PepVPN and IPsec priority


#1

We have six locations. (1) newer B380 with Speed Fusion, (1) older B380 (v6 firmware) and (4) Balance One. All are connected by PepVPN and SpeedFusion (on the B380s).

The Balance Ones are limited to two PepVPN connections, so it's not possible to have a criss-cross with a direct link between all six locations. Users are able to access from location B to location C because PepVPN is smart enough to see the two-hop link by going through the home office. B > A > C.

I’m wondering if I would gain anything by setting up IPsec links between devices where I don’t have enough PepVPN licenses to create direct VPNs between all of them? Are the devices smart enough to see that there is an IPsec link that goes directly between B and C, or will they continue to prioritize PepVPN (B > A > C)?

I realize there is an upgrade for the Balance One that will give me more PepVPN links, and also SpeedFusion. I may do that upgrade but first want to know if I can accomplish the same thing with a combination of PepVPN and IPsec. I need to understand how the devices will use both types of VPN when they are simultaneously available.


#2

Balance One supports 2 IPsec VPNs. Hence, PepVPN + IPsec tunnels can't meet the requirement. I would suggest upgrading the PepVPN license for Balance One.


#3

OK, I understand about the limitation of 2 IPsec. Not sure if I really need all 5 links anyway. I still need to understand how the device prioritizes IPsec and PepVPN links that end up at the same two end points when some are direct, and some are a second hop to get there. Does the system figure that out on its own? Or does the system prioritize PepVPN? I see where I can enter a “cost” to prioritize within PepVPN but I don’t see that option in IPsec.

I will likely end up adding the PepVPN licenses, the cost is not a lot - but still want to understand the questions above.


#4

@Don_Ferrario

:grinning::grinning::grinning:

The IPsec route will have the highest priority.


#5

My understanding (and as seemingly confirmed by a minimalist experiment with three nodes in a no-frills setup with PepVPN as two edges and IPsec closing the triangle on the third edge) is that the router will send packets on any networks advertised by the IPsec partner across that connection before considering the PepVPN routing.

E.g.:

Three nodes, A (192.168.1.0/24), B (192.168.2.0/24), and C (192.168.3.0/24)
A<->B PepVPN
A<->C PepVPN
B<->C IPsec (each advertising their own local network)

Routing is as expected, e.g., from B directly to C if some node on B’s LAN sends a packet to 192.168.3.xx (B does not route it to A)

But you can play games with this: E.g., if B advertises 192.168.1.0/24 (A’s network) then C will route packets from C to A via B.

Which indicates that explicit advertisement in the IPsec setup is prioritized ahead of the PepVPN routes. And you can force an indirect routing if appropriate.

Maintenance, though… If your time is worth a bit, then adding the PepVPN license pays for itself real fast.
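To make the route-selection behaviour described in this thread concrete, here is an added example that is not part of the original posts and not Peplink's own code. It models the three-node A/B/C topology from post #5 with a small routing simulator: PepVPN routes are flooded hop by hop and carry a hop-count cost, IPsec routes exist only for prefixes a peer explicitly advertises, and, per the observations above, an IPsec-advertised route is preferred over any PepVPN route to the same prefix. The preference order, the hop-count cost and the way routes propagate are all assumptions of this model, chosen to reproduce what the posts report.

```python
import ipaddress
from dataclasses import dataclass

# Assumed preference order, based on the thread's observations: a route advertised by an
# IPsec peer is used before any PepVPN route to the same prefix; among PepVPN routes the
# lower cost (hop count) wins. Illustrative model only, not Peplink's actual implementation.
KIND_PREFERENCE = {"ipsec": 0, "pepvpn": 1}


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str   # name of the peer router the packet is handed to
    kind: str       # "ipsec" or "pepvpn"
    cost: int       # hop count for PepVPN routes; 1 for a direct IPsec advertisement


def select_route(table, dst_ip):
    """Longest prefix match first, then IPsec before PepVPN, then lowest cost."""
    dst = ipaddress.ip_address(dst_ip)
    candidates = [r for r in table if dst in r.prefix]
    if not candidates:
        return None
    return min(candidates,
               key=lambda r: (-r.prefix.prefixlen, KIND_PREFERENCE[r.kind], r.cost))


def build_tables(lans, pepvpn_links, ipsec_adverts):
    """
    lans:          {node: local LAN prefix}
    pepvpn_links:  set of frozenset({a, b}) PepVPN edges; PepVPN learns LAN routes across
                   multiple hops (B > A > C in the thread), so each LAN is flooded outward.
    ipsec_adverts: {(advertiser, receiver): [prefixes]} explicit IPsec advertisements.
    """
    nets = {n: ipaddress.ip_network(p) for n, p in lans.items()}
    tables = {n: [] for n in lans}
    # PepVPN: breadth-first from each LAN's owner; a peer reaches that LAN via the node
    # it heard it from, at one more hop than that node.
    for origin, net in nets.items():
        frontier = [(origin, 0)]
        seen = {origin}
        while frontier:
            node, dist = frontier.pop(0)
            for link in pepvpn_links:
                if node not in link:
                    continue
                peer = next(iter(link - {node}))
                if peer in seen:
                    continue
                seen.add(peer)
                tables[peer].append(Route(net, node, "pepvpn", dist + 1))
                frontier.append((peer, dist + 1))
    # IPsec: only the prefixes a peer explicitly advertises over the tunnel.
    for (advertiser, receiver), prefixes in ipsec_adverts.items():
        for p in prefixes:
            tables[receiver].append(Route(ipaddress.ip_network(p), advertiser, "ipsec", 1))
    return tables


def trace_path(tables, lans, src, dst_ip):
    """Follow next hops from src until the router owning dst_ip's LAN is reached."""
    dst = ipaddress.ip_address(dst_ip)
    path, node = [src], src
    for _ in range(len(tables)):          # bounded so a routing loop cannot spin forever
        if dst in ipaddress.ip_network(lans[node]):
            return path
        route = select_route(tables[node], dst_ip)
        if route is None:
            return None
        node = route.next_hop
        path.append(node)
    return None                           # loop detected


# Constructed topology, copied from post #5.
LANS = {"A": "192.168.1.0/24", "B": "192.168.2.0/24", "C": "192.168.3.0/24"}
PEPVPN = {frozenset({"A", "B"}), frozenset({"A", "C"})}


def without_ipsec():
    """Only the two PepVPN edges: B reaches C's LAN through A (B > A > C)."""
    t = build_tables(LANS, PEPVPN, {})
    return trace_path(t, LANS, "B", "192.168.3.10")


def thread_scenario():
    """B<->C IPsec, each advertising only its own LAN: B goes to C directly, C to A still via PepVPN."""
    adverts = {("B", "C"): ["192.168.2.0/24"], ("C", "B"): ["192.168.3.0/24"]}
    t = build_tables(LANS, PEPVPN, adverts)
    return trace_path(t, LANS, "B", "192.168.3.10"), trace_path(t, LANS, "C", "192.168.1.10")


def games_scenario():
    """B also advertises A's LAN over IPsec: C now sends traffic for A via B, not the direct PepVPN."""
    adverts = {("B", "C"): ["192.168.2.0/24", "192.168.1.0/24"], ("C", "B"): ["192.168.3.0/24"]}
    t = build_tables(LANS, PEPVPN, adverts)
    return trace_path(t, LANS, "C", "192.168.1.10")


if __name__ == "__main__":
    print("PepVPN only, B -> C LAN:", without_ipsec())
    print("IPsec B<->C, own LANs only:", thread_scenario())
    print("B advertises A's LAN over IPsec, C -> A LAN:", games_scenario())
```

The third scenario is the point to watch when mixing the two VPN types: because an explicit IPsec advertisement outranks the PepVPN route, an over-broad advertisement on one tunnel silently re-routes traffic that had a direct PepVPN path, which is the maintenance burden post #5 alludes to.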