BGP

Routing Information via Multiple Security Associations

For Remote Office Connections, the VPN Gateway negotiates a separate IPSec Security Association (SA) with the AT&T VIG for each active LAN subnet, including VLANs, cascaded networks (local routes), loopback interfaces, and aliases. The AT&T VIG supports negotiating up to 128 SAs. The VPN Gateway supports up to 250 SAs in total across all of its IPSec tunnels.

A network or VLAN is considered active when at least one physical Ethernet port within it has established link. When an active local network becomes inactive (all Ethernet ports within the local LAN subnet are down), the SA for that subnet, together with the SAs for any cascaded networks and aliases that depend on it, is deleted by sending an IPSec protocol delete message to the AT&T VIG. If the local LAN subnet becomes active again, a new SA is negotiated with the AT&T VIG.

An additional IPSec SA is created for the VPN Gateway's own Internet address. It carries the VPN Gateway's local traffic to the AT&T VIG, including authentication, keep-alive flows, and any IPSec traffic the VPN Gateway itself initiates.
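The following Python is an added illustration, not code from the AT&T documentation or from the VPN Gateway product. It models the SA bookkeeping described above: one SA per active subnet plus its cascaded networks and aliases, one always-present SA for the gateway's own address, deletion when every port in a subnet loses link, and a capacity check against the 128-per-VIG and 250-per-gateway limits the page states. The subnet, port and address names are constructed for the example; only the two limits come from the page.

```python
"""Model of per-subnet IPsec SA behaviour for a VPN Gateway to AT&T VIG tunnel.

Constructed example. The VIG and gateway SA limits are the figures stated in
the documentation; all subnets, ports and addresses below are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

VIG_MAX_SAS = 128       # SAs one AT&T VIG will negotiate (documented limit)
GATEWAY_MAX_SAS = 250   # SAs one VPN Gateway holds across all tunnels (documented limit)


@dataclass
class LocalNetwork:
    """A local LAN subnet or VLAN, the Ethernet ports that belong to it, and the
    cascaded networks (local routes) and aliases whose SAs follow its link state."""
    subnet: str
    ports: List[str]
    cascaded: List[str] = field(default_factory=list)
    aliases: List[str] = field(default_factory=list)


def is_active(net: LocalNetwork, link_up: Dict[str, bool]) -> bool:
    """A subnet is active when at least one of its physical ports has link."""
    return any(link_up.get(port, False) for port in net.ports)


def required_sas(networks: List[LocalNetwork], link_up: Dict[str, bool],
                 gateway_ip: str) -> Set[str]:
    """Traffic selectors (one SA each) the gateway holds towards one VIG for the
    given link state. The gateway's own Internet address is always present: it
    carries authentication, keep-alives and gateway-initiated IPsec traffic."""
    sas = {gateway_ip}
    for net in networks:
        if is_active(net, link_up):
            sas.add(net.subnet)
            sas.update(net.cascaded)   # local routes behind this subnet
            sas.update(net.aliases)    # secondary addresses on this subnet
    return sas


def sa_transition(networks: List[LocalNetwork], old_link_up: Dict[str, bool],
                  new_link_up: Dict[str, bool], gateway_ip: str) -> Tuple[List[str], List[str]]:
    """What a link-state change causes on the wire: (selectors whose SA is deleted
    via an IPsec delete message, selectors that need a fresh SA negotiation)."""
    before = required_sas(networks, old_link_up, gateway_ip)
    after = required_sas(networks, new_link_up, gateway_ip)
    return sorted(before - after), sorted(after - before)


def check_limits(sas_per_vig: Dict[str, Set[str]]) -> List[str]:
    """Capacity check for a site design: per-VIG and whole-gateway SA counts
    against the documented maxima. Returns a list of violations (empty if OK)."""
    problems = []
    for vig, sas in sas_per_vig.items():
        if len(sas) > VIG_MAX_SAS:
            problems.append(f"{vig}: {len(sas)} SAs exceeds the VIG limit of {VIG_MAX_SAS}")
    total = sum(len(sas) for sas in sas_per_vig.values())
    if total > GATEWAY_MAX_SAS:
        problems.append(f"gateway: {total} SAs across all tunnels exceeds the limit of {GATEWAY_MAX_SAS}")
    return problems


# Constructed site: a LAN with two ports, one cascaded network and one alias,
# plus a single-port VLAN. Addresses and port names are hypothetical.
GATEWAY_IP = "203.0.113.10"
NETWORKS = [
    LocalNetwork("10.1.1.0/24", ["eth1", "eth2"],
                 cascaded=["10.1.10.0/24"], aliases=["192.168.50.0/24"]),
    LocalNetwork("10.1.2.0/24", ["eth3.20"]),   # VLAN 20 tagged on eth3
]
ALL_UP = {"eth1": True, "eth2": True, "eth3.20": True}
ONE_PORT_DOWN = {"eth1": False, "eth2": True, "eth3.20": True}   # LAN still active
LAN_DOWN = {"eth1": False, "eth2": False, "eth3.20": True}       # LAN inactive

if __name__ == "__main__":
    print("SAs with all links up:", sorted(required_sas(NETWORKS, ALL_UP, GATEWAY_IP)))
    print("eth1 down only:", sa_transition(NETWORKS, ALL_UP, ONE_PORT_DOWN, GATEWAY_IP))
    print("whole LAN down:", sa_transition(NETWORKS, ALL_UP, LAN_DOWN, GATEWAY_IP))
    print("LAN back up:", sa_transition(NETWORKS, LAN_DOWN, ALL_UP, GATEWAY_IP))
    print("limits:", check_limits({"vig-a": required_sas(NETWORKS, ALL_UP, GATEWAY_IP)}))
```

Losing one of the LAN's two ports changes nothing, because the subnet stays active; only when both ports are down does the gateway tear down the subnet SA together with the cascaded-network and alias SAs that ride on it. check_limits is the planning step: a site with many VLANs, cascaded routes and aliases can exceed the 128-SA VIG ceiling well before it runs out of physical ports.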

AT&T VIG Initiating the BGP Advertisement

In this type of Remote Office connection, the AT&T VIG is responsible for performing the BGP exchange with the customer premises router on behalf of the VPN Gateway. For enablement reasons, this is the preferred BGP solution.