. However, there is a VRRP interface on R1 with an address of VIP. I suspect that due to this, I have to define two IPsec policies on each of R1 and R2, like:
R1:
from net1 to net2, sa-src-address=IP1 and sa-dst-address=IP2
from net1 to net2, sa-src-address=VIP and sa-dst-address=IP2
R2:
from net2 to net1, sa-src-address=IP2 and sa-dst-address=IP1
from net2 to net1, sa-src-address=IP2 and sa-dst-address=VIP
Do you know why this is required? That is, why I have to involve the VIP at all?
Thanks!