Two SpeedFusions in one site

BensonLEI · September 30, 2019, 12:33am

Hi, Guys,

We are using B-380,

Just would like to know if I can create two separated PepVPN in a site, for example one PepVPN for internet lines, another PepVPN for leased lines in the same site ?

Thanks

MartinLangmaid · September 30, 2019, 1:31am

Have a look at Sub Tunnels - would that work for your requirement?
[Edited to use correct link]

BensonLEI · October 2, 2019, 6:09pm

Hi, Martin,

Our scenario is below:

2 internet links and 2 leased lines in Site A; and same links setup in Site B, so we want to set up a PepVPN for internet links ( for internet access and some non-mission traffic ); another PepVPN for mission critical traffic ( leased lines aggregation ); is that ok possible ?

Thanks

MartinLangmaid · October 3, 2019, 12:02am

Yes, you can use sub-tunnels for this.

Sure. How do you want that to work? Is that Site B sending internet traffic over Speedfusion and out via Site A?

BensonLEI · October 3, 2019, 7:52pm

Hi, Martin,

We just want to keep one Peplink SpeedFusion for the hot link failover of these leased lines aggregation, and the other SpeedFusion for internet links aggregation ( internet access, VPN, hot failover, etc ).

For example :

SpeedfusionA-internet lines
SpeedfusionB-leased lines

They are separate VPNs and carry different kinds of dedicated network traffic.

Any example configuration, thanks

MartinLangmaid · October 4, 2019, 1:50am

Create a new Speedfusion profile.
Show the sub tunnel configuration
set main tunnel to just use the WANs with the leased lines connected
Add a sub tunnel, set it to use the WANs for internet access only
Use outbound policies to set which traffic should use which tunnel.

BensonLEI · October 8, 2019, 10:34pm

Hi, Martin,

Based on the updated firmware v8.0, B-380 could not create two separated Speedfusions ( due to the unique Remote ID) between two sites, is that correct ?

MartinLangmaid · October 8, 2019, 11:02pm

Yes.

You’re not creating two separate speedfusion Tunnels. You are creating one tunnel and then adding sub tunnels inside of the main tunnel.
Follow the sub tunnel link above to see how.

BensonLEI · October 9, 2019, 12:58am

For your suggestion, where to find the FusionHub configuration in B-380, thx ?

One of the ways to solve this scenario, is to configure both SpeedFusion and IPsecVPN for two separated Tunnels, and also defined the dedicated LAN subnets traffic in IPsecVPN.

But IPsecVPN does not support Multilinks bonding ( though it has such configuration ) ?

MartinLangmaid · October 9, 2019, 1:43am

Apologies I used the wrong link above. Look at this link instead.

Personally I find this idea very messy and Speedfusion / PepVPN is superior to IPSEC in every way. You can do this with sub-tunnels - that is still my recommendation.

BensonLEI · October 9, 2019, 2:25am

Martin,

The new link may be helpful, let me check and study more, and update you, thx a lot.

BensonLEI · October 9, 2019, 5:28pm

Hi, Martin

This is what exactly I am seeking for, thx a lot.

But for this configuration, a default SpeedFusion tunnel must be established and include all available WAN links… correct ?

If yes, which configuration to control the traffic through this default SpeedFusion ?

dennis.hofheinz · October 11, 2019, 4:38am

Hi Benson,

you can choose the WAN links in every Sub-Tunnel. Try it, it’s easy
You can use Outbound-Policies to control the Sub-Tunnels

Regards
Dennis

BensonLEI · October 13, 2019, 7:52pm

Hi, Martin & Dennis,

Thanks so much for both you guys’ kind advice.

My last question is:

PepVPN traffic can not be controlled by destination IP ? or how to achieve this configuration ?

PepVPN: Source IP -----> PepVPN traffic → Destination IP
( SiteA: 192.168.1.0/24 ) ----- > (SiteB: 172.168.10.0 /24 )

Many thanks

MartinLangmaid · October 13, 2019, 11:17pm

Yes it can.
Have a look at this: Understanding and Configuring Outbound Policy

When a PepVPN tunnel is up, each end advertises known subnets to the other, so you typically don’t need to add destination routes (because they have been learnt already). If however you want to get to a distant hop then you might so in the case of:

SiteA 192.168.50.0/24 Site B 192.168.1.0/24 WAN <3rd party Layer 3 network with its own dynamic routing table> Site C 10.10.1.0/24

You would add an outbound policy to Site A sending all traffic for 10.10.1.0/24 via the PepVPN.

BensonLEI · October 14, 2019, 1:40am

Hi, Martin,

For my case ( no Site C ):

SiteA (learned by SpeedFusion)::
192.168.1.0 /24
192.168.10.0 /24

SiteB ( learned by SpeedFusion):
172.168.2.0 /24
172.168.20.0 /24

It works only for the following configuration:
Source: Any
Destination: PepVPN Profile, Tunnel2
Protocol: ……
Algorithm: Enforced
Enforced Connection: VPN: Tunnel 2

My configuration is as below:
Source: Any
Destination: IP network, 172.168.20.0 /24
Protocol: Any
Algorithm: Enforced,
Enforced Connection: VPN: Tunnel 2

It does not work, any issue ?

Thx

MartinLangmaid · October 14, 2019, 2:24am

And is the aim to send all traffic down one of the tunnels in a multi tunnel config between site a and site b?
Since you’re manipulating pepvpn traffic you need to have the outbound policy above the expert mode bar:

You’d need outbound policies on both ends so that traffic being sent in either direction between the routers uses the correct sub tunnel.

BensonLEI · October 14, 2019, 7:15pm

Hi, Martin & Dennis,

Great, it is definitely the answer we found.