CheckCheckM
Explorer

IPSec tunnel setup with ISP Redundancy at SMB appliance

Hello everyone,

The remote site will have an appliance with one ISP. My site has two ISPs at HA appliances. The target is to establish a VPN to the remote site using two ISP links from my side for redundancy.

If one ISP fails at my site, the tunnel will automatically be established to the remote site using the other ISP link.

I did not get any options except for the HA/load balancing connection type for the remote site. Actually, I need to specify my site's ISP links.

Are there any options to set this up? Thanks.


Accepted Solutions
G_W_Albrecht
Legend

As you have different routable IPs from the ISPs, I would do HA ISP redundancy using 2 VPNs:

- ISP 1 with IP 1 is the default ISP for all traffic

- IP 1 builds VPN tunnel 1 to remote site

- ISP 2 with IP 2 is the HA ISP

- IP 2 builds VPN tunnel 2 to remote site

- only VPN 1 goes up!

This is the working config, until connection monitoring finds that ISP 1 is down:

- if ISP 1 goes down, VPN tunnel 1 goes down

- ISP 2 goes active, and now VPN tunnel 2 comes up

Routing works as both VPN tunnels cannot be up together...

CCSE CCTE CCSM SMB Specialist

4 Replies
PhoneBoy
Admin

It doesn't create two tunnels (one with each ISP Link) but it will establish with whatever ISP is active.

CheckCheckM
Explorer

Hello @PhoneBoy, you mean two internet ports will not work simultaneously?

The SMB appliance has two internet ports, so I'm planning to use these two ports as one for user internet access and another one for the IPsec tunnel. Thanks.

PhoneBoy
Admin

Yes, you can load balance between the two connections.
The only way I can see possibly forcing all traffic to the second ISP would be to have explicit routes defined for the remote encryption domain to go through the second ISP's nexthop only.
