IPsec tunnels based on virtual IPsec interfaces (VTI)

Network architecture

  • The main LILLE site hosts three WAN links (LIL-WAN-1, LIL-WAN-2 and LIL-WAN-3).
  • The secondary PARIS site hosts two main WAN links (PAR-WAN-1 and PAR-WAN-2).

IPsec architecture

  • The LILLE and PARIS sites communicate through two IPsec tunnels that are based on virtual IPsec interfaces (VTI).
  • One of the sites can be configured as responder only.

LILLE site

The FW-LILLE firewall uses two static routes to set up IPsec tunnels with the PARIS site through WAN access link pairs LIL-WAN-1/PAR-WAN-1 and LIL-WAN-2/PAR-WAN-2. These tunnels are based on virtual IPsec interfaces.

This configuration restricts tunnel traffic to fixed pairs: LIL-WAN-1 communicates only with PAR-WAN-1, and LIL-WAN-2 only with PAR-WAN-2.

NOTE
As the PARIS site has one fewer WAN link than the LILLE site, the LIL-WAN-3 access link is not used to set up the IPsec tunnels with the PARIS site.

A route to the PARIS site has to be defined so that traffic is sent through the tunnels: this can be done with a router object whose two gateways are the virtual IPsec interfaces leading to the PARIS site.

This route can be defined:

  • Through policy-based routing (PBR). This option enables both load balancing and failover between the two router object gateways.
  • Through static routing. This option requires failover to be configured between the two router object gateways; load balancing cannot be used in this case.
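The following is an added illustration, not part of the original documentation and not the firewall vendor's own code: a small Python model of the router object described above, with the two virtual IPsec interfaces as gateways. It shows the behavioural difference between the two routing options (PBR balances new flows across healthy gateways and fails over; static routing only fails over from the first healthy gateway) and checks that each tunnel respects the fixed LIL-WAN-n/PAR-WAN-n pairing. The interface names ipsec1 and ipsec2, the round-robin balancing policy and the link states are assumptions made for the example.

```python
"""Gateway selection over a two-VTI IPsec design (added illustration).

Assumed names: ipsec1/ipsec2 are hypothetical VTI interface names; the
round-robin policy stands in for whatever load-balancing method the
firewall actually uses.
"""
from dataclasses import dataclass, field
from itertools import cycle
from typing import Iterator, List, Optional, Set, Tuple

# Only these local/remote WAN pairs may carry a tunnel (from the design).
ALLOWED_PAIRS: Set[Tuple[str, str]] = {
    ("LIL-WAN-1", "PAR-WAN-1"),
    ("LIL-WAN-2", "PAR-WAN-2"),
}


@dataclass
class VtiTunnel:
    """One virtual IPsec interface, pinned to a fixed local/remote WAN pair."""
    name: str
    local_wan: str
    remote_wan: str
    up: bool = True


@dataclass
class RouterObject:
    """An ordered list of gateways (here, VTI tunnels).

    mode="pbr":    balance new flows across healthy gateways, fail over when one is down.
    mode="static": always use the first healthy gateway in configured order (failover only).
    """
    gateways: List[VtiTunnel]
    mode: str = "pbr"
    _rr: Iterator[int] = field(init=False, repr=False)

    def __post_init__(self) -> None:
        if self.mode not in ("pbr", "static"):
            raise ValueError("mode must be 'pbr' or 'static'")
        self._rr = cycle(range(len(self.gateways)))

    def healthy(self) -> List[VtiTunnel]:
        return [g for g in self.gateways if g.up]

    def select(self) -> Optional[VtiTunnel]:
        """Pick the gateway for a new flow, or None if every tunnel is down."""
        live = self.healthy()
        if not live:
            return None
        if self.mode == "static":
            return live[0]
        # PBR: simplified round-robin that skips gateways that are down.
        while True:
            candidate = self.gateways[next(self._rr)]
            if candidate.up:
                return candidate


def check_pairing(tunnels: List[VtiTunnel], allowed: Set[Tuple[str, str]]) -> List[str]:
    """Names of tunnels whose local/remote WAN pair violates the allowed pairing."""
    return [t.name for t in tunnels if (t.local_wan, t.remote_wan) not in allowed]


def build_lille_router(mode: str = "pbr", wan1_up: bool = True, wan2_up: bool = True) -> RouterObject:
    """Constructed FW-LILLE router object: two VTIs towards the PARIS site."""
    tunnels = [
        VtiTunnel("ipsec1", "LIL-WAN-1", "PAR-WAN-1", wan1_up),
        VtiTunnel("ipsec2", "LIL-WAN-2", "PAR-WAN-2", wan2_up),
    ]
    return RouterObject(tunnels, mode)


def distribute(router: RouterObject, flows: int) -> List[Optional[str]]:
    """Gateway chosen for each of `flows` new flows (None when no tunnel is up)."""
    return [g.name if g else None for g in (router.select() for _ in range(flows))]


if __name__ == "__main__":
    print("PBR, both links up:   ", distribute(build_lille_router("pbr"), 4))
    print("static, both links up:", distribute(build_lille_router("static"), 4))
    print("static, LIL-WAN-1 down:", distribute(build_lille_router("static", wan1_up=False), 2))
    # A tunnel on LIL-WAN-3 breaks the design's pairing rule and is reported.
    stray = VtiTunnel("ipsec3", "LIL-WAN-3", "PAR-WAN-1")
    print("pairing violations:   ", check_pairing(build_lille_router().gateways + [stray], ALLOWED_PAIRS))
```

With both tunnels up, the PBR router spreads flows across ipsec1 and ipsec2 while the static router sends everything through ipsec1; when LIL-WAN-1 goes down both modes move to ipsec2, which is the failover behaviour the two options share.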

NOTE
If the PARIS site had only one WAN link, the configuration could still be deployed by using an alias or a second public IP address to define PAR-WAN-1.

PARIS site

The configuration of the PARIS site mirrors the LILLE site.