VPN IPSEC REDUNDANT WAN1 WAN2
All Replies
-
You can use route-based IPSec VPN tunnel interfaces to build a load balance or failover Trunk.
1. Build 4 IPSec VTI tunnels and interfaces:
USG A:wan1 - USG B:wan1 -> vti1
USG A:wan1 - USG B:wan2 -> vti2
USG A:wan2 - USG B:wan1 -> vti3
USG A:wan2 - USG B:wan2 -> vti4
You can refer to this KB: How can I configure IPSec site-to-site VPN by using VTI
https://kb.zyxel.com/KB/searchArticle!gwsViewDetail.action?articleOid=015634&lang=EN
2. Add VTI interface into a Trunk
Note:
You need to configure a connectivity check on each VTI interface first, to ping the peer VTI interface IP address, so that the system knows whether the tunnel is good or not.
(1) go to CONFIGURATION > Interface > Trunk > User Configuration > Add Trunk
(2) add vti1 ~ vti4 as active interface
3. Add policy route
Source: USG A subnets
Destination: USG B subnets
Next hop: the trunk you create in step 2
SNAT: none
The same concept applies to configuring USG B.
1 -
Thanks for the reply.
It is possible to do this without VTI.
Thank you
0 -
Hi @BlueTeam
VTI interface is required.
The traffic redundancy is controlled by the “Trunk” setting.
It controls the load balancing algorithm (WRR/LLF/Spillover) on your VPN tunnel interfaces.
0
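The four-tunnel trunk described in the replies above can be reasoned about with a small model. This is an added example, not part of the original posts and not Zyxel code: it shows which VTIs survive a WAN outage and how much traffic is lost if the connectivity check is skipped. The vti1..vti4 mapping comes from the thread; the equal weights and the weighted distribution are assumptions.

```python
# Simplified model of the four-tunnel trunk from the thread (constructed example).
# The vti1..vti4 mapping is from the post; the weights and the weighted
# distribution are illustrative assumptions, not Zyxel firmware behaviour.
TUNNELS = {
    "vti1": ("A:wan1", "B:wan1"),
    "vti2": ("A:wan1", "B:wan2"),
    "vti3": ("A:wan2", "B:wan1"),
    "vti4": ("A:wan2", "B:wan2"),
}
LINKS = sorted({link for ends in TUNNELS.values() for link in ends})


def tunnels_up(failed_links):
    """Tunnels whose underlay WAN links are both still up."""
    failed = set(failed_links)
    return [name for name, ends in TUNNELS.items() if not failed & set(ends)]


def trunk_members(failed_links, connectivity_check=True):
    """Interfaces the trunk keeps using.

    Without a connectivity check nothing marks a dead tunnel as down,
    so all four VTIs stay in rotation.
    """
    return tunnels_up(failed_links) if connectivity_check else list(TUNNELS)


def blackholed_share(failed_links, weights, connectivity_check=True):
    """Weighted fraction of new sessions that land on a dead tunnel."""
    members = trunk_members(failed_links, connectivity_check)
    if not members:
        return 1.0  # no usable tunnel at all: the site-to-site path is down
    alive = set(tunnels_up(failed_links))
    dead_weight = sum(weights[m] for m in members if m not in alive)
    return dead_weight / sum(weights[m] for m in members)


if __name__ == "__main__":
    weights = {name: 1 for name in TUNNELS}  # equal weights (assumption)
    for link in LINKS:
        print(f"{link} down -> up: {tunnels_up([link])}, "
              f"lost without check: {blackholed_share([link], weights, False):.0%}, "
              f"with check: {blackholed_share([link], weights, True):.0%}")
    print("A:wan1 + B:wan2 down ->", tunnels_up(["A:wan1", "B:wan2"]))
```

In this model any single WAN failure leaves two tunnels up, and one failure on each side still leaves one, which is why all four WAN pairings are built.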