IPSec VPN site to site with dual WAN
I connected my site (site 1) with another company (site 2) with an IPSec tunnel. My issue is that I want to keep the connection when my WAN1 is down, so I changed my configuration: I went into my VPN Gateway, changed "My Address", removed the interface WAN1 and put "0.0.0.0" in "Domain Name / IPv4", then I sent the public IP of my WAN2 to the other company for them to add the IP into their peer gateway as secondary.
But when they did, the VPN connection became unstable: it disconnected and reconnected, or was very slow, so they removed the IP. They're saying that their configuration is fine, but I'm not sure mine is really fine too; it's the first time I do this kind of configuration with both IPSec and WAN failover. I think the VPN tried to use both WANs at the same time, or maybe they did 2 tunnels, I don't know, but I need to be sure that my configuration is fine. It works fine with only WAN1, and my WAN failover is working too; the only thing that I've changed is the interface in "My Address". Do I need to change anything else?
All Replies
Does site 2 have another IP you could put in secondary?
Testing here locally: if site 2 has one IP you can put it as secondary, and on WAN1 and OPT you need to enable the ping checker in the interface to the gateway or even to the site 2 IP. It takes a good minute or 2 for it to switch.
Site 2 has only 1 IP, and I have the ping checker on WAN1 and OPT for 8.8.8.8 for the internet failover.
Thanks, peer ID is already at Any, and I don't manage site 2's router, I will see with them.
I read page 214 but I don't get how the VPN Gateway will prioritize the interface WAN1 over WAN2 if we put all interfaces in "My Address".
I get the problem: when WAN1 fails it goes to OPT (or WAN2), but when WAN1 is back up it stays on OPT until it fails.
You could add this to ideas, but with the USG40 it might not get it.
So a workaround could be to have OPT go to a switch with an ACL dropping ARP on a schedule to focus it back to WAN1.
Hi @hmk,
You have to set Primary and Secondary addresses at the site 2 gateway.
Once the primary is unavailable, site 2 will send IKE initial packets to the Secondary, then the VPN works again.
If site 2 is not a Zyxel firewall, it may also be implemented by creating two VPN profiles and using route-based VPN.
Thank you
Kevin
@Zyxel_Kevin I think the problem here is that site 2 only has one IP, so you set both Primary and Secondary the same, but when WAN1 goes down (no ARP to gateway) it goes to WAN2 (OPT), but when WAN1 is back up and working the VPN does not switch back to WAN1.
Thanks @Zyxel_Kevin, but I don't manage site 2's router.
@PeterUK I don't think this is it, because WAN1 is still UP when they add the second IP, but as soon as they add the second IP the VPN connection is very bad, a lot of disconnects and it's very slow.