Failover IPSec tunnels with Gateway Groups

  • We have 2 locations and at each location we have a cable and backup T1 connection, both with static IPs.

    Gateway groups have been created at both sites, configured as a failover (Tier1, Tier2).

    We then have a tunnel at each location from gateway group to other location 'default gateway'. We have a second tunnel that's supposed to be as a failover from the gateway group to the 'backup gateway'.

    The way it was guessed to be working is that when one site failed over for whatever reason, the tunnel would disconnect and the backup tunnel would connect instead.

    This does work, however when the Tier 1 gateway is back online, the VPN tunnel doesn't disconnect from the backup and connect back to the Tier 1 gateway.

    I don't know if this is being done according to best practices. I've read some things about configuring dynamic DNS for this but was hoping not to go that route unless it's a requirement.

    What would the best way be to configure tunnel(s) for HA or Failover? Is it dynamic DNS, or do we have other options with static IPs?

  • Rebel Alliance Developer Netgate

    You would need one of two things:

    1. Set up a Dynamic DNS hostname using the same failover group as the IPsec local interface. Use a single tunnel with the other side using that Dynamic DNS address for the peer. Do the same on the remote end. This works, but can be slow to respond. Because of how DNS TTLs and timing work, it could be several minutes before the tunnel recovers.

    2. Use VTI mode, keep two tunnels up at all times, and use a dynamic routing protocol to decide which tunnel will have traffic routed across. This fails over much faster, but is a bit more involved to set up.

    Both of those have been discussed in numerous threads here on the forum, search around a bit and you're certain to find enough information to guide you either way.
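    The second option in the reply above (two VTI tunnels always up, with a routing protocol choosing the path), as an added illustration that is not part of the original thread: an FRR OSPF fragment for one site. It assumes the VTI interfaces are named ipsec1000 (over the cable, Tier 1 path) and ipsec2000 (over the T1, Tier 2 path) with the transit subnets, LAN subnet and router-id shown; all of those values are assumptions, and the remote site mirrors the configuration.

    ```text
    ! Assumed names/addresses for illustration:
    !   ipsec1000 = VTI over the cable (Tier 1) path, transit 10.10.10.0/30
    !   ipsec2000 = VTI over the T1 (Tier 2) path,    transit 10.10.20.0/30
    !   192.168.1.0/24 = this site's LAN
    router ospf
     ospf router-id 10.255.0.1
     ! Only speak OSPF across the two tunnels, not on the LAN
     passive-interface default
     no passive-interface ipsec1000
     no passive-interface ipsec2000
     network 10.10.10.0/30 area 0.0.0.0
     network 10.10.20.0/30 area 0.0.0.0
     network 192.168.1.0/24 area 0.0.0.0
    !
    interface ipsec1000
     ! Low cost: preferred path whenever it is up
     ip ospf cost 10
     ! Short timers so a dead tunnel is detected in seconds, not minutes
     ip ospf hello-interval 1
     ip ospf dead-interval 4
    !
    interface ipsec2000
     ! High cost: only used while ipsec1000 has no neighbor
     ip ospf cost 100
     ip ospf hello-interval 1
     ip ospf dead-interval 4
    ```

    Because both tunnels stay established, OSPF moves traffic back to ipsec1000 as soon as hellos resume on it, which is the failback the original post found missing.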
