Joel, Thanks for the help.
When you said “IPs are sourced loopbacks that are part of a prefix exported to the isp(s) in each site”, do you mean that the private Loopback addresses of CPE1 & CPE2 are routable in all four ISPs that are connected to A1, A2, B1, B2?

Linda

From: joel jaeggli [mailto:[email protected]]
Sent: Monday, November 19, 2018 2:18 PM
To: Linda Dunbar <[email protected]>
Cc: IPsecME WG <[email protected]>
Subject: Re: [IPsec] Can one IPsec SA be established via two internet ports on one device?

On Nov 19, 2018, at 11:19, Linda Dunbar <[email protected]> wrote:

> IPsec experts,
>
> In the following diagram, CPE1 has two internet ports, A1 by one service provider, A2 by another service provider. CPE2 also has two ports facing two different internet service providers.
>
> Question: can I establish ONE IPsec SA between CPE1 & CPE2? (i.e. between 10.1.1.1 & 10.1.2.1)? But the actual packets sent out from the A1 port have to use A1 as Source-Address, and use B1 or another public address as Destination address.

If in your example the source and destination IPs are sourced loopbacks that are part of a prefix exported to the isp(s) in each site then you could in fact have one association… If the CPEs are using a provider assigned ip for tunnel termination you’re going to need 4.

We do the former all the time with sites multi-homed via bgp.

> Or is it necessary to have one IPsec SA between A1<->B1, one IPsec SA between A1<->B2, one IPsec SA between A2<->B1, and one IPsec SA between A2<->B2?
>
> <image001.png>
>
> Thanks,
> Linda Dunbar
>
> _______________________________________________
> IPsec mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/ipsec
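The distinction Joel draws above, as an added model that is not part of the thread: an SA is represented by the outer endpoint pair it was negotiated for, and the receiving CPE accepts ESP only when the packet's outer (src, dst) match an installed SA (a simplification of real SAD handling, assumed for the model). Loopback and port names are the thread's own; SPIs and the port-name-as-PA-address convention are constructed.

```python
# Added model: why terminating the tunnel on loopbacks advertised to every ISP
# needs one SA, while provider-assigned (PA) addresses need one SA per port
# pair. Addresses are the thread's examples; port names stand in for the PA
# addresses of each port; SPIs are constructed for the model.
from itertools import product

SITE_A = {"loopback": "10.1.1.1", "ports": ["A1", "A2"]}  # CPE1
SITE_B = {"loopback": "10.1.2.1", "ports": ["B1", "B2"]}  # CPE2
PATHS = list(product(SITE_A["ports"], SITE_B["ports"]))   # all ISP path combos

def outer_endpoints(termination, egress_port, ingress_port):
    """Outer (src, dst) of ESP sent from CPE1 via egress_port and entering CPE2
    via ingress_port. With loopbacks the ISP path does not change the pair."""
    if termination == "loopback":
        return (SITE_A["loopback"], SITE_B["loopback"])
    return (egress_port, ingress_port)

def negotiate_sas(termination):
    """SAs CPE2 must hold to accept CPE1's traffic over every path:
    a dict of endpoint pair -> SPI (SPIs constructed, not negotiated)."""
    sad = {}
    for a, b in PATHS:
        pair = outer_endpoints(termination, a, b)
        sad.setdefault(pair, 0x1000 + len(sad))
    return sad

def inbound_accepted(sad, termination, egress_port, ingress_port):
    """Receiver-side check: is there an SA whose endpoints match the packet?"""
    return outer_endpoints(termination, egress_port, ingress_port) in sad

def coverage(sad, termination):
    """Fraction of ISP paths over which CPE2 accepts CPE1's ESP."""
    ok = sum(inbound_accepted(sad, termination, a, b) for a, b in PATHS)
    return ok / len(PATHS)

if __name__ == "__main__":
    for mode in ("loopback", "pa"):
        sad = negotiate_sas(mode)
        print(mode, "SAs needed:", len(sad), "coverage:", coverage(sad, mode))
    # Failure mode: a single PA SA (A1<->B1) covers only 1 of 4 paths, so a
    # failover onto A2 or B2 leaves tunnel traffic with no matching SA.
    single_pa_sa = {("A1", "B1"): 0x1000}
    print("single PA SA coverage:", coverage(single_pa_sa, "pa"))
```

Running it shows one SA with full path coverage for loopback termination, four for PA termination, and a lone PA SA covering only a quarter of the paths.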
