    Routed IPsec with multi-WAN and HA

      Thale (last edited by Thale)

      We currently have IPsec tunnels connecting our various locations. Most locations have dual WAN connections and HA. We want to change to routed IPsec using OSPF so that we can route internal communications between the various locations in the case of a partial outage at one of the locations. It sounds weird, but we do occasionally have situations where site B loses communication with site A but can still talk to site C, and site A and site C are also talking fine.

      Although I haven't found anything that specifically talks through the configuration in this scenario, it sounds like phase 1 would still use CARP WAN addresses for the dual-WAN, and the VTI phase 2 would be set up separate per router.

      Where I'm not sure of the best route is when it comes to the phase 2s. If I'm understanding this correctly, we should have a separate phase 2 defined for each link, and we can't use anything like a CARP address to do it. Thus, each link will need to be defined between individual routers (not sites). So site A would have two phase 2 VTIs from router 1 going to both router 1 and router 2 at site B, and site A router 2 would also have a separate phase 2 defined to each router at site B. Then we would repeat for the 2nd router at site B.

      Is that correct? Is there some better way to configure VTI for HA and multi-WAN? Part of me feels like defining 4 links per pair of sites is too much so I must be thinking about it wrong.

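      Added example, not from the original post and not Netgate's own code: the post's reasoning is that a VTI phase 2 binds a single router on each end, so two HA nodes per site gives a 2 x 2 mesh of four tunnels per pair of sites, each needing its own transit subnet and its own OSPF interface. The script below enumerates that mesh, allocates a /30 per tunnel from a reserved block, and renders an FRR-style OSPF fragment for each router. Router names, the 10.255.0.0/24 transit block, and the ipsecN interface names are constructed assumptions; `ip ospf network point-to-point` is FRR syntax and is used because a VTI has exactly two endpoints and a DR election on it only slows convergence.

```python
# Added example (not part of the original forum post): enumerate the full mesh
# of router-to-router VTI tunnels between two HA sites and emit a matching
# FRR OSPF fragment per router.
from itertools import product
import ipaddress

# Constructed sample data: router names and transit block are assumptions.
SITE_A = ["siteA-r1", "siteA-r2"]
SITE_B = ["siteB-r1", "siteB-r2"]
TRANSIT_BLOCK = "10.255.0.0/24"   # assumed private block reserved for tunnel /30s


def tunnel_count(site_a, site_b):
    """Number of VTI phase 2s needed when every router pairs with every peer."""
    return len(site_a) * len(site_b)


def vti_mesh(site_a, site_b, transit_block):
    """One tunnel per (router at A, router at B) pair, each with its own /30.

    Tunnels are ordered by router at A, then router at B, so the allocation is
    deterministic and both sides can derive the same transit addresses.
    """
    pool = ipaddress.ip_network(transit_block).subnets(new_prefix=30)
    mesh = []
    for a, b in product(site_a, site_b):
        net = next(pool)
        lo, hi = list(net.hosts())        # a /30 has exactly two usable hosts
        mesh.append({"local": a, "remote": b, "net": net,
                     "local_ip": lo, "remote_ip": hi})
    return mesh


def tunnels_for(router, mesh):
    """Tunnels touching `router`, each as (my transit IP, peer transit IP, net)."""
    out = []
    for t in mesh:
        if router == t["local"]:
            out.append((t["local_ip"], t["remote_ip"], t["net"]))
        elif router == t["remote"]:
            out.append((t["remote_ip"], t["local_ip"], t["net"]))
    return out


def frr_ospf_fragment(router, mesh, area="0.0.0.0"):
    """Render FRR (vtysh-style) config for every tunnel touching `router`.

    Interface names ipsec1, ipsec2, ... are hypothetical placeholders; the real
    VTI interface names on each box depend on how its phase 2s are ordered.
    """
    ospf = ["router ospf"]
    ifaces = []
    for n, (me, peer, net) in enumerate(tunnels_for(router, mesh), start=1):
        ospf.append(f" network {net} area {area}")
        ifaces += [f"interface ipsec{n}",
                   f" description VTI {me} -> {peer}",
                   " ip ospf network point-to-point"]
    return "\n".join(ospf + ifaces)


if __name__ == "__main__":
    mesh = vti_mesh(SITE_A, SITE_B, TRANSIT_BLOCK)
    print(f"{tunnel_count(SITE_A, SITE_B)} tunnels between the two sites")
    for t in mesh:
        print(f"{t['local']} {t['local_ip']} <-> {t['remote']} {t['remote_ip']}  ({t['net']})")
    for r in SITE_A + SITE_B:
        print(f"\n! {r}\n{frr_ospf_fragment(r, mesh)}")
```

      Each router ends up with two point-to-point OSPF adjacencies to the other site, so losing one WAN, one peer node, or one tunnel leaves at least one path in the routing table without any manual intervention; extending the mesh to a third site just means calling `vti_mesh` again with a fresh transit block.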
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.