> On Nov 19, 2018, at 11:19, Linda Dunbar <linda.dun...@huawei.com> wrote:
>
> IPsec experts,
>
> In the following diagram, CPE1 has two internet ports, A1 by one service provider, A2 by another service provider.
> CPE2 also has two ports facing two different internet service providers.
>
> Question: can I establish ONE IPsec SA between CPE1 & CPE2? (i.e. between 10.1.1.1 & 10.1.2.1)?
> But the actual packets sent out from A1 port have to use A1 as Source-Address, and using B1 or other public address as Destination address.

If in your example the source and destination IPs are sourced loopbacks that are part of a prefix exported to the ISP(s) in each site then you could in fact have one association… If the CPEs are using a provider-assigned IP for tunnel termination you’re going to need 4. We do the former all the time with sites multi-homed via BGP.

> Or is it necessary to have one IPsec SA between A1<->B1, one IPsec SA between A1<->B2, one IPsec SA between A2<->B1, and one IPsec SA between A2<->B2?
>
> <image001.png>
>
> Thanks, Linda Dunbar
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec