topic Re: S2S Vpn in Firewall and Security Management

S2S Vpn

BikeMan — Thu, 19 Oct 2023 07:46:53 GMT

Hi,

Not sure to be on the right group... but let's try.

I try to create a s2s vpn between 2 clusters running R81.10 last HFA. Both have 2 internet link, and I want to have a HA between eachlink. It is more or less working, but not as I would like.

So, taking time to read the complete doc (no comment...), I see in the S2S VPN guide I have to add routing information with metric. But when I use the "set static-route", I can't set any metric.

Does, in this case, "metric" means "priority" or there is another way to configure the "metric" ?

Do I also have to define the probing with "set static-route xxxx ping" also ?

The idea is to have a complete HA solution, using a first link as primary and a second one as secondary.

Many thanks for your help.

Rgds,

Re: S2S Vpn

PhoneBoy — Thu, 19 Oct 2023 20:10:27 GMT

"last HFA" is meaningless now or in the future since that will change.
Always include the specific JHF in use.

Yes priority means metric here.
set static-route xxx monitored-ip x.y.z.w should be correct.

Re: S2S Vpn

BikeMan — Wed, 25 Oct 2023 14:48:46 GMT

Using HFA110.

Currently the scope is simple. I have 2 clusters. CLA has one ISP (ISPA1). CLB,2 has 2 ISP (ISPB1, ISPB2).

On CLB ISP redundancy is applied without applying settings to VPN. So I have configured the Link selection on CLB to use only ISPB2, and route ISPA1 to ISPB2 (without set probing x.x.x.x/y on the cluster B members).

I have used Route probing, seems ISPB1 was still used for VPN.

Then set to Operating system Table, same result.

But I have checked the result with "Tunnel monitoring" and/or "vpn tu". Involved ISP was ISP1B.

When I check with tcpdump, it seems the right interface is used (no trafic on ethx, trafic on ethy).

If I have to use tcpdump to check, it is not funny at all.

Any idea ?

Thanks.

Re: S2S Vpn

PhoneBoy — Thu, 26 Oct 2023 04:02:16 GMT

So you're not applying ISP Redundancy to VPN and you ARE using VPN?
Possible this might cause the issues you're seeing.

Re: S2S Vpn

BikeMan — Thu, 26 Oct 2023 06:47:48 GMT

Yes, this is the set up. Check box in ISP Redundandcy is cleared. Because we don't want to use same link for Internet access and VPN, except in case of failure.

Re: S2S Vpn

PhoneBoy — Thu, 26 Oct 2023 16:18:22 GMT

Problem is, without that option being ticked, the underlying changes needed to make VPN work when failed over to the other ISP link will not be done.

Re: S2S Vpn

BikeMan — Thu, 26 Oct 2023 18:32:37 GMT

You mean HA mode in Link Selection and Route probing does not work if ISP Redundancy is on with a clear box Apply to VPN ?

Re: S2S Vpn

PhoneBoy — Thu, 26 Oct 2023 21:01:58 GMT

If you want VPN to fail over to a different link with ISP Redundancy, that box must be checked.
Otherwise, it probably will not work.

Re: S2S Vpn

BikeMan — Thu, 14 Dec 2023 08:49:45 GMT

Hi PhoneBoy,

Following several test, you are right and check box has to be checked. Sad to learn that because that means you can not split traffic (internet / vpn) in an easy way. Target was to have one link "master" for internet and the other link "master" for VPN.

Guessing that if I have 4 isp, I could configure 2 for Internet and 2 for VPN. This should work but it is not in the current scope.

Re: S2S Vpn

PhoneBoy — Fri, 15 Dec 2023 00:07:56 GMT

R82 should offer more flexibility in this area.