To deploy the XA1400 Series in an environment that includes more than one provider connection with IPsec, you require a source IP address for each IPsec tunnel.
When you connect to a broadband provider such as a cable modem, DSL, or LTE service, the only routable IP interface is the one that the provider assigns (either through DHCP or statically). As a result, only the assigned subnet is routable from the Internet. You cannot deploy a routing protocol between the branch device and the provider modem.
When you connect two different providers to a branch device, each provider uses a different subnet. The XA1400 Series must apply a different source IP address for each IPsec tunnel.
Two options are available to configure a specific source IP address for each IPsec tunnel: a statically configured source IP address, or a source IP address that the system imports from the management VLAN when that VLAN obtains its address through DHCP. The following considerations apply to each option.
If you configure a static IPsec source IP address, the following considerations apply.
You must configure a VLAN, brouter, or CLIP IP address for the IPsec tunnel to use; this address must be in the same VRF as the tunnel.
You cannot delete the VLAN, brouter, or CLIP IP address if it is used as the static IPsec source IP.
You must disable IPsec on the logical interface before you configure an IPsec source IP.
The specified IP address must be different from the global IPsec source IP address.
The specified IP can be the same as the management IP if you do not configure other logical IPsec interfaces with a source IP type of DHCP.
Multiple logical interfaces can use the same statically configured IPsec source IP.
If you configure an IPsec source IP address of type DHCP, the following considerations apply.
You must enable DHCP on the management VLAN.
The co-existence mode, in which the management IP stack and the routing IP stack share the same IP address and default routes, must be in use. For more information, see VLAN.
After you run the ipsec tunnel-source-address type dhcp command, the system imports the IP and VRF used by the management VLAN as the IPsec source IP on the logical interface.
The imported VRF can be different from the tunnel VRF.
You cannot delete the VLAN or modify its IP address if the IP address is used as the IPsec source IP.
The IPsec source IP address imported with type DHCP cannot be the same as the global IPsec source IP address or a statically configured IPsec source IP address.
After the system imports the DHCP IP address for use by IPsec, you can modify the management VLAN. For example, you can disable DHCP on the management VLAN, change the management VLAN ID, or delete the management VLAN.
After you save the configuration, the IP address and VRF that the system imported for use by IPsec are saved to the configuration file as ipsec tunnel-source-ip type dhcp <IP_address> vrf <vrf_name>. After you reboot the switch, it loads this information from the configuration file, and the IPsec tunnel source IP address is no longer imported from the management VLAN.
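The considerations above are easy to get wrong when a second provider is added later, so the following added example (not Extreme Networks code) encodes them as a pre-deployment check over a planned two-provider configuration. The addresses are constructed from documentation ranges, the VRF name GlobalRouter is assumed, and the data classes are a hypothetical model of the switch state, not a switch API.

```python
from dataclasses import dataclass

@dataclass
class LocalIp:            # a VLAN, brouter or CLIP IP address present on the switch
    addr: str
    vrf: str
    is_mgmt: bool = False # the management VLAN address
    dhcp: bool = False    # assigned by the provider through DHCP

@dataclass
class LogicalIntf:        # one IPsec logical interface, i.e. one provider tunnel
    name: str
    tunnel_vrf: str
    source_type: str      # "static" or "dhcp"
    source_ip: str = ""   # only meaningful for "static"
    ipsec_enabled: bool = False

def check_source_ips(local_ips, intfs, global_source_ip):
    """Return the list of rule violations; an empty list means the plan is valid."""
    errors, by_addr = [], {ip.addr: ip for ip in local_ips}
    mgmt = next((ip for ip in local_ips if ip.is_mgmt), None)
    has_dhcp_intf = any(i.source_type == "dhcp" for i in intfs)
    static_ips = {i.source_ip for i in intfs if i.source_type == "static"}
    for i in intfs:
        if i.ipsec_enabled:   # IPsec must be disabled before the source IP is configured
            errors.append(f"{i.name}: disable IPsec on the interface before setting a source IP")
        if i.source_type == "static":
            ip = by_addr.get(i.source_ip)
            if ip is None:
                errors.append(f"{i.name}: {i.source_ip} is not a VLAN, brouter or CLIP IP")
            elif ip.vrf != i.tunnel_vrf:
                errors.append(f"{i.name}: source VRF {ip.vrf} differs from tunnel VRF {i.tunnel_vrf}")
            if i.source_ip == global_source_ip:
                errors.append(f"{i.name}: static source equals the global IPsec source IP")
            if mgmt and i.source_ip == mgmt.addr and has_dhcp_intf:
                errors.append(f"{i.name}: management IP used as static source while a DHCP-type interface exists")
        elif mgmt is None or not mgmt.dhcp:   # type dhcp imports the management VLAN address
            errors.append(f"{i.name}: DHCP must be enabled on the management VLAN")
        elif mgmt.addr == global_source_ip or mgmt.addr in static_ips:
            errors.append(f"{i.name}: imported IP {mgmt.addr} collides with the global or a static source IP")
    return errors

# Constructed two-provider plan (documentation address ranges, not a real site)
LOCAL_IPS = [LocalIp("203.0.113.10", "GlobalRouter"),                              # VLAN toward provider A
             LocalIp("198.51.100.20", "GlobalRouter", is_mgmt=True, dhcp=True)]    # management VLAN on provider B
GOOD_PLAN = [LogicalIntf("tunnel-a", "GlobalRouter", "static", "203.0.113.10"),
             LogicalIntf("tunnel-b", "GlobalRouter", "dhcp")]
BAD_PLAN = [LogicalIntf("tunnel-a", "GlobalRouter", "static", "198.51.100.20"),    # mgmt IP as static source...
            LogicalIntf("tunnel-b", "GlobalRouter", "dhcp", ipsec_enabled=True)]    # ...while a DHCP-type tunnel exists
```

Running check_source_ips(LOCAL_IPS, BAD_PLAN, "192.0.2.1") reports three violations, while GOOD_PLAN passes cleanly.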