double fail-over WAN and VPN

Orad · November 2021

Hello,
We have 2 sites connected with VPN, ATP units on both locations.
Each site has 2 ISP connected for fail over, and fail over configured Trunk - LeastLoad First, Inbound+Outbound. Second ISP in passive.
I would like to have VPN working, no matter which provider fails.
What is the best way to realize that?
I saw this article
How to Use Dual-WAN to Perform Fail-Over on VPN Using the VPN Concentrator – Zyxel Support Campus EMEA
In my case, when only 2 sites, and not 3, do i need to configure a concentrator or is adding Secondary IPs to VPN Gateway setup(on both ends) is enough?
Thank you

Zyxel_Emily · November 2021

Hi @Orad,

You can find the topic "How to Create VTI and Configure VPN Failover with VTI

" in the handbook.

Zyxel_Emily · December 2021

Hi @Orad,

In this example, only two VPN Gateway are configured on each device:

HQ_wan1------BO_wan1

HQ_wan2------BO_wan2

If you need full redundancy in case HQ_wan1 and BO_wan2 are disconnected at the same time, you need to add extra two VPN Gateways, corresponding VPN tunnels and extra two VTI interfaces.

HQ_wan1------BO_wan2

HQ_wan2------BO_wan1

Orad · December 2021

thank you @Zyxel_Emily
In handbook they create 2 VTIs, but if i understand correctly, i would need 4 VTIs on each side to get "full" redundancy?

Orad · December 2021

@Zyxel_Emily
also, we tested it today and it does work, but time it takes to reconnect VPN is a bit longer than we expected. Which settings should i play with to control it?
it took about a 4-5 minutes before tunnel connected.
In trunk i have it set to Least Load First/Outbound. Should i change it to Spillover?