OPNsense Forum » English Forums » Virtual private networks » IPSec failover question
Kenren_Taisho
IPSec failover question
on: April 30, 2024, 09:04:34 am
Hello.
I have a requirement to connect to an AWS network using a routed IPSec VPN.
I was given a parameter sheet to configure two IPSec tunnels having the second tunnel as the DR or failover.
In summary, I configured two IPSec tunnels, two far gateways, and two static routes pointing to the same VPN network.
Is it possible to achieve an automated failover? Currently, I can fail over by manually switching the gateways/routes. Thanks in advance.
Monviech (Cedrik), Global Moderator
Re: IPSec failover question
Reply #1 on: April 30, 2024, 09:56:38 am
Have you tried out if you can use Gateway Monitoring and a Gateway Group for that?
Hardware: DEC740
Kenren_Taisho
Re: IPSec failover question
Reply #2 on: April 30, 2024, 10:43:35 am
Yes, I tried. It does not work with gateway groups. Here's what I noticed:
1. netstat -r shows that I only have 1 active route, regardless of the 2 configured static routes for the VPN network.
2. If one tunnel dies, the route does not change.
3. Failover works by manually changing the route to the working tunnel.
Can this manual changing of the route be automated?
Monviech (Cedrik), Global Moderator
Re: IPSec failover question
Reply #3 on: April 30, 2024, 10:51:31 am
I'm not really sure here. Maybe somebody else can pick this up or correct me.
I think a high availability IPSec setup needs more components.
- IPsec
- GRE over IPsec (so multicasts for dynamic routing protocols can work through the VPN tunnel)
- A dynamic routing protocol, so the routing table can change dynamically.
Hardware: DEC740
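The manual route switch described in Reply #2, automated as a probe-and-repoint watchdog. This is an added example, not code from the thread or from the OPNsense project: the tunnel names, the 169.254.x.x inside addresses, the 10.200.0.0/16 far network, the thresholds and the `route change` usage are all assumptions. It implements the static-route fallback only; the GRE-plus-dynamic-routing design from Reply #3 is the alternative in which the routing protocol does this job instead of a script.

```python
# Added example (not from the forum thread or OPNsense): a small route-failover
# watchdog for two routed IPsec tunnels that both reach the same far network.
# It debounces per-tunnel probes, decides which tunnel should carry the static
# route, and emits the FreeBSD `route change` command that replaces the manual
# step from the thread. All addresses, names and thresholds are assumptions.
import subprocess
import time
from dataclasses import dataclass

VPN_NET = "10.200.0.0/16"  # constructed: far-side network both static routes point to
FAIL_THRESHOLD = 3         # consecutive failed probes before a tunnel is declared down
RECOVER_THRESHOLD = 5      # consecutive good probes before a tunnel is trusted again


@dataclass
class Tunnel:
    name: str
    gateway: str        # peer's inside address on this tunnel interface (assumed)
    failures: int = 0
    successes: int = 0
    healthy: bool = True


def probe(tunnel, timeout_s=2):
    """One ICMP probe of the peer's inside address. Because that address sits on
    the tunnel interface itself, the probe tests this tunnel regardless of which
    route is currently installed (pinging a far-side host would only test the
    active route). FreeBSD ping syntax: -t is the overall timeout in seconds."""
    result = subprocess.run(
        ["ping", "-c", "1", "-t", str(timeout_s), tunnel.gateway],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
    )
    return result.returncode == 0


def update_health(tunnel, probe_ok):
    """Debounce probe results so a single lost packet does not flap the route."""
    if probe_ok:
        tunnel.failures = 0
        tunnel.successes += 1
        if not tunnel.healthy and tunnel.successes >= RECOVER_THRESHOLD:
            tunnel.healthy = True
    else:
        tunnel.successes = 0
        tunnel.failures += 1
        if tunnel.healthy and tunnel.failures >= FAIL_THRESHOLD:
            tunnel.healthy = False
    return tunnel.healthy


def choose_active(primary, secondary, current):
    """Preempt back to the primary whenever it is healthy; otherwise use the
    secondary; if both are down, keep whatever route is installed."""
    if primary.healthy:
        return primary
    if secondary.healthy:
        return secondary
    return current


def route_change_cmd(net, gateway):
    """FreeBSD command that repoints an existing static route at a new gateway."""
    return ["route", "-n", "change", "-net", net, gateway]


def run_cycle(primary, secondary, current, probe_results, execute=False):
    """One monitoring round. Returns (tunnel now active, command issued or None)."""
    for tunnel in (primary, secondary):
        update_health(tunnel, probe_results[tunnel.name])
    chosen = choose_active(primary, secondary, current)
    cmd = None
    if chosen is not current:
        cmd = route_change_cmd(VPN_NET, chosen.gateway)
        if execute:
            subprocess.run(cmd, check=True)
    return chosen, cmd


def simulate(rounds):
    """Replay constructed (primary_ok, secondary_ok) probe rounds and return the
    route commands that would have been issued, without touching the system."""
    primary = Tunnel("tunnel1", "169.254.10.1")    # constructed inside address
    secondary = Tunnel("tunnel2", "169.254.20.1")  # constructed inside address
    current = primary  # assumes the installed route currently points at tunnel1
    issued = []
    for p_ok, s_ok in rounds:
        current, cmd = run_cycle(primary, secondary, current,
                                 {"tunnel1": p_ok, "tunnel2": s_ok})
        if cmd:
            issued.append(" ".join(cmd))
    return issued


if __name__ == "__main__":
    # Live mode: probe both tunnels every few seconds and apply route changes.
    primary = Tunnel("tunnel1", "169.254.10.1")
    secondary = Tunnel("tunnel2", "169.254.20.1")
    current = primary
    while True:
        results = {t.name: probe(t) for t in (primary, secondary)}
        current, cmd = run_cycle(primary, secondary, current, results, execute=True)
        if cmd:
            print("switched:", " ".join(cmd))
        time.sleep(5)
```

Two caveats for anyone running this on a firewall. First, OPNsense regenerates static routes from its own configuration on reload, so a route altered with `route change` from outside the GUI can be reverted the next time the configuration is applied; the script is a stopgap, not a replacement for routing driven by the system. Second, `choose_active` preempts back to the primary as soon as it has passed RECOVER_THRESHOLD probes, which is what an active/DR pair usually wants but does cause one extra route switch on recovery.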