CheckCheckM
Participant

IPSec tunnel setup with ISP Redundancy at SMB appliance

Hello everyone,

The remote site will have an appliance with one ISP. My site has two ISPs on HA appliances. The target is to establish a VPN to the remote site using the two ISP links from my side for redundancy.

If one ISP fails on my side, the tunnel should automatically be established to the remote site using the other ISP link.

I did not get any options except the HA/load-balancing connection type for the remote site. Actually, I need to specify my site's ISP links.

Is there any option to set this up? Thanks.

1 Solution

Accepted Solutions
G_W_Albrecht
Legend

As you have different routable IPs from the ISPs, I would do HA ISP redundancy using 2 VPNs:

- ISP 1 with IP 1 is the default ISP for all traffic

- IP 1 builds VPN tunnel 1 to remote site

- ISP 2 with IP 2 is the HA ISP

- IP 2 builds VPN tunnel 2 to remote site

- only VPN 1 goes up!

This is the working config, until connection monitoring finds that ISP 1 is down:

- if ISP 1 goes down, VPN tunnel 1 goes down

- ISP 2 goes active, and now VPN tunnel 2 comes up

Routing works as both VPN tunnels cannot be up together...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist


8 Replies
PhoneBoy
Admin

It doesn't create two tunnels (one with each ISP Link) but it will establish with whatever ISP is active.

CheckCheckM
Participant

Hello @PhoneBoy, you mean the two internet ports will not work simultaneously?

The SMB appliance has two internet ports, so I'm planning to use these two ports as one for user internet access and the other one for the IPsec tunnel. Thanks.

PhoneBoy
Admin
Admin

Yes, you can load balance between the two connections.
The only way I can see possibly forcing all traffic to the second ISP would be to have explicit routes defined for the remote encryption domain to go through the second ISP's nexthop only.

starmen2000
Collaborator

But in that case, how does the line change from VPN 1 to VPN 2 automatically if VPN 1 is down? How can I configure it? In SmartConsole or in the WebUI of the SMB?

CheckCheckM
Participant

Is your VPN remote site different, or the same remote site with different source WAN links? Scenario please. In my experience, the SMB has limitations depending on the scenario.

starmen2000
Collaborator

It is a WAN site with 2 different WAN interfaces. Both interfaces are going to establish a site-to-site VPN with the headquarters. If one WAN interface goes down (VPN 1 is down), traffic goes through VPN 2 (WAN interface 2).

CheckCheckM
Participant

If you have two WAN interfaces tunneling to the HO site, you do not need to do any special configuration for tunnel failover, because there is only one active default route: the one via the WAN link with the low priority establishes the tunnel to the HO site. When the current WAN link fails, the other default route, via the WAN link with the high priority, becomes active and the tunnel will go over it.

(I'm just a Check Point SMB admin, not a specialist)

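As an added illustration of the design in G_W_Albrecht's accepted solution (two tunnels, one per ISP, only the active ISP's tunnel up) and of the default-route explanation in the reply just above, here is a small Python model written for this page; it is not a Check Point tool, configuration or code from anyone in the thread. Link names, the priority values, the addresses and the connection-monitoring events are constructed; the return to ISP 1 when it recovers is an assumption, and so is the remote site having both of our public IPs defined as peers.

```python
"""Model of two-ISP, two-tunnel failover for a site with one remote peer.

Constructed example for this thread: link names, priorities, IPs and the
monitoring events are assumptions, not values from the discussion.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class IspLink:
    name: str             # "ISP1" is the default ISP, "ISP2" the HA ISP
    local_ip: str         # routable IP from this ISP; the tunnel's source IP
    priority: int         # default-route priority: lower value is preferred
    healthy: bool = True  # latest result of connection monitoring


@dataclass
class VpnTunnel:
    name: str
    link: IspLink         # the ISP link this tunnel is bound to
    remote_peer: str      # the remote site's single public IP


def select_active_link(links: List[IspLink]) -> Optional[IspLink]:
    """Connection monitoring decides which ISP owns the default route: the
    healthy link with the best (lowest) priority, or None if all are down.
    Assumption: when the default ISP recovers, traffic moves back to it."""
    healthy = [link for link in links if link.healthy]
    if not healthy:
        return None
    return min(healthy, key=lambda link: link.priority)


def tunnel_states(tunnels: List[VpnTunnel]) -> Dict[str, bool]:
    """A tunnel can only be up when its ISP owns the default route, since
    that is the only local IP from which the remote peer is reachable."""
    active = select_active_link([t.link for t in tunnels])
    return {t.name: active is not None and t.link is active for t in tunnels}


def check_invariant(states: Dict[str, bool]) -> bool:
    """The point made in the accepted solution: both tunnels cannot be up at
    the same time. True when zero or one tunnel is up."""
    return sum(states.values()) <= 1


def required_remote_peers(tunnels: List[VpnTunnel]) -> List[str]:
    """Caveat for the remote side: it must accept a tunnel from either of our
    public IPs, so both must be defined as peers there (assumption)."""
    return sorted({t.link.local_ip for t in tunnels})


def simulate_failover(tunnels: List[VpnTunnel],
                      events: List[Tuple[str, bool]]) -> List[Dict[str, bool]]:
    """Apply monitoring events (link name, healthy?) in order and record the
    tunnel states after each one; fail loudly if the invariant breaks."""
    links = {t.link.name: t.link for t in tunnels}
    history = []
    for link_name, healthy in events:
        links[link_name].healthy = healthy
        states = tunnel_states(tunnels)
        if not check_invariant(states):
            raise RuntimeError(f"both tunnels up after {link_name}={healthy}")
        history.append(states)
    return history


def build_demo() -> Tuple[List[VpnTunnel], List[Tuple[str, bool]]]:
    """Constructed topology: ISP1 default (priority 10), ISP2 HA (priority 20),
    one remote peer. Documentation-range addresses, not real ones."""
    isp1 = IspLink("ISP1", "198.51.100.10", priority=10)
    isp2 = IspLink("ISP2", "203.0.113.20", priority=20)
    remote = "192.0.2.1"
    tunnels = [VpnTunnel("VPN1", isp1, remote), VpnTunnel("VPN2", isp2, remote)]
    events = [
        ("ISP1", True),   # steady state: ISP1 up, only VPN1 up
        ("ISP1", False),  # ISP1 fails: VPN1 down, VPN2 comes up
        ("ISP1", True),   # ISP1 recovers: back to VPN1 (assumption)
        ("ISP2", False),  # HA ISP fails while idle: nothing changes
        ("ISP1", False),  # both down: no tunnel at all
    ]
    return tunnels, events


def run_demo() -> List[Dict[str, bool]]:
    tunnels, events = build_demo()
    return simulate_failover(tunnels, events)


if __name__ == "__main__":
    demo_tunnels, _ = build_demo()
    print("remote must know peers:", required_remote_peers(demo_tunnels))
    for step, states in enumerate(run_demo()):
        print(step, states)
```

The model makes two things explicit that the thread states in prose: the tunnel follows whichever link holds the default route, so the two tunnels are never up together, and the remote gateway has to be prepared for the tunnel to arrive from either of the two local addresses.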
