Configure two active tunnels using VTI interfaces

Establish the IPsec tunnel using Virtual Tunnel Interfaces (VTI).

Before you begin

Create an IKEv2 profile, a transform set, and two access-lists.

This technique relies on using policy-based routing over VTI interfaces, and creating “dummy” subnets that are used to force web traffic to be routed into the appropriate tunnel interface.

The dummy subnets need to be a minimum of /30 in size, to provide 2 usable interface addresses. One address is allocated to the VTI interface, and the other is used in the policy-based routing configuration to represent the Forcepoint gateway. For example, assume that 192.168.254.0/30 and 192.168.254.4/30 are 2 unused /30 blocks within your internal address plan. This would allow the following addressing to be used on the ISR:

  • dummy_subnet1_ip1 — 192.168.254.1
  • dummy_subnet1_ip2 — 192.168.254.2
  • dummy_subnet2_ip1 — 192.168.254.5
  • dummy_subnet2_ip2 — 192.168.254.6

Steps

  1. Create an IPsec profile for each tunnel and associate the transform set and IKEv2 profile that you created.
    crypto ipsec profile PA_forcepoint1
    set transform-set PA_set
    set ikev2-profile PA_profile1
    exit
    crypto ipsec profile PA_forcepoint2
    set transform-set PA_set
    set ikev2-profile PA_profile2
    exit
  2. Create 2 tunnel interfaces, then configure the tunnel source and destination IP addresses, and associate the IPsec profile:
    interface Tunnel1
    ip address <dummy_subnet1_ip1> <dummy_subnet1_mask>
    tunnel source <public_ip>
    tunnel mode ipsec ipv4
    tunnel destination <tunnel1_destination_address>
    tunnel protection ipsec profile PA_forcepoint1
    exit
    interface Tunnel2
    ip address <dummy_subnet2_ip1> <dummy_subnet2_mask>
    tunnel source <public_ip>
    tunnel mode ipsec ipv4
    tunnel destination <tunnel2_destination_address>
    tunnel protection ipsec profile PA_forcepoint2
    exit
    Example:
    interface Tunnel1
    ip address 192.168.254.1 255.255.255.252
    tunnel source 10.5.142.237
    tunnel mode ipsec ipv4
    tunnel destination 3.135.2.202
    tunnel protection ipsec profile PA_forcepoint1
    exit
    
    interface Tunnel2
    ip address 192.168.254.5 255.255.255.252
    tunnel source 10.5.142.237
    tunnel mode ipsec ipv4
    tunnel destination 3.135.3.203
    tunnel protection ipsec profile PA_forcepoint2
    exit
  3. Create a route-map entry for each tunnel: match the access-list that you created and set the next hop to the second address of that tunnel's dummy subnet.
    route-map Active_tunnel permit 20
    match ip address 120
    set ip next-hop <dummy_subnet1_ip2>
    exit
    route-map Active_tunnel permit 25
    match ip address 125
    set ip next-hop <dummy_subnet2_ip2>
    exit
    Example:
    route-map Active_tunnel permit 20
    match ip address 120
    set ip next-hop 192.168.254.2
    exit
    
    route-map Active_tunnel permit 25
    match ip address 125
    set ip next-hop 192.168.254.6
    exit
  4. Apply the route-map to the incoming interface.
    interface <incoming_interface>
    ip policy route-map Active_tunnel
    exit
  5. Adjust the TCP MSS on the incoming interface so that packets still fit the tunnel MTU after IPsec encapsulation.
    interface <incoming_interface>
    ip tcp adjust-mss 1360
    exit
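To check an addressing plan before entering it on the ISR, here is an added Python helper that is not part of the Forcepoint or Cisco documentation: it derives ip1 and ip2 from each dummy block, rejects blocks smaller than /30 or blocks that overlap (either would leave the policy-routed next hop unable to steer traffic into the intended tunnel), and renders the Tunnel and route-map entries from the steps above. The sample addresses are the page's own example values; access-lists 120 and 125 are assumed to be the two access-lists from "Before you begin".

```python
from ipaddress import IPv4Network

def plan_dummy_subnet(cidr):
    """Split one dummy block into (ip1, ip2, mask): ip1 is assigned to the VTI,
    ip2 is the PBR next-hop that stands in for the Forcepoint gateway. The block
    must be /30 or larger so that both addresses are usable host addresses."""
    net = IPv4Network(cidr, strict=True)
    if net.prefixlen > 30:
        raise ValueError(f"{cidr}: dummy subnet must be /30 or larger")
    ip1, ip2 = list(net.hosts())[:2]
    return str(ip1), str(ip2), str(net.netmask)

def render_vti_pbr(public_ip, tunnels):
    """Render the Tunnel interfaces and Active_tunnel route-map entries.
    `tunnels` is a list of (dummy_cidr, tunnel_destination, acl_number) in
    tunnel order. Overlapping dummy blocks are rejected: a next hop that lies in
    two connected subnets is not guaranteed to leave via the intended tunnel."""
    nets = [IPv4Network(cidr) for cidr, _, _ in tunnels]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"dummy subnets {a} and {b} overlap")
    out = []
    for idx, (cidr, dest, acl) in enumerate(tunnels, start=1):
        ip1, ip2, mask = plan_dummy_subnet(cidr)
        out += [f"interface Tunnel{idx}",
                f" ip address {ip1} {mask}",
                f" tunnel source {public_ip}",
                " tunnel mode ipsec ipv4",
                f" tunnel destination {dest}",
                f" tunnel protection ipsec profile PA_forcepoint{idx}",
                "exit",
                # sequence 20 for Tunnel1, 25 for Tunnel2, matching the steps
                f"route-map Active_tunnel permit {15 + 5 * idx}",
                f" match ip address {acl}",
                f" set ip next-hop {ip2}",
                "exit"]
    return "\n".join(out)

if __name__ == "__main__":
    # Constructed sample input using the page's example addressing.
    print(render_vti_pbr("10.5.142.237", [
        ("192.168.254.0/30", "3.135.2.202", 120),
        ("192.168.254.4/30", "3.135.3.203", 125)]))
```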