Routed IPSEC with multi-wan and HA

We currently have IPSEC tunnels connecting our various locations. Most locations have dual WAN connections and HA. We want to change to routed IPSEC using OSPF so that we can route internal communications between the various locations in the case of a partial outage at one of the locations. It sounds weird, but we do occasionally have situations where site B loses communication with site A but can still talk to site C, and site A and site C are also talking fine.

Although I haven't found anything that specifically talks through the configuration in this scenario, it sounds like phase 1 would still use CARP WAN addresses for the dual-WAN, and the VTI phase 2 would be set up separately per router.

Where I'm not sure of the best route is when it comes to the phase 2s. If I'm understanding this correctly, we should have a separate phase 2 defined for each link, and we can't use anything like a CARP address to do it. Thus, each link will need to be defined between individual routers (not sites). So site A would have two phase 2 VTIs from router 1 going to both router 1 and router 2 at site B, and site A router 2 would also have a separate phase 2 defined to each router at site B. Then we would repeat for the 2nd router at site B.

Is that correct? Is there some better way to configure VTI for HA and multi-WAN? Part of me feels like defining 4 links per pair of sites is too much so I must be thinking about it wrong.
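The topology reasoning in the post can be checked with a small model. The following is an added example, not code from the post or from any firewall vendor: it enumerates the per-router VTI phase 2s the post describes (one tunnel per router pair across each pair of sites), builds an OSPF-style link graph with assumed costs, and runs a shortest-path computation with all tunnels between sites A and B failed, to show that traffic from A to B re-routes through C. The three-site, two-routers-per-site layout, the router names and the link costs are all constructed assumptions for the example.

```python
import heapq
from itertools import combinations, product

# Constructed topology (an assumption for this example, not from the post):
# three sites, each with two HA routers.
SITES = {"A": ["A-r1", "A-r2"], "B": ["B-r1", "B-r2"], "C": ["C-r1", "C-r2"]}
LAN_COST = 1    # assumed OSPF cost of the intra-site link between the two HA routers
VTI_COST = 10   # assumed OSPF cost of one VTI tunnel


def site_of(router):
    """Router names are '<site>-r<n>' in this constructed topology."""
    return router.split("-")[0]


def vti_mesh(sites):
    """One VTI phase 2 per router pair across every pair of sites (the scheme the post describes)."""
    links = []
    for s1, s2 in combinations(sorted(sites), 2):
        for r1, r2 in product(sites[s1], sites[s2]):
            links.append((r1, r2))
    return links


def links_between(links, s1, s2):
    """All VTIs whose two endpoints sit at sites s1 and s2."""
    return frozenset(l for l in links if {site_of(l[0]), site_of(l[1])} == {s1, s2})


def build_graph(sites, links, failed=frozenset()):
    """Undirected adjacency map: intra-site HA links plus every VTI not in `failed`."""
    adj = {}

    def add(a, b, cost):
        adj.setdefault(a, {})[b] = cost
        adj.setdefault(b, {})[a] = cost

    for routers in sites.values():
        for r1, r2 in combinations(routers, 2):
            add(r1, r2, LAN_COST)
    for a, b in links:
        if (a, b) not in failed and (b, a) not in failed:
            add(a, b, VTI_COST)
    return adj


def shortest_path(adj, src, dst):
    """Dijkstra over the link graph; returns (cost, [routers]) or (None, None) if unreachable."""
    dist, prev = {src: 0}, {}
    heap = [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue  # stale heap entry
        if u == dst:
            break
        for v, c in adj.get(u, {}).items():
            if d + c < dist.get(v, float("inf")):
                dist[v] = d + c
                prev[v] = u
                heapq.heappush(heap, (d + c, v))
    if dst not in dist:
        return None, None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return dist[dst], path[::-1]


if __name__ == "__main__":
    links = vti_mesh(SITES)
    print(f"{len(links)} VTIs in total, "
          f"{len(links_between(links, 'A', 'B'))} between sites A and B")
    print("normal:", shortest_path(build_graph(SITES, links), "A-r1", "B-r1"))
    # Site B loses all direct communication with site A (the partial outage from the post).
    down = links_between(links, "A", "B")
    print("A<->B down:", shortest_path(build_graph(SITES, links, failed=down), "A-r1", "B-r1"))
```

With three sites the mesh comes to 12 VTIs, four per site pair, which is the count the post arrives at; with every A-B tunnel failed the A-r1 to B-r1 path goes via a site C router at twice the tunnel cost, which is the behaviour the move to OSPF over VTI is meant to buy.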

