MrHae
Frequent Visitor
Topic Author
Posts: 62
Joined: Wed May 26, 2021 7:40 pm

IPIP / DDNS / IPSEC / Routing

Mon Sep 27, 2021 1:24 pm

Hey guys,

Just at the beginning, sorry for my English :).
I have a VPN network with 4 locations configured as a "star": one main location and 3 sub-locations which connect to Main.
Until now I just configured IPSEC site-to-site with policy, but with this I got some problems: since I did my SIP telephony rollout I have some problems with my RTP streams, because if Sublocation 1 calls Sublocation 2 they will connect to each other directly, but there are no routes.

So I wanted to implement an IPIP tunnel so I can route into these interfaces. I understood that IPIP can create its own IPSEC tunnel but not with DDNS, so I decided to use my own IPSEC connections.

But now I think I have to put the IPSEC tunnel in some separate IP, because I had the feeling the IPSEC policy will be "routed" before the routing table.

For IP addresses I have this concept, with the question to you whether this is correct or too complicated:

Main Location:
LAN-BRIDGE: 192.168.8.0/24 (GW: .254)
IPSEC-BRIDGE: 192.168.28.254 = GW
IPIP: 192.168.120.1 (/24)

SubLocation1:
LAN-BRIDGE: 192.168.9.0/24 (GW: .254)
IPSEC-BRIDGE: 192.168.29.254 = GW
IPIP: 192.168.120.2 (/24)

SubLocation2:
LAN-BRIDGE: 192.168.10.0/24 (GW: .254)
IPSEC-BRIDGE: 192.168.30.254 = GW
IPIP: 192.168.120.3 (/24)

SubLocation3:
LAN-BRIDGE: 192.168.11.0/24 (GW: .254)
IPSEC-BRIDGE: 192.168.31.254 = GW
IPIP: 192.168.120.4 (/24)

So in every location I would do some routes into the IPIP tunnel interface, like:

MainLocation:
route 192.168.9.0/24 --> IPIP Interface
route 192.168.10.0/24 --> IPIP Interface
route 192.168.11.0/24 --> IPIP Interface

Location3:
route 192.168.10.0/24 --> IPIP Interface
route 192.168.9.0/24 --> IPIP Interface
route 192.168.8.0/24 --> IPIP Interface
 
mkx
Forum Guru
Posts: 11593
Joined: Thu Mar 03, 2016 10:23 pm

Re: IPIP / DDNS / IPSEC / Routing

Mon Sep 27, 2021 3:38 pm

> So I wanted to implement an IPIP tunnel so I can route into these interfaces. I understood that IPIP can create its own IPSEC tunnel but not with DDNS, so I decided to use my own IPSEC connections.

What exactly do you mean by "IPIP can create own IPSEC Tunnel but not with DDNS"? I'm running IPIP tunnel with remote-address configured with DNS ... in my particular case I configured DNS name which is actually CNAME for DDNS (pointing at XXXXXXXX.sn.mynetname.net). Tunnel gets up just fine. The only gotcha I guess is that in case the IP address changes (and IPIP tunnel drops), it'll take a while before tunnel gets up again (until TTL of old XXX.sn.mynetname.net expires). Well, I hope that ROS tries to resolve DNS name to IP address every time tunnel is about to start.

BTW, if you get running with IPIP tunnels, then you don't need any of those subnets (IPIP and IPSEC-bridge), only a fancy addressing of IPIP interface is needed. If you're interested, I can explain it in another post.
 
MrHae
Frequent Visitor
Topic Author
Posts: 62
Joined: Wed May 26, 2021 7:40 pm

Re: IPIP / DDNS / IPSEC / Routing

Mon Sep 27, 2021 3:59 pm

> > So I wanted to implement an IPIP tunnel so I can route into these interfaces. I understood that IPIP can create its own IPSEC tunnel but not with DDNS, so I decided to use my own IPSEC connections.
>
> in my particular case I configured DNS name which is actually CNAME for DDNS (pointing at XXXXXXXX.sn.mynetname.net). Tunnel gets up just fine.
>
> BTW, if you get running with IPIP tunnels, then you don't need any of those subnets (IPIP and IPSEC-bridge), only a fancy addressing of IPIP interface is needed. If you're interested, I can explain it in another post.

OK, I was confused because after entering my DDNS it resolved into the IP and was written into the IPSEC peer as IP and not as DDNS.
