IPSec VPN site to site with dual Wan

hmk Posts: 4
Hello,

I connected my site (site 1) with another company (site 2) with an IPSec tunnel. My issue is that I want to keep the connection when my WAN1 is down, so I changed my configuration: I went into my VPN Gateway, then changed "My Address", removed the interface WAN1 and put "0.0.0.0" in "Domain Name / IPv4", then I sent the public IP of my WAN2 to the other company for them to add the IP into their peer gateway as secondary.

But when they did, the VPN connection became unstable: it disconnected and reconnected, or was very slow, so they removed the IP. They're saying that their configuration is fine, but I'm not sure if mine is really fine too; it's the first time I do this kind of configuration with both IPSec and WAN failover. I think the VPN tried to use both WANs at the same time, or maybe they made 2 tunnels, I don't know, but I need to be sure that my configuration is fine. It works fine with only WAN1, and my WAN failover is working too. The only thing that I've changed is the interface in "My Address"; do I need to change anything else?


All Replies

  • PeterUK Posts: 2,868  Guru Member
    Does site 2 have another IP you could put in secondary?

  • PeterUK Posts: 2,868  Guru Member
    edited February 2023

    Testing here locally: if site 2 has one IP you can put it as secondary, and on WAN1 and OPT you need to enable the ping checker in the interface to the gateway, or even to the site 2 IP. It takes a good minute or 2 for it to switch.


  • hmk Posts: 4
    Site 2 has only 1 IP, and I have the ping checker on WAN1 and OPT for 8.8.8.8 for the internet failover.
  • Zyxel_Kevin Posts: 799  Zyxel Employee
    edited February 2023
    Hi @hmk
    Greetings Forum, please kindly check you have set and enabled:
    1) Peer ID: Any
    2) Put the secondary IP at Site 2
    Please also refer to the Handbook, page 214: "How to Configure IPSec VPN Failover"
    If the issue persists, we can have a remote session to assist you.
    Thank you
    Kevin
  • hmk Posts: 4
    Thanks, peer ID is already at Any, and I don't manage the site 2 router, I will see with them.
    I read page 214 but I don't get how the VPN Gateway will prioritize the interface WAN1 over WAN2 if we put all interfaces in "my address".
  • PeterUK Posts: 2,868  Guru Member
    edited February 2023

    I get the problem: when WAN1 fails it goes to OPT (or WAN2), but when WAN1 is back up it stays on OPT until it fails.

    You could add this to ideas, but with the USG40 it might not get it.

    So a workaround could be to have OPT go to a switch with an ACL that drops ARP on a schedule to focus it back to WAN1.


  • Zyxel_Kevin Posts: 799  Zyxel Employee
    Hi @hmk
    You have to set Primary and Secondary addresses at the site 2 gateway.
    Once the primary is unavailable, site 2 will send IKE initial packets to the Secondary, then the VPN works again.

    If site 2 is not a Zyxel firewall, it may also be implemented by creating two VPN profiles and using route-based VPN.
    Thank you
    Kevin
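As an added illustration for a non-Zyxel site 2 (example config written for this thread, not Zyxel's and not posted by anyone here): strongSwan expresses the primary/secondary peer list Kevin describes as a multi-valued `remote_addrs`, and the route-based part with an XFRM interface, so one profile serves both site 1 WAN addresses. The IPs are RFC 5737 placeholders; the site 1 LAN subnet, the interface id and the PSK are assumptions.

```conf
# swanctl.conf for site 2 (strongSwan, route-based VPN over an XFRM interface).
# Illustration only: addresses are RFC 5737 placeholders, subnet/if_id/PSK are assumptions.
connections {
    site1 {
        version = 2
        # site 2's single public IP
        local_addrs = 198.51.100.5
        # primary (site 1 WAN1) then secondary (site 1 WAN2): IKE is retried
        # against the next address once the current one stops answering
        remote_addrs = 203.0.113.10, 203.0.113.20
        # dead peer detection is what notices the WAN1 outage
        dpd_delay = 30s
        # 0 = keep retrying indefinitely instead of giving up after one attempt
        keyingtries = 0
        local {
            auth = psk
            id = 198.51.100.5
        }
        remote {
            auth = psk
            # accept whichever identity site 1 presents (Zyxel "Peer ID: Any")
            id = %any
        }
        children {
            net {
                # route-based: wide selectors, the routing table decides what is tunnelled
                local_ts = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                # bind the SAs to XFRM interface "ipsec11" created below
                if_id_in = 11
                if_id_out = 11
                start_action = start
                dpd_action = restart
            }
        }
    }
}
secrets {
    ike-site1 {
        # site 1 may identify itself with either WAN IP, so the PSK is bound to both
        id-1 = 203.0.113.10
        id-2 = 203.0.113.20
        secret = "REPLACE_WITH_SHARED_PSK"
    }
}
# One-time routing setup, run outside this file (assumes site 1 LAN is 10.1.0.0/24):
#   ip link add ipsec11 type xfrm dev eth0 if_id 11 && ip link set ipsec11 up
#   ip route add 10.1.0.0/24 dev ipsec11
```

Note that this does not fix the "no switch back" behaviour PeterUK describes: strongSwan likewise stays on the address it last succeeded with until that peer fails again.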
  • PeterUK Posts: 2,868  Guru Member
    edited February 2023

    @Zyxel_Kevin I think the problem here is that site 2 only has one IP, so you set both Primary and Secondary the same, but when WAN1 goes down (no ARP to gateway) it goes to WAN2 (OPT), but when WAN1 is back up and working the VPN does not switch back to WAN1.


  • hmk Posts: 4
    Thanks @Zyxel_Kevin but I don't manage site 2's router.
    @PeterUK I don't think this is it because WAN1 was still UP when they added the second IP, but as soon as they added the second IP the VPN connection was very bad: a lot of disconnects, and it's very slow.