VPN LAN-to-LAN tunnel behind Fusion Hub


#1

Customer has a Fusion Hub on a mobile vehicle with two bonded ISP providers. I am trying to set up a business-to-business (peer) VPN tunnel. My VPN appliance is installed on the vehicle behind the Fusion Hub. I am told that we should be able to set up a VPN b2b tunnel. The Fusion Hub only has one VIP (public) IP address. How can a VPN b2b tunnel (peer-to-peer) be set up when I can’t assign a publicly accessible IP address to the VPN box that is in the vehicle? I was told the Fusion Hub forwards the IPSEC traffic, and it will work. But I am not seeing the VPN tunnel establish. The VPN box on the mobile vehicle is “waiting” for the Phase 1 communications to complete. I am using Main mode for my VPN connection. It appears that the VPN traffic is not getting back from the Internet inbound to the VPN box behind the Fusion Hub.

I need help: is this possible? I don’t have access to the Fusion Hub. It is vendor provided.


#2

Hi, I think you’re going to have to do a quick sketch of the network topology for help on this one, as I can’t untangle it easily from your description.

It’s very unlikely that there is a FusionHub virtual appliance installed on the vehicle, as there wouldn’t be much utility in that. Instead, reading between the lines, I suspect there is a MAX mobile cellular router installed with a SpeedFusion VPN tunnel back to a FusionHub in the cloud that is providing bonding.

That cloud-based FusionHub will likely have a single public-facing IP address.

If that’s the case, what are you trying to achieve with your VPN appliance? You say it’s installed on the vehicle? Are you looking to run an IPSEC VPN from your appliance over the bonded VPN via the FusionHub to your 3rd-party IPsec VPN target?

If so (but, as yet, not fully aware of your requirement), I would suggest that a potentially easier topology to achieve would be to build an IPSEC VPN from the cloud-based FusionHub to your infrastructure and let the FusionHub manage onward security and routing to the vehicle.


#3

Attached is a drawing from the vendor. The bottom left with the two cellular antennas is the ambulance. It is running a single public virtual IP (VIP). The two cellular providers are bonded together. Most of the devices on the ambulance are connecting back to the vendor’s cloud-based services. But there are a CT, a CT scanner (laptop), and a Toughbook laptop that need secure connectivity back to the hospital network. They will be behind the IPSEC Remote device on the drawing. These three devices need secure direct access back to the hospital. They can NOT use a VPN client connection. So we are trying to install a VPN appliance on the ambulance and set up a VPN LAN-to-LAN connection back to the hospital.

This needs to be a LAN-to-LAN connection, as the CT needs to have DICOM (peer-to-peer) connectivity back to our imaging servers. The issue is that, since there is only a single public IP on the ambulance, how can I set up a LAN-to-LAN tunnel back to the IPSEC device on the ambulance that does not have its own IP address? I must use Main mode on the VPN tunnel, as Aggressive mode is considered insecure by our Security department.