
ISP Redundancy and site-to-site VPN

Currently I have 3 external interfaces without ISP Redundancy. Each external interface has its own site-to-site VPN tunnels. They are implemented by doing the following:

1. I give different gateway IPs on my end to different organizations.

2. I add static routes for each peer IP in Gaia OS.

3. VPN Link Selection is on "Use probing. Link redundancy mode:" --> "High Availability"; "Outgoing Route Selection" --> "Operating system routing table".

I am running R80.20 on a VRRP setup. No PBR. All tunnels are running properly.

Now I am adding a 4th external interface, which happens to be an Internet circuit. I plan to configure ISP Redundancy by adding one of the 3 external interfaces as Primary ISP and the 4th interface as Secondary ISP, and set "Redundancy mode" to "Load sharing". I plan to deselect "Apply settings to VPN traffic" since I don't want to mess up all existing VPN tunnels.

Question: how do I make sure the existing VPN tunnels on the primary ISP will stay with the primary ISP, and will never shift to the secondary ISP? By the way, all peers are non-Checkpoint, and I will not give the gateway IP of my secondary ISP to any peers. Thank you in advance.

1 Reply

My understanding is that it should continue to work as is, primarily because you have disabled "Apply settings to VPN traffic."