IPSec Tunnels not following rules


#1

Hello,

I have an IPSec tunnel going from our location to another location out of state. The tunnel works great but I would like to limit what ISPs it is able to go on. We have 3 ISPs in the Peplink. I only want 2 of the ISPs to be allowed to handle the IPSec tunnel. These 2 ISPs are WAN 1 and WAN 2. I do not want to use WAN 3 for IPSec.

I set rules in two places:

  1. Outbound Policy
     Enable: Check
     Source: IP Address - 192.168.199.3
     Destination: Any
     Protocol: Any
     Algorithm: Priority
     Highest Priority:
       WAN 1
       WAN 2
     Not in Use:
       WAN 3

  2. Inbound Access - Services
     Enable: Check
    IP Protocol: UDP
    Port: Single Port 4500
    Inbound IP Addresses: WAN 1 and WAN 2 Checked. WAN 3 Unchecked
    Included Servers: 192.168.199.3

Currently under Active Sessions I have:

Outbound

Protocol - UDP
Source IP - 192.168.199.3:4500
Destination IP - Remote Address
Service - IPsec
Interface - WAN 3

Inbound

Protocol - UDP
Source - Remote Address
Destination IP - 192.168.199.3:4500
Service - IPSec
Interface - WAN 1

Do I need to adjust rules or configure another rule so my outbound doesn’t use WAN 3?

Thanks for your help/advice in advance!

Best,
Aaron


#2

Hello,

The best way to set this up is to just go into the IPSec profile and at the very bottom you will see “WAN Connection Priority”. Don’t select WAN3 and the IPSec traffic will stay only on WAN1 and WAN2. No other rules needed.


#3

Hello,

Currently I use an ASA 5505 on the inside of our network. Will the IPSec profile remove the ASA from participating in the VPN tunnel?

Thanks,
Aaron


#4

May need to provide more clarification on the setup. If the Peplink is not terminating the IPSec tunnel and is just passing the VPN traffic through to the ASA, you will just need to create 2 rules: one for UDP 500, one for UDP 4500. (Put the non-desired WAN in "Not in use".)


#5

Thanks Jarid! This does make sense. I set the rules and I’ll disconnect WAN 3 in the morning to watch it take effect. I’ll update with the results.

Regards,
Aaron


#6

Also,

Ensure that under Network>Service Passthrough that IPSec NAT-T is unchecked as this will override the outbound policy rules.
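
The two pieces of advice in this thread (two outbound rules for UDP 500 and UDP 4500 with WAN 3 under "Not in use", and IPSec NAT-T passthrough switched off because it bypasses Outbound Policy) can be checked against a small model of WAN selection. The code below is an added illustration written for this page, not Peplink firmware or any Peplink API; the evaluation order it assumes (passthrough first, then the first matching outbound rule with the Priority algorithm, then a default pick) is an assumption drawn from the posts above, and the hosts, WAN names and rule names are the ones used in the thread.

```python
"""Simplified model of egress WAN selection for pass-through IPsec traffic.

Assumed evaluation order (modelled from the thread, not vendor behaviour):
  1. If IPSec NAT-T Service Passthrough is on, UDP 500/4500 is handled by the
     passthrough path and Outbound Policy is never consulted.
  2. Otherwise the first matching Outbound Policy rule applies; the Priority
     algorithm picks the highest-priority WAN that is up.
  3. WANs placed under "Not in use" are never candidates for that rule.
  4. With no matching rule, the router falls back to any healthy WAN.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

IPSEC_UDP_PORTS = {500, 4500}  # IKE and NAT-T, as named in post #4


@dataclass(frozen=True)
class Flow:
    src_ip: str
    protocol: str  # "UDP", "TCP", ...
    dst_port: int


@dataclass
class OutboundRule:
    name: str
    source_ip: Optional[str]   # None means "Any"
    protocol: Optional[str]    # None means "Any"
    dst_port: Optional[int]    # None means "Any"
    priority: List[str]        # ordered "Highest Priority" list
    not_in_use: Set[str] = field(default_factory=set)

    def matches(self, flow: Flow) -> bool:
        return ((self.source_ip is None or self.source_ip == flow.src_ip)
                and (self.protocol is None or self.protocol == flow.protocol)
                and (self.dst_port is None or self.dst_port == flow.dst_port))


def asa_ipsec_rules() -> List[OutboundRule]:
    """The two rules from post #4: UDP 500 and UDP 4500 from the ASA (192.168.199.3)."""
    return [
        OutboundRule(f"IPsec UDP {port}", "192.168.199.3", "UDP", port,
                     priority=["WAN 1", "WAN 2"], not_in_use={"WAN 3"})
        for port in sorted(IPSEC_UDP_PORTS)
    ]


def select_wan(flow: Flow, rules: List[OutboundRule], wan_up: Dict[str, bool],
               ipsec_nat_t_passthrough: bool) -> Tuple[Optional[str], str]:
    """Return (chosen WAN or None, reason). wan_up is ordered by interface."""
    healthy = [wan for wan, up in wan_up.items() if up]
    if (ipsec_nat_t_passthrough and flow.protocol == "UDP"
            and flow.dst_port in IPSEC_UDP_PORTS):
        # Passthrough grabs the flow before Outbound Policy runs (post #6),
        # so the WAN 3 exclusion in the rules is never applied.
        return (healthy[0] if healthy else None), "service passthrough (policy bypassed)"
    for rule in rules:
        if rule.matches(flow):
            for wan in rule.priority:
                if wan not in rule.not_in_use and wan_up.get(wan, False):
                    return wan, rule.name
            # Every permitted WAN is down: the flow is held rather than spilled onto WAN 3.
            return None, rule.name
    return (healthy[0] if healthy else None), "default"


def ipsec_egress(wan1_up: bool, wan2_up: bool, wan3_up: bool,
                 passthrough: bool) -> Optional[str]:
    """Convenience wrapper: which WAN carries the ASA's NAT-T traffic?"""
    flow = Flow("192.168.199.3", "UDP", 4500)  # constructed sample flow
    wans = {"WAN 1": wan1_up, "WAN 2": wan2_up, "WAN 3": wan3_up}
    return select_wan(flow, asa_ipsec_rules(), wans, passthrough)[0]


if __name__ == "__main__":
    for pt in (True, False):
        for up in ((True, True, True), (False, True, True), (False, False, True)):
            print(f"passthrough={pt!s:5} wans up={up} -> {ipsec_egress(*up, pt)}")
```

The last row of the output is the one that matters: with passthrough on and WAN 1 and WAN 2 both down, the model sends the tunnel out WAN 3 even though both rules exclude it; with passthrough off, the same outage leaves the flow with no WAN instead of spilling onto the excluded link. The first two rows also show the intended failover from WAN 1 to WAN 2.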


#7

Thanks Jarid. I made the change this morning and so far it seems to be working! I will be able to tell for sure in a couple of weeks when my WAN 1 and WAN 2 have had an opportunity to drop connection.

Best,
Aaron