double fail-over WAN and VPN

Orad
Orad Posts: 16
Hello,
We have 2 sites connected with VPN, ATP units on both locations.
Each site has 2 ISPs connected for failover, with the failover configured as Trunk - Least Load First, Inbound+Outbound. The second ISP is passive.
I would like to have VPN working, no matter which provider fails.
What is the best way to realize that?
I saw this article 
How to Use Dual-WAN to Perform Fail-Over on VPN Using the VPN Concentrator – Zyxel Support Campus EMEA
In my case, with only 2 sites and not 3, do I need to configure a concentrator, or is adding Secondary IPs to the VPN Gateway setup (on both ends) enough?
Thank you

All Replies

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,396  Zyxel Employee
    edited November 2021 Answer ✓
    Hi @Orad,

    You can find the topic "How to Create VTI and Configure VPN Failover with VTI" in the handbook.
  • Orad
    Orad Posts: 16
    thank you @Zyxel_Emily
    In the handbook they create 2 VTIs, but if I understand correctly, I would need 4 VTIs on each side to get "full" redundancy?
  • Zyxel_Emily
    Zyxel_Emily Posts: 1,396  Zyxel Employee
    Answer ✓
    Hi @Orad,
    In this example, only two VPN Gateways are configured on each device:
    HQ_wan1------BO_wan1
    HQ_wan2------BO_wan2
    If you need full redundancy in case HQ_wan1 and BO_wan2 are disconnected at the same time, you need to add two extra VPN Gateways, the corresponding VPN tunnels and two extra VTI interfaces:
    HQ_wan1------BO_wan2
    HQ_wan2------BO_wan1
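The difference between the two-tunnel handbook layout and the four-tunnel full mesh is easiest to see by enumerating WAN failures and checking which tunnels survive. The script below is an added example (not from the handbook or any Zyxel tool, and not part of the original thread); the WAN and gateway names are the ones used in the thread, and the model only considers one or two WAN links failing, ignoring cases where a whole site loses every link.

```python
from itertools import combinations, product

# Interface names as used in the thread (HQ and branch office, two WANs each).
HQ_WANS = ("HQ_wan1", "HQ_wan2")
BO_WANS = ("BO_wan1", "BO_wan2")

# Handbook layout: one VPN gateway (and VTI) per matching WAN pair.
PARALLEL_TUNNELS = [("HQ_wan1", "BO_wan1"), ("HQ_wan2", "BO_wan2")]

# Full mesh: every HQ WAN paired with every BO WAN -> 2 x 2 = 4 gateways/VTIs.
MESH_TUNNELS = list(product(HQ_WANS, BO_WANS))


def surviving_tunnels(tunnels, failed_wans):
    """Return the tunnels whose two WAN endpoints are both still up."""
    failed = set(failed_wans)
    return [t for t in tunnels if t[0] not in failed and t[1] not in failed]


def uncovered_failures(tunnels, hq_wans=HQ_WANS, bo_wans=BO_WANS):
    """List single and double WAN failures that leave no tunnel up.

    Failure sets that take a whole site offline are skipped, since no
    tunnel layout can survive those.
    """
    all_wans = hq_wans + bo_wans
    uncovered = []
    for k in (1, 2):
        for failed in combinations(all_wans, k):
            failed_set = set(failed)
            if failed_set >= set(hq_wans) or failed_set >= set(bo_wans):
                continue  # entire site down; out of scope for WAN failover
            if not surviving_tunnels(tunnels, failed):
                uncovered.append(failed)
    return uncovered


def report(name, tunnels):
    """Print the failure scenarios a layout does not cover."""
    gaps = uncovered_failures(tunnels)
    print(f"{name}: {len(tunnels)} tunnels, "
          f"{len(gaps)} uncovered failure scenario(s)")
    for failed in gaps:
        print("  no tunnel survives when", " and ".join(failed), "are down")


if __name__ == "__main__":
    report("parallel (handbook)", PARALLEL_TUNNELS)
    report("full mesh", MESH_TUNNELS)
```

Running it shows that the two-tunnel layout has exactly two uncovered cross-site scenarios (HQ_wan1 with BO_wan2 down, and HQ_wan2 with BO_wan1 down), which is why the extra two gateways are needed; the four-tunnel mesh leaves nothing uncovered short of a whole site going offline.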
  • Orad
    Orad Posts: 16
    @Zyxel_Emily
    Also, we tested it today and it does work, but the time it takes to reconnect the VPN is a bit longer than we expected. Which settings should I play with to control it?
    It took about 4-5 minutes before the tunnel connected.
    In the trunk I have it set to Least Load First/Outbound. Should I change it to Spillover?
  • Orad
    Orad Posts: 16
    Thank you @jonatan,
    but you just gave me more things to learn, and I mean it in a good way! :)
    Now, from what I found, GRE would better maintain the connection, but VTI would be faster once connected? I know I'm oversimplifying it.
