I have a question about an IPSEC with VTI.
I have two routers (USG FLEX 700H and USG FLEX 500) with dual WAN.
I have made an IPSEC from ROUTER-1 WAN 1 to ROUTER-2 WAN 1
I have made an IPSEC from ROUTER-1 WAN 2 to ROUTER-2 WAN 2
Remote LAN Router 1: 192.168.100.0/24
Remote LAN Router 2: 192.168.1.0/24
Router 1:
VTI1(via IPSEC via WAN1): 10.10.100.1
VTI2(via IPSEC via WAN2): 10.10.101.2
Router 2:
VTI1(via IPSEC via WAN1): 10.10.1.1
VTI2(via IPSEC via WAN2): 10.10.1.2
The tunnels are online. The VTI is also working. I can do a PING from client to the other subnet.
Now the question: If I turn on Connectivity Check to remote VTI address or to remote subnet address, the VTI goes dead.
The intention is that if the first IPSEC goes offline, there is an automatic failover to the 2nd IPSEC.
How can I get that working?
Accepted Solution
Router 1:
VTI1(via IPSEC via WAN1): 10.10.100.1
VTI2(via IPSEC via WAN2): 10.10.101.2
Router 2:
VTI1(via IPSEC via WAN1): 10.10.1.1
VTI2(via IPSEC via WAN2): 10.10.1.2
Your VTIs are Router1-WAN1 <> Router2-WAN1 and Router1-WAN2 <> Router2-WAN2?
If you set
Router 1:
VTI1(via IPSEC via WAN1): 10.10.100.1
VTI2(via IPSEC via WAN2): 10.10.101.1
Router 2:
VTI1(via IPSEC via WAN1): 10.10.100.2
VTI2(via IPSEC via WAN2): 10.10.101.2
and point the connectivity check at the other side, does it fail?
0
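As an added example (not from the thread and not Zyxel code), a small Python checker that captures why the accepted answer's addressing works: each VTI is treated as a point-to-point link with an assumed /24 prefix, and the connectivity check is modelled as a ping to the peer's VTI address. It flags the original layout, where the peer address sits outside the local VTI subnet, and passes the corrected one.

```python
import ipaddress

# Constructed from the thread: (local VTI IP, remote VTI IP, prefix length) per
# tunnel as seen from Router 1. The /24 prefix is an assumption; the post does
# not state the mask. VTI1 is WAN1<>WAN1, VTI2 is WAN2<>WAN2.
ORIGINAL = {
    "VTI1": ("10.10.100.1", "10.10.1.1", 24),
    "VTI2": ("10.10.101.2", "10.10.1.2", 24),
}
CORRECTED = {
    "VTI1": ("10.10.100.1", "10.10.100.2", 24),
    "VTI2": ("10.10.101.1", "10.10.101.2", 24),
}


def check_vti_pairs(tunnels):
    """Return a list of problems; an empty list means every VTI peer is directly
    reachable, so a connectivity check aimed at the peer VTI address can succeed."""
    problems = []
    seen_nets = {}
    for name, (local, remote, plen) in tunnels.items():
        local_if = ipaddress.ip_interface(f"{local}/{plen}")
        remote_ip = ipaddress.ip_address(remote)
        if local_if.ip == remote_ip:
            problems.append(f"{name}: local and remote VTI addresses are identical")
        if remote_ip not in local_if.network:
            # This is the original layout's fault: the check target is not on-link,
            # so the probe is routed elsewhere (or dropped) and the VTI is marked dead.
            problems.append(f"{name}: peer {remote} is outside {local_if.network}; "
                            "a connectivity check to it has no direct route")
        net = local_if.network
        if net in seen_nets:
            problems.append(f"{name}: shares {net} with {seen_nets[net]}; "
                            "overlapping VTI subnets make failover routing ambiguous")
        seen_nets.setdefault(net, name)
    return problems


def pick_active_tunnel(order, peer_up):
    """Failover policy the poster wants: use the first tunnel (in preference
    order) whose peer VTI answers the connectivity check; None if all are down."""
    for name in order:
        if peer_up.get(name):
            return name
    return None
```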
All Replies
So the ping check is on the FLEX 500, due to the 700H not having this yet.
So for the ping to work, you should ping the IP in VPN settings at the bottom (VTI Setting, Local IP), with a firewall rule from the zone of your VTI to ZyWALL.
0
I don't think that is possible in the VPN settings. When using a VTI tunnel, the 'Connectivity Check' option is not visible. It is only available for the 'Site-to-Site' option, but I am using the 'VPN Tunnel Interface' option.
If I activate the Connectivity Check on the VTI, the VTI goes down. When I check the log on the remote router, I don’t see any message about ping blocking.
0
Yes, this works. Great. Thanks for the help!
0