IPSec failover question

Started by Kenren_Taisho, April 30, 2024, 09:04:34 AM

Hello.
I have a requirement to connect to an AWS network using a routed IPSec VPN.
I was given a parameter sheet to configure two IPSec tunnels having the second tunnel as the DR or failover.
In summary, I configured two IPSec tunnels, two far gateways, and two static routes pointing to the same VPN network.

Is it possible to achieve an automated fail-over? Currently, I can failover by manually switching the gateways/routes. Thanks in advance.


Have you tried out if you can use Gateway Monitoring and a Gateway Group for that?
Hardware:
DEC740

Yes, I tried. It does not work with gateway groups. Here's what I noticed:

1. netstat -r shows that I only have 1 active route, regardless of the 2 configured static routes for the VPN network.
2. If one tunnel dies, the route does not change.
3. Failover works by manually changing the route to the working tunnel.

Can this manual changing of the route be automated?

I'm not really sure here. Maybe somebody else can pick this up or correct me.

I think a high availability IPSec setup needs more components.

- IPsec
- GRE over IPsec (so multicasts for dynamic routing protocols can work through the VPN tunnel)
- A dynamic routing protocol, so the routing table can change dynamically.

Hardware:
DEC740
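As an added example (not from this thread and not OPNsense's or AWS's own configuration), the dynamic-routing component described above could look like this in FRR's bgpd for two tunnels to AWS. Every address, ASN and prefix below is an assumed placeholder; the real values come from the AWS parameter sheet.

```conf
! Added example, not from the thread: FRR bgpd config for a dual-tunnel
! AWS site-to-site VPN. All addresses, ASNs and prefixes are placeholders.
!
! Tunnel 1 (primary):  inside IPs 169.254.10.1/30 (local) / 169.254.10.2 (AWS)
! Tunnel 2 (failover): inside IPs 169.254.20.1/30 (local) / 169.254.20.2 (AWS)
! Local ASN 65000, AWS ASN 64512, local LAN 10.10.0.0/16
!
router bgp 65000
 bgp router-id 10.10.0.1
 neighbor 169.254.10.2 remote-as 64512
 neighbor 169.254.10.2 description aws-tunnel-1-primary
 neighbor 169.254.20.2 remote-as 64512
 neighbor 169.254.20.2 description aws-tunnel-2-failover
 !
 address-family ipv4 unicast
  network 10.10.0.0/16
  ! FRR expects an inbound and outbound policy on every eBGP peer.
  ! Outbound: prefer tunnel 1 for routes learned from AWS
  neighbor 169.254.10.2 route-map T1-IN in
  neighbor 169.254.10.2 route-map T1-OUT out
  neighbor 169.254.20.2 route-map T2-IN in
  ! Return traffic: make AWS prefer tunnel 1 by lengthening the
  ! AS path announced over tunnel 2
  neighbor 169.254.20.2 route-map T2-PREPEND-OUT out
 exit-address-family
!
route-map T1-IN permit 10
 set local-preference 200
!
route-map T1-OUT permit 10
!
route-map T2-IN permit 10
 set local-preference 100
!
route-map T2-PREPEND-OUT permit 10
 set as-path prepend 65000 65000
```

When tunnel 1 drops, its BGP session expires after the hold time, the routes learned over it are withdrawn, and the lower-preference routes from tunnel 2 take over in the routing table without any manual route change; when tunnel 1 returns, preference flips back the same way.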