Saturday, February 29, 2020

(Cisco) VPN tunnel to a loopback address already behind an encrypted tunnel

Hi everyone, hoping someone has come up against this before and can give some advice, as I haven't been able to find exactly the answer from searching.

I've got a Cisco 880 series (the CPE) doing a tunnel to a hub (using IPsec+GRE). The CPE then BGP peers to the hub and advertises a /32 publicly reachable address, and thus has direct internet access via this method (the underlying network is CGNAT'd) from a BGP-originated default route. This works great, as basically a cheapo SD-WAN type setup (the CPE gets a publicly reachable address whilst behind CGNAT'd networks, and can be made easily redundant with an extra tunnel or two via other networks like a 4G connection, DSL, etc.).

My question is... should it be possible to then run up an L2TP with IPsec server on the CPE, via the /32 loopback address? I know typically you'd put a crypto map onto the interface directly facing the internet to watch for traffic, but in this case the physical interface is behind CGNAT and would only see encrypted traffic coming in anyway.

Is this even possible? Can you put a crypto map on a tunnel interface, or even the loopback? I know there's a lot of overhead in this design, but that's not an issue.

Surely someone has done this before?
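Editor's note: the following is an added, illustrative Cisco IOS configuration, not from the post or any reply to it, showing the design described above with the L2TP/IPsec server bound to the loopback. All addresses, ASNs, interface names, pool ranges and key strings are assumptions made for the example. The two parts that bear on the question are `crypto map ... local-address Loopback0`, which makes the loopback the IKE/IPsec endpoint address, and applying the crypto map to Tunnel0, because a crypto map cannot be applied to a loopback and Tunnel0 is the interface the client traffic actually arrives on (the /32 is only reachable through the hub). The one thing that still needs lab verification on an 880 is that the running IOS accepts a crypto map on a Tunnel interface that also carries `tunnel protection`; if it refuses, the fallback is the older GRE-over-IPsec style, with the hub crypto map on the physical interface and the L2TP crypto map on Tunnel0.

```cisco
! ---- Assumed, illustrative values (not from the post) ----
! Hub IPsec/GRE endpoint (reachable through the CGNAT):  203.0.113.1
! CPE public /32 advertised over BGP:                    198.51.100.7
! GRE tunnel /30, hub .1 / CPE .2:                       10.255.0.0/30
! Hub AS 64512, CPE AS 64513 (private ASNs for the example)
! WAN port of the 880 assumed to be FastEthernet4

! --- IKEv1 policies: 10 for the hub tunnel, 20 for L2TP road-warrior clients ---
! (the client policy must match what the client OS actually proposes;
!  AES-256 / SHA-1 / DH group 14 is an assumption, check with "debug crypto isakmp")
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp policy 20
 encr aes 256
 hash sha
 authentication pre-share
 group 14
! Hub PSK is peer-specific; the client PSK is a wildcard (any source, as
! L2TP/IPsec road-warriors require), so anyone holding it can start IKE to the /32.
crypto isakmp key HUB-PSK-CHANGE-ME address 203.0.113.1
crypto isakmp key CLIENT-PSK-CHANGE-ME address 0.0.0.0 0.0.0.0 no-xauth

! --- Hub tunnel: GRE protected with an IPsec profile (the existing design) ---
crypto ipsec transform-set HUB-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile HUB-PROF
 set transform-set HUB-TS

! --- L2TP clients: transport-mode IPsec via a dynamic crypto map ---
crypto ipsec transform-set L2TP-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto dynamic-map L2TP-DYN 10
 set transform-set L2TP-TS
crypto map L2TP-MAP 10 ipsec-isakmp dynamic L2TP-DYN
! Pin the IKE/IPsec endpoint to the loopback instead of the CGNAT'd WAN address
crypto map L2TP-MAP local-address Loopback0

! --- The publicly reachable /32 ---
interface Loopback0
 ip address 198.51.100.7 255.255.255.255

! --- GRE tunnel to the hub; also where client ESP/UDP 4500 traffic arrives ---
interface Tunnel0
 ip address 10.255.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source FastEthernet4
 tunnel destination 203.0.113.1
 tunnel mode gre ip
 tunnel protection ipsec profile HUB-PROF
 crypto map L2TP-MAP

! --- BGP: advertise the /32, take the default route from the hub ---
router bgp 64513
 bgp log-neighbor-changes
 network 198.51.100.7 mask 255.255.255.255
 neighbor 10.255.0.1 remote-as 64512

! --- L2TP server terminating on the loopback ---
vpdn enable
vpdn-group L2TP-SERVER
 accept-dialin
  protocol l2tp
  virtual-template 1
 source-ip 198.51.100.7
 no l2tp tunnel authentication

ip local pool L2TP-POOL 192.168.200.10 192.168.200.50

interface Virtual-Template1
 ip unnumbered Loopback0
 ip mtu 1300
 ip tcp adjust-mss 1260
 peer default ip address pool L2TP-POOL
 ppp authentication ms-chap-v2
```

Checks once a client connects: `show crypto isakmp sa` should show the IKE SA with 198.51.100.7 as the local address, `show crypto ipsec sa interface tunnel0` the transport-mode SA for the client, and `show vpdn tunnel` the L2TP tunnel. Two caveats a practitioner would want: the wildcard pre-shared key is exposed to the whole internet through the /32, so it should be a long random string and ideally replaced with certificate authentication, and the stacked encapsulation (PPP in L2TP in IPsec in GRE in IPsec) eats MTU, hence the reduced `ip mtu` and `adjust-mss` values, which are assumptions to be tuned against the real path.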


