Netgate Discussion Forum

    Multiple VTI tunnels between sites on HA & multi-WAN routers

Thale (last edited by Thale):

      I am currently working on this in a lab to try to prove if VTI will work for our production environment. We have two locations, both with HA and both with 2 WAN connections. In the lab, I have Site 1 WAN 1 connected to Site 2 WAN 1, and Site 1 WAN 2 connected to Site 2 WAN 2. We want to have routed traffic so that if Site 1 WAN 1 goes down, traffic between sites will switch to use the WAN2 tunnel with nearly no delay. I'm using BGP to dynamically route traffic.

      What I've found is that both tunnels work and both will pass traffic after setting up routes, etc. However, only one phase 1 will be connected at a time. If I click on the "Connect" for the 2nd tunnel, then the first tunnel disconnects. I was hoping to have both phase 1s active and let the routing protocol reroute traffic in case of an outage. Instead, there's downtime while phase 1 on the secondary WAN connects and the routing protocols then update.

      Is this normal, or am I missing something that will allow both phase 1s to be connected at the same time and minimize downtime when a provider fails?

dotdash, replying to Thale:

        @thale
Something must be awry with the IPsec configuration. Getting two tunnels going should be the easy part, just use unique IPs on the VTI connections and set one with a higher weight in BGP. The problems I've seen have been packet loss unless MSS clamping is on, and a tunnel not re-establishing if the line is down for an extended period of time. What messages are you getting in the IPsec log when the second tunnel comes up?

Thale, replying to dotdash:
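As an added example (not from this thread and not pfSense's own generated configuration), the pattern dotdash describes, two VTI tunnels with unique interface addresses and BGP preferring one of them, written as raw FRR bgpd configuration for Site 1; pfSense's FRR package builds the equivalent from its GUI. The AS numbers, VTI addresses and LAN prefix are assumed placeholders, and Site 2 needs the mirror-image configuration so both ends prefer the same tunnel.

```frr
! Site 1 bgpd config (assumed values: local AS 65001, Site 2 is AS 65002).
! VTI interfaces, each with its own /30 so the two sessions never share an address:
!   ipsec1 = 10.255.1.1/30 over WAN1 (Site 2 end 10.255.1.2)
!   ipsec2 = 10.255.2.1/30 over WAN2 (Site 2 end 10.255.2.2)
! MSS clamping is an IPsec setting in pfSense (VPN > IPsec > Advanced Settings),
! not a BGP setting, so it does not appear here.
router bgp 65001
 bgp router-id 10.255.1.1
 ! Primary path: Site 2 over the WAN1 tunnel, higher weight wins
 neighbor 10.255.1.2 remote-as 65002
 neighbor 10.255.1.2 description site2-over-wan1-vti
 neighbor 10.255.1.2 weight 200
 ! Secondary path: Site 2 over the WAN2 tunnel, lower weight so its routes
 ! are only installed once the WAN1 session is gone
 neighbor 10.255.2.2 remote-as 65002
 neighbor 10.255.2.2 description site2-over-wan2-vti
 neighbor 10.255.2.2 weight 100
 ! 3s keepalive / 9s hold so a dead tunnel is noticed in seconds instead of
 ! the 180s default hold time; BFD (bfdd) would bring this to sub-second
 neighbor 10.255.1.2 timers 3 9
 neighbor 10.255.2.2 timers 3 9
 address-family ipv4 unicast
  ! Assumed Site 1 LAN prefix advertised over both sessions
  network 192.168.1.0/24
  neighbor 10.255.1.2 activate
  neighbor 10.255.2.2 activate
 exit-address-family
```

Both phase 1s stay up because each BGP session rides its own VTI; only the route selection changes when a session drops, which is what removes the reconnect delay described in the first post.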

@dotdash Thanks for the feedback.

          Just to follow up on this in case it helps someone else, I did get this working. I had upgraded my lab routers to 2.6.0 (which it looks like I left out of my original message), and then restored a backup from an earlier version (2.4.5 I think). Either the upgrade or the restore of the previous version's backup seems to have caused this (or the combination). I did a completely fresh install of version 2.6.0 and manually reconfigured it, and I didn't have any more problems.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.