[Vigor3900] What is IPsec Multiple SA (Security Association) for?

Support Model : Vigor2960
  • Tags :

When connecting to a VPN server that has multiple LAN network, Vigor Router has the IPsec "More" Remote Subnet feature which allows additional routes over the same IPsec tunnel without creating another IPsec SA (Security Association) for the additional remote networks. However, this mechanism works only between DrayTek Vigor Routers. When connecting to a non-DrayTek VPN server, which requires more IPsec SA for different LAN networks, Vigor3900, has Multiple SA feature since 1.3.0 version firmware, supports negotiating multiple IPSec SAs in IKE phase 2 to establish multiple IPsec tunnels to each subnet in just one VPN profile. This document introduces how to use the IPsec Multiple SA feature.

(This article applies to Vigor3900 and Vigor2960, for other models, please refer to the article here.)

 

Case 1: Vigor3900 has one local network while the VPN Peer has two

For example, Vigor3900's LAN network is 192.168.1.0/24.

VPN Peer's LAN1 network is 192.168.100.0/24 and LAN2 is 192.168.200.0/24.

1. In Basic tab, we may configure Vigor3900's LAN network (192.168.1.0/24) as Local IP/Subnet Mask and VPN Peer's LAN1 network (192.168.100.0/24) as Remote IP/ Subnet Mask.

   

2. In Multiple SA tab, input Vigor3900's LAN network for Local IP/ Subnet Mask again and VPN Peer's LAN2 network for Remote IP/ Subnet Mask.

   

3. We need to configure the similar Multiple SA setting, or create two IPsec VPN dial-in profiles on the remote site Vigor3900.

4. During IPsec connection establishment, Vigor3900 will create two IPsec SA. One is to encrypt the data between network 192.168.1.0/24 and 192.168.100.0/24, the other is to encrypt the data between network 192.168.1.0/24 and 192.168.200.0/24.

 

Case 2: Vigor3900 has two local networks while the VPN Peer has one

For example, Vigor3900's LAN1 network is 192.168.1.1/24 and LAN2 is 192.168.2.1/24.

VPN Peer's LAN network is 192.168.100.1/24.

1. In Basic Tab, we may configure Vigor3900's LAN1 network as Local IP/ Subnet Mask, and VPN Peer's LAN network (192.168.100.0/24) as Remote IP/ Subnet Mask.

   

2. Then in Multiple SA tab, input Vigor3900's LAN2 network and VPN Peer's LAN network.

   

3. We need to configure the similar Multiple SA setting, or create two IPsec VPN dial-in profiles on the remote site Vigor3900.

4. During IPsec connection establishment, Vigor3900 will create two IPsec SA. One is to encrypt the data between network 192.168.1.0/24 and 192.168.100.0/24, the other is to encrypt the data between network 192.168.2.0/24 and 192.168.100.0/24.

 

Case 3: Both Vigor3900 and the VPN Peer have two local networks

For example, Vigor3900's LAN1 network is 192.168.1.0/24 and LAN2 is 192.168.2.0/24. VPN Peer's LAN1 network is 192.168.100.0/24 and LAN2 network is 192.168.200.0/24.



1. In Basic tab, we may configure Vigor3900's LAN1 network as Local IP/ Subnet Mask, and VPN Peer's LAN1 network (192.168.100.0/24) as Remote IP/ Subnet Mask.

   

2. In Multiple SA tab, input the following three settings:

-Vigor3900's LAN2 network to VPN Peer's LAN1 network

-Vigor3900's LAN2 network to VPN Peer's LAN2 network

-Vigor3900's LAN1 network to VPN Peer's LAN2 network

   

3. During the IPsec connection establishment, Vigor3900 will create 4 IPsec SAs. One is to encrypt data between network 192.168.1.0/24 and 192.168.100.0/24; and the rest of them are to encrypt data between network 192.168.1.0/24 and 192.168.200.0/24, network 192.168.2.0/24 and 192.168.100.0/24, and between network 192.168.2.0/24 and network 192.168.200.0/24.

4. Of course, VPN Peer should have a corresponding configurations. Take another Vigor3900 acting as VPN Peer for example, on Basic tab, we may configure LAN network (192.168.100.0/24) as Local IP/ Subnet Mask, and the other Vigor3900's LAN network (192.168.1.0/24) as Remote IP/ Subnet Mask.

   

5. Then in Mutlple SA tab, input the following three settings:

   

6. After above configurations, we should see 4 IPsec connections between the two routers. The data transferring between different networks are encrypted with 4 different IPsec SAs.

   

7. And what could we do if we don't want local network 192.168.2.0/24 to access remote network 192.168.200.0/24? Just remove msa2 in Multiple SAs tab!

   
Was this article helpful ?
57[Vigor3900] What is IPsec Multiple SA (Security Association) for? has been viewed------ 57 ------times.