Configure two active tunnels using VTI interfaces

Establish the two IPsec tunnels using Virtual Tunnel Interfaces (VTI).

Before you begin

Create an IKEv2 profile, a transform set and two access-lists.

This technique relies on policy-based routing over VTI interfaces, together with dummy subnets that are used to force web traffic into the appropriate tunnel interface.

The dummy subnets need to be a minimum of /30 in size to provide two usable interface addresses. One address is allocated to the VTI interface and the other is used in the policy-based routing configuration to represent the Forcepoint ONE SSE data center. For example, assume that 192.168.254.0/30 and 192.168.254.4/30 are two unused /30 blocks within your internal address plan. This would allow the following addressing to be used on the ISR:

  • dummy_subnet1_ip1 — 192.168.254.1
  • dummy_subnet1_ip2 — 192.168.254.2
  • dummy_subnet2_ip1 — 192.168.254.5
  • dummy_subnet2_ip2 — 192.168.254.6

Steps

  1. Create an IPsec profile and associate the transform set and IKEv2 profile that you created.
    1. Enter a name for the IPsec profile used by the IPsec tunnels:
      crypto ipsec profile <IPsec Profile Name>
    2. Enter the transform set you defined for the IPsec tunnels:
      set transform-set <Transform Set Name>
    3. Enter the IKEv2 profile name you configured for the IPsec tunnels:
      set ikev2-profile <IKEv2 Profile Name>
  2. Create the primary tunnel interface, configure the tunnel source and destination IP addresses, and associate the IPsec profile:
    1. Create your primary tunnel interface with an ID:
      interface <Primary Tunnel Interface>
    2. Enter the local IP address for the interface together with its subnet mask (255.255.255.252 for a /30 dummy subnet):
      ip address <dummy_subnet1_ip1> 255.255.255.252
    3. Set the tunnel source, that is, the egress IP address of the edge device:
      tunnel source <public_egress_IP>
    4. Define the tunnel mode:
      tunnel mode ipsec ipv4
    5. Set the tunnel destination to the IP address of the primary data center, which you can find in the tunnel Setup Info dialog:
      tunnel destination <Primary_destination_address>
    6. Enter the profile name you configured for the IPsec tunnels:
      tunnel protection ipsec profile <IPsec Profile Name>
  3. Create the secondary tunnel interface, configure the tunnel source and destination IP addresses, and associate the IPsec profile:
    1. Create your secondary tunnel interface with an ID:
      interface <Secondary Tunnel Interface>
    2. Enter the local IP address for the interface together with its subnet mask (255.255.255.252 for a /30 dummy subnet):
      ip address <dummy_subnet2_ip1> 255.255.255.252
    3. Set the tunnel source, that is, the egress IP address of the edge device:
      tunnel source <public_egress_IP>
    4. Define the tunnel mode:
      tunnel mode ipsec ipv4
    5. Set the tunnel destination to the IP address of the secondary data center, which you can find in the tunnel Setup Info dialog:
      tunnel destination <Secondary_destination_address>
    6. Enter the profile name you configured for the IPsec tunnels:
      tunnel protection ipsec profile <IPsec Profile Name>
  4. Create a route map, associate the access-list that you created, and set the next hops on the tunnel subnets.
    1. Define a route map to match traffic against:
      route-map <Route Map Name> permit 10
    2. Assign the access-list to the route map you created:
      match ip address <access_list_number>
    3. Set the IP next hops, primary tunnel first and secondary tunnel second:
      set ip next-hop <dummy_subnet1_ip2> <dummy_subnet2_ip2>
  5. Associate the route map with the incoming interface:
    interface <incoming_interface>
    ip policy route-map <Route Map Name>
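The following is an added worked example, not code from Forcepoint or Cisco: a small Python script that derives the four ISR addresses from two dummy blocks exactly as described above (rejecting anything smaller than /30 or overlapping) and renders the commands from steps 1 through 5 as one configuration block. The interface names (Tunnel1, Tunnel2, GigabitEthernet0/0/1), the profile, transform-set and route-map names, the access-list number 101, and the egress and data-center addresses (RFC 5737 documentation ranges) are all constructed placeholders; substitute the real values from your tunnel Setup Info dialog.

```python
"""Derive dummy /30 addressing and render the two-VTI ISR configuration.

Added example; the names and public addresses below are placeholders.
"""
import ipaddress


def derive_dummy_addresses(subnet1: str, subnet2: str) -> dict:
    """Split two unused dummy blocks into the four ISR addresses.

    Each block must be IPv4 and at least /30 so that it yields two usable
    hosts: the first is bound to the VTI, the second stands in for the
    Forcepoint ONE SSE data center as the policy-based-routing next hop.
    """
    nets = [ipaddress.ip_network(s, strict=True) for s in (subnet1, subnet2)]
    for net in nets:
        if net.version != 4 or net.prefixlen > 30:
            raise ValueError(f"{net}: dummy subnet must be IPv4 and /30 or larger")
    if nets[0].overlaps(nets[1]):
        raise ValueError("dummy subnets must not overlap")
    (ip1_a, ip1_b), (ip2_a, ip2_b) = (list(n.hosts())[:2] for n in nets)
    return {
        "dummy_subnet1_ip1": str(ip1_a), "dummy_subnet1_ip2": str(ip1_b),
        "dummy_subnet2_ip1": str(ip2_a), "dummy_subnet2_ip2": str(ip2_b),
        "mask1": str(nets[0].netmask), "mask2": str(nets[1].netmask),
    }


def render_config(addr: dict, *, ipsec_profile, transform_set, ikev2_profile,
                  egress_ip, primary_dc, secondary_dc, acl, route_map,
                  incoming_if, primary_if="Tunnel1", secondary_if="Tunnel2") -> str:
    """Render the IOS commands of steps 1 to 5 as a single configuration block."""
    lines = [
        f"crypto ipsec profile {ipsec_profile}",
        f" set transform-set {transform_set}",
        f" set ikev2-profile {ikev2_profile}",
        "!",
    ]
    # Steps 2 and 3 differ only in interface, local address and destination.
    for name, ip, mask, dest in (
        (primary_if, addr["dummy_subnet1_ip1"], addr["mask1"], primary_dc),
        (secondary_if, addr["dummy_subnet2_ip1"], addr["mask2"], secondary_dc),
    ):
        lines += [
            f"interface {name}",
            f" ip address {ip} {mask}",
            f" tunnel source {egress_ip}",
            " tunnel mode ipsec ipv4",
            f" tunnel destination {dest}",
            f" tunnel protection ipsec profile {ipsec_profile}",
            "!",
        ]
    lines += [
        f"route-map {route_map} permit 10",
        f" match ip address {acl}",
        # Primary next hop first: IOS uses the first next hop whose interface
        # is up, so traffic moves to the secondary VTI when the primary drops.
        f" set ip next-hop {addr['dummy_subnet1_ip2']} {addr['dummy_subnet2_ip2']}",
        "!",
        f"interface {incoming_if}",
        f" ip policy route-map {route_map}",
    ]
    return "\n".join(lines)


# Constructed placeholder values (assumptions, not real Forcepoint addresses):
# egress and data-center IPs come from RFC 5737 documentation ranges.
EXAMPLE = dict(
    ipsec_profile="FP1-IPSEC", transform_set="FP1-TS", ikev2_profile="FP1-IKEV2",
    egress_ip="192.0.2.1", primary_dc="198.51.100.10", secondary_dc="203.0.113.10",
    acl="101", route_map="FP1-PBR", incoming_if="GigabitEthernet0/0/1",
)


def example_config() -> str:
    """Use the two /30 blocks from the procedure with the placeholder names."""
    addr = derive_dummy_addresses("192.168.254.0/30", "192.168.254.4/30")
    return render_config(addr, **EXAMPLE)


if __name__ == "__main__":
    print(example_config())
```

The order of the two addresses in `set ip next-hop` is what provides failover: IOS policy-based routing uses the first listed next hop whose connected interface is up, and because a VTI's line protocol goes down when its IPsec tunnel fails, web traffic shifts to the secondary tunnel without any further configuration.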