CheckMates > Products > Quantum > Security Gateways
S2S Vpn
Hi,
Not sure to be on the right group... but let's try.
I try to create a S2S VPN between 2 clusters running R81.10 last HFA. Both have 2 internet links, and I want to have HA between each link. It is more or less working, but not as I would like.
So, taking time to read the complete doc (no comment...), I see in the S2S VPN guide I have to add routing information with metric. But when I use the "set static-route", I can't set any metric.
Does, in this case, "metric" mean "priority", or is there another way to configure the "metric"?
Do I also have to define the probing with "set static-route xxxx ping"?
The idea is to have a complete HA solution, using a first link as primary and a second one as secondary.
Many thanks for your help.
Rgds,
"last HFA" is meaningless now or in the future since that will change.
Always include the specific JHF in use.
Yes priority means metric here.
set static-route xxx monitored-ip x.y.z.w should be correct.
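To make the "priority means metric" point concrete, here is an added Gaia clish example (not from the thread or Check Point documentation) for the routing piece on one cluster member; the addresses are assumptions (remote peer 192.0.2.10, ISPB2 gateway 203.0.113.1, ISPB1 gateway 198.51.100.1) and the `#` lines are annotations, not clish input.

```clish
# Route to the remote VPN peer with two next hops. "priority" is Gaia's name for
# the metric: the lowest-priority next hop that is currently usable is installed.
set static-route 192.0.2.10/32 nexthop gateway address 203.0.113.1 priority 1 on
set static-route 192.0.2.10/32 nexthop gateway address 198.51.100.1 priority 2 on
# Ping the next-hop gateways; a gateway that stops answering is dropped from the
# route, so traffic to the peer moves to the priority-2 hop and back when it recovers.
set static-route 192.0.2.10/32 ping on
save config
```

Check the installed hop with `show route destination 192.0.2.10` before and after pulling the preferred link; the reply above notes `monitored-ip` as the alternative when the probe target should be something other than the next hop itself.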
Using HFA110.
Currently the scope is simple. I have 2 clusters. CLA has one ISP (ISPA1). CLB has 2 ISPs (ISPB1, ISPB2).
On CLB ISP redundancy is applied without applying settings to VPN. So I have configured the Link selection on CLB to use only ISPB2, and route ISPA1 to ISPB2 (without set probing x.x.x.x/y on the cluster B members).
I have used Route probing; it seems ISPB1 was still used for VPN.
Then set to Operating system Table, same result.
But I have checked the result with "Tunnel monitoring" and/or "vpn tu". Involved ISP was ISP1B.
When I check with tcpdump, it seems the right interface is used (no traffic on ethx, traffic on ethy).
If I have to use tcpdump to check, it is not funny at all.
Any idea?
Thanks.
So you're not applying ISP Redundancy to VPN and you ARE using VPN?
Possible this might cause the issues you're seeing.
Yes, this is the setup. The check box in ISP Redundancy is cleared, because we don't want to use the same link for Internet access and VPN, except in case of failure.
Problem is, without that option being ticked, the underlying changes needed to make VPN work when failed over to the other ISP link will not be done.
You mean HA mode in Link Selection and Route probing does not work if ISP Redundancy is on with a cleared "Apply to VPN" box?
If you want VPN to fail over to a different link with ISP Redundancy, that box must be checked.
Otherwise, it probably will not work.
Hi PhoneBoy,
Following several tests, you are right and the check box has to be checked. Sad to learn that, because it means you cannot split traffic (internet / VPN) in an easy way. The target was to have one link "master" for internet and the other link "master" for VPN.
Guessing that if I have 4 ISPs, I could configure 2 for Internet and 2 for VPN. This should work, but it is not in the current scope.
R82 should offer more flexibility in this area.
