NSR VPN and site-to-site config - Is there an easy way?

  • I have approximately 25 NS 5GTs throughout our WAN and an NS25 at our corp office. The GTs all have route-based VPNs to the corp office and some inter-office site-to-sites as needed.

    I want to be able to have the Dialup users connect to their home office and route through that office's connected VPNs with NSR. Some offices have many salespeople that need to be able to connect, but they will never hit the 10-tunnel limit for those GTs at any given time.
    I cannot set up GW/IKEs for every user due to the 5GT tunnel-count limitations. I like the flexibility of Policy-Based Dialup VPNs in that I can have 25 different XAUTH users share one GW/IKE/Policy setup.

    Is there any way to get the best of both worlds? Minimal administration with shared VPN configs AND routing through the WAN? Or am I overlooking something really simple for Policy-Based Dialup users to be able to route?

    Any suggestions/insights would be greatly appreciated!

  • Given enough time to research, play, tweak, etc., I was able to do what I wanted. By adding an additional Zone with a tunnel interface gateway for the Dialup clients, I can now use simple routes and policies to allow bidirectional LAN and WAN access to these clients and have them share a single GW/IKE setup.
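The following ScreenOS configuration is an added illustration of the approach the answer above describes (a dedicated zone, a tunnel interface bound to a shared dialup gateway, then plain routes and policies); it is not the poster's actual config. Every name in it is assumed: the zone `Dialup`, interface `tunnel.2`, the shared IKE user `sales_ike` with a share-limit of 25, the XAUTH user `alice`, the client address pool 192.168.200.0/24, the corp LAN 10.10.0.0/16 reached via the existing site-to-site `tunnel.1` in zone `Untrust`, and all keys and passwords. Lines beginning with `#` are annotations only; ScreenOS does not accept comments, so drop them before pasting into a 5GT.

```text
# --- Zone and tunnel interface for the NSR dialup clients (assumed names) ---
set zone name "Dialup"
set zone "Dialup" vrouter "trust-vr"
set interface "tunnel.2" zone "Dialup"
set interface tunnel.2 ip unnumbered interface trust

# --- One shared IKE identity for all dialup users, per-user XAUTH on top ---
# share-limit lets up to 25 NSR clients present the same IKE ID at once,
# so one GW/IKE/VPN object serves the whole sales team.
set user "sales_ike" ike-id u-fqdn "sales@branch.example.com" share-limit 25
set user "sales_ike" type ike
set user "alice" type xauth
set user "alice" password "change-me-per-user"

# --- Dialup gateway and VPN, bound to the tunnel interface (route-based) ---
set ike gateway "dialup_gw" dialup "sales_ike" aggressive outgoing-interface "untrust" preshare "long-random-group-psk" sec-level standard
set ike gateway "dialup_gw" xauth server "Local"
set vpn "dialup_vpn" gateway "dialup_gw" sec-level standard
set vpn "dialup_vpn" bind interface tunnel.2

# --- Routes: clients live behind tunnel.2, corp LAN behind the existing tunnel.1 ---
set route 192.168.200.0/24 interface tunnel.2
set route 10.10.0.0/16 interface tunnel.1

# --- Policies: bidirectional LAN access plus onward WAN access for the clients ---
set policy from "Dialup" to "Trust" "Any" "Any" "ANY" permit log
set policy from "Trust" to "Dialup" "Any" "Any" "ANY" permit log
set policy from "Dialup" to "Untrust" "Any" "Any" "ANY" permit log
set policy from "Untrust" to "Dialup" "Any" "Any" "ANY" permit log
```

Two points worth checking before rolling this out. First, a dialup gateway in aggressive mode with a group pre-shared key exposes that key to offline guessing by anyone who can capture the first exchange; XAUTH authenticates the user afterwards but does not protect the PSK, so the group key needs to be long and random and rotated when staff leave. Second, the `"Any"/"ANY"` policies above mirror the "simple routes and policies" the answer mentions, but in practice the Dialup-to-Untrust rule should be narrowed to the corp and branch subnets and the services the sales team actually uses, since it otherwise lets a compromised laptop reach every site-to-site peer the office can route to.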