BikeMan
Contributor

S2S Vpn

Hi,

Not sure to be on the right group... but let's try.

I am trying to create an S2S VPN between 2 clusters running R81.10 with the latest HFA. Both have 2 internet links, and I want to have HA between each link. It is more or less working, but not as I would like.

So, taking time to read the complete doc (no comment...), I see in the S2S VPN guide that I have to add routing information with a metric. But when I use "set static-route", I can't set any metric.

In this case, does "metric" mean "priority", or is there another way to configure the "metric"?

Do I also have to define the probing with "set static-route xxxx ping"?

The idea is to have a complete HA solution, using a first link as primary and a second one as secondary.

Many thanks for your help.

Rgds,

0 Kudos
9 Replies
PhoneBoy
Admin

"last HFA" is meaningless now or in the future since that will change.
Always include the specific JHF in use.

Yes, priority means metric here.
set static-route xxx monitored-ip x.y.z.w should be correct.

0 Kudos
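Worked example, added to this thread and not posted by either participant: the Gaia clish commands that put the answer above into practice, i.e. two next hops towards the VPN peer's public address, with "priority" acting as the metric and "monitored-ip" as the probe. All addresses are constructed placeholders, the commands have to be entered on each cluster member, and the exact keyword names are assumed from the Gaia Administration Guide rather than copied from this thread, so check them against the guide for your own JHF.

```clish
# Added example, not from the thread. Gaia clish, run on every cluster member.
# Constructed placeholder addresses:
#   peer cluster public address : 203.0.113.10
#   primary ISP next hop        : 198.51.100.1  (priority 1 = preferred)
#   secondary ISP next hop      : 192.0.2.1     (priority 2 = backup)

# Two next hops for the same destination; the lower priority value wins,
# which is what the S2S VPN guide calls the "metric".
set static-route 203.0.113.10/32 nexthop gateway address 198.51.100.1 priority 1 on
set static-route 203.0.113.10/32 nexthop gateway address 192.0.2.1 priority 2 on

# Probe the peer itself so the preferred route is withdrawn when the peer is
# unreachable that way; with a single monitored IP fail-all and fail-any behave
# the same, the option matters once several monitored IPs are listed.
set static-route 203.0.113.10/32 monitored-ip 203.0.113.10 on
set static-route 203.0.113.10/32 monitored-ip-option fail-all

# Alternative probe: ping the next-hop gateways instead of the peer.
# set static-route 203.0.113.10/32 ping on

save config

# Verify which next hop is currently active and that the config was saved.
show route static
show configuration static-route
```

Route monitoring only controls the routing table; as the rest of the thread shows, whether the VPN actually follows the route change on an ISP failover also depends on the ISP Redundancy "Apply settings to VPN traffic" option on the cluster object.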
BikeMan
Contributor

Using HFA110.

Currently the scope is simple. I have 2 clusters. CLA has one ISP (ISPA1). CLB has 2 ISPs (ISPB1, ISPB2).

On CLB, ISP Redundancy is applied without applying settings to VPN. So I have configured Link Selection on CLB to use only ISPB2, and route ISPA1 to ISPB2 (without setting probing x.x.x.x/y on the cluster B members).

I have used Route probing; it seems ISPB1 was still used for VPN.

Then I set it to Operating System Table, same result.

But I checked the result with "Tunnel monitoring" and/or "vpn tu". The involved ISP was ISPB1.

When I check with tcpdump, it seems the right interface is used (no traffic on ethx, traffic on ethy).

If I have to use tcpdump to check, it is not funny at all.

Any idea?

Thanks.

0 Kudos
PhoneBoy
Admin

So you're not applying ISP Redundancy to VPN and you ARE using VPN?
Possible this might cause the issues you're seeing.

0 Kudos
BikeMan
Contributor

Yes, this is the setup. The check box in ISP Redundancy is cleared, because we don't want to use the same link for Internet access and VPN, except in case of failure.

0 Kudos
PhoneBoy
Admin

Problem is, without that option being ticked, the underlying changes needed to make VPN work when failed over to the other ISP link will not be done.

0 Kudos
BikeMan
Contributor

You mean HA mode in Link Selection and Route probing do not work if ISP Redundancy is on with the "Apply to VPN" box cleared?

0 Kudos
PhoneBoy
Admin

If you want VPN to fail over to a different link with ISP Redundancy, that box must be checked.
Otherwise, it probably will not work.

0 Kudos
BikeMan
Contributor

Hi PhoneBoy,

Following several tests, you are right and the check box has to be checked. Sad to learn that, because that means you cannot split traffic (internet / VPN) in an easy way. The target was to have one link "master" for internet and the other link "master" for VPN.

I'm guessing that if I have 4 ISPs, I could configure 2 for Internet and 2 for VPN. This should work, but it is not in the current scope.

0 Kudos
PhoneBoy
Admin

R82 should offer more flexibility in this area.

0 Kudos