topic Re: IPSec tunnel setup with ISP Redundancy at SMB appliance in Spark Firewall (SMB)

IPSec tunnel setup with ISP Redundancy at SMB appliance

CheckCheckM — Sat, 21 Jan 2023 17:33:15 GMT

Hello everyone,

Remote site, will have an appliance with one ISP. My sites has (two ISP at HA appliances), Target is to establish a VPN to the remote site using two ISP links from my side for redundancy.

if one isp fails from my site, automatically the tunnel will be established to the remote using another isp link.

i did not get any options exception from ha/loadbalancing connection type for remote site. Actually, i need to specify my site ISP links.

is there any options to setup? Thanks.

Re: IPSec tunnel setup with ISP Redundancy at SMB appliance

PhoneBoy — Sun, 22 Jan 2023 04:12:58 GMT

It doesn't create two tunnels (one with each ISP Link) but it will establish with whatever ISP is active.

Re: IPSec tunnel setup with ISP Redundancy at SMB appliance

CheckCheckM — Sun, 22 Jan 2023 05:40:47 GMT

Hello @PhoneBoy you mean two internet ports will not working simultaneously?

SMB appliance has two internet ports, so i'm planning to use these two ports as one for user internet access and another one for ipsec tunnel. thanks.

Re: IPSec tunnel setup with ISP Redundancy at SMB appliance

G_W_Albrecht — Sun, 22 Jan 2023 08:30:01 GMT

As you have different routable IPs from the ISPs, i would do HA ISP redundancy using 2 VPNs:

- ISP 1 with IP 1 is the default ISP for all traffic

- IP 1 builds VPN tunnel 1 to remote site

- ISP 2 with IP 2 is the HA ISP

- IP 2 builds VPN tunnel 2 to remote site

- only VPN 1 goes up !

This is the working config, until connection monitoring finds that ISP 1 is down:

- if ISP 1 goes down, VPN tunnel 1 goes down

- ISP 2 goes active, and now VPN tunnel 2 comes up

Routing works as both VPN tunnels can not be up together...

Re: IPSec tunnel setup with ISP Redundancy at SMB appliance

PhoneBoy — Mon, 23 Jan 2023 16:35:17 GMT

Yes, you can load balance between the two connections.
The only way I can see possibly forcing all traffic to the second ISP would be to have explicit routes defined for the remote encryption domain to go through the second ISP's nexthop only.

Re: IPSec tunnel setup with ISP Redundancy at SMB appliance

starmen2000 — Fri, 18 Aug 2023 22:48:30 GMT

But in that case, how the line change from vpn1 to vpn2 automatically, if vpn1 is down? How can I configure it? On smartconsole or on webui of SMB?

Re: IPSec tunnel setup with ISP Redundancy at SMB appliance

CheckCheckM — Sat, 19 Aug 2023 13:38:55 GMT

is your vpn remote site is different? or same remote site with different source WAN links? scenario pls. SMB is limitation based on scenario as my experience.

Re: IPSec tunnel setup with ISP Redundancy at SMB appliance

starmen2000 — Mon, 21 Aug 2023 00:42:42 GMT

It is wan site with 2 different wan interfaces. Both of interfaces are going to establish site to Site vpn with headquarter. If one wan interface goes down (vpn1 is down), traffic is going through vpn2 ( wan Interface 2).

Re: IPSec tunnel setup with ISP Redundancy at SMB appliance

CheckCheckM — Mon, 21 Aug 2023 15:31:17 GMT

If you have two wan interfaces which is tunneling to HO-site, you do not need to do any special configuration for tunnel failover. Because only one active default route with WAN link which has low priority will establish to HO-site. When current WAN link is failed, another default route with WAN link which has high priority WAN link will be active and tunnel will go with it.

(i'm just checkpoint SMB admin, not specialist)