Good day everyone,
I am trying to deploy a mobile branch office VPN with dual outbound connections, but I cannot get the VPN to form over the 2nd link when the other link is unavailable.
There is a centrally managed 1530 appliance at the remote side (running R81.10.17) and a centrally managed open server cluster running R81.20 at the main office. The SMS is behind this main office gateway.
The mobile VPN is in a transport truck style vehicle and uses a cellular connection with a static public IP for one connection. The vehicle is parked 90% of the time and to save bandwidth costs, we will have it connected in its garage to the corporate LAN at its location. This connection will have a static internal address. We'll call this LAN based connection the primary one.
I've configured the 1530 appliance with 2 internet connections and have the LAN connection configured as primary. In SmartConsole, since it's a 1530 I can't configure ISP redundancy, but for VPN link selection I have "Use Probing. Link redundancy mode: HA" with both static IPs listed for probing. The main IP for the object is the primary connection IP.
The main office gateway link selection is not configured for ISP redundancy and its VPN link selection is also defined as Use Probing with all of our static IPs listed that participate in our VPN tunnels.
I can establish the VPN tunnel successfully over the primary connection, but when I disconnect that one, the VPN tunnel doesn't re-establish over the secondary, even hours later. The secondary can pass outbound traffic to the internet so I know connectivity is there.
In the logs I can see dropped tunnel test packets from the remote side's secondary IP, with the error "According to the policy the packet should not have been decrypted". Both interfaces are configured on the gateway object as external interfaces.
Is ISP redundancy even the solution here or should I be looking at VTIs instead? I should add the LAN based connection doesn't need to be encrypted, but the cellular one definitely does.
I had also tried configuring the remote side as DAIP with a single internet connection and physically swapping cables into the WAN port, but that didn't work very reliably either, and I don't want the users of the vehicle to be unplugging or moving cables. Just the one from the LAN into the vehicle is enough.
I've been through many scenarios in my head so I know asynchronous routing is something to watch out for along with encryption domains. I thought the link selection would be the best solution since it would solve those concerns.
Thanks
Chris