Multi-address WAN - How is the IPsec Peer source address set?

Hi, my issue refers to an IPsec Peer problem in ROS 6.1, but maybe I am doing something wrong in the configuration.

Situation description:

ether1 is the WAN interface and it has several IP addresses, for example 1.1.1.1, 1.1.1.2, 1.1.1.3

I set an IPsec Peer with the destination address of the remote site. The problem is with the source address, because whenever my router initiates the Peer connection it uses the first IP, 1.1.1.1, as the source address, when I expect the Peer to be established with source 1.1.1.3.

How can I set IP 1.1.1.3 as the source address for initiating the IPsec Peer connection?
I was testing “src-nat” to the remote site, but IPsec with NAT is not working.

Is it possible?
Best Regards
Jacko

Yes, of course it is possible.

You just need to tell your router what source IP address it should use in order to reach the desired destination address.

So basically, if you have two remote IPSec routers and interface with multiple source IP addresses, you will need to add two additional routes:

/ip route
add dst-address=2.2.2.1/32 gateway=1.1.1.255 pref-src=1.1.1.1
add dst-address=2.2.2.2/32 gateway=1.1.1.255 pref-src=1.1.1.2

That will tell your router to place src-addr of 1.1.1.1 when trying to reach the remote end on 2.2.2.1 and 1.1.1.2 when trying to reach 2.2.2.2.

Don’t remove your default route in the process; RT matching is done based on the longest-prefix.

Have fun!
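The route selection described in the answer above, as an added Python model (not part of the original posts and not RouterOS code). Assumptions: the default route's gateway and the peer 2.2.2.3 are constructed, the fallback to the first interface address models the behaviour reported in the question, and a route whose pref-src is not a local address is treated as inactive.

```python
import ipaddress
from typing import NamedTuple, Optional


class Route(NamedTuple):
    dst: str                        # destination prefix
    gateway: str
    pref_src: Optional[str] = None  # preferred source for locally originated packets


# Addresses on ether1, in the order the question lists them.
WAN_ADDRS = ["1.1.1.1", "1.1.1.2", "1.1.1.3"]

ROUTES = [
    Route("0.0.0.0/0", "1.1.1.255"),              # default route (constructed, not shown in the thread)
    Route("2.2.2.1/32", "1.1.1.255", "1.1.1.1"),  # host routes from the answer
    Route("2.2.2.2/32", "1.1.1.255", "1.1.1.2"),
]

# Hypothetical route for the asker's case: remote peer 2.2.2.3 is a constructed address.
PEER_ROUTE = Route("2.2.2.3/32", "1.1.1.255", "1.1.1.3")


def is_active(route, local_addrs):
    """Assumption of this model: a pref-src that is not configured locally disables the route."""
    return route.pref_src is None or route.pref_src in local_addrs


def lookup(dst, routes=ROUTES, local_addrs=WAN_ADDRS):
    """Return (matched prefix, source address) for router-originated traffic to dst.

    The longest matching prefix wins. Without pref-src the first interface
    address is used, which is why the peer in the question always saw 1.1.1.1.
    """
    ip = ipaddress.ip_address(dst)
    matches = [r for r in routes
               if is_active(r, local_addrs) and ip in ipaddress.ip_network(r.dst)]
    if not matches:
        return None  # no route at all, e.g. after deleting the default route
    best = max(matches, key=lambda r: ipaddress.ip_network(r.dst).prefixlen)
    return best.dst, best.pref_src or local_addrs[0]


if __name__ == "__main__":
    for target in ("2.2.2.1", "2.2.2.2", "2.2.2.3", "8.8.8.8"):
        print(target, "before:", lookup(target),
              "after:", lookup(target, ROUTES + [PEER_ROUTE]))
```

The source address printed for each peer is the one the remote side has to expect as its peer address, so a pref-src that does not match the remote configuration shows up as a failed negotiation rather than a routing error.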