Is it possible to run two VPN tunnels from one source address to another site with multiple WANs?
That question is a bit long, so let me break it down in detail.
I have two sites. HQ and Branch. HQ has two WAN connections for link balancing and redundancy. Call these WAN Primary and WAN Secondary. Branch has a single WAN connection.
In terms of configuring a site to site VPN link, is it possible to have HQ WAN Primary <----> Branch WAN and HQ WAN Secondary <----> Branch WAN tunnels running simultaneously? If so, what pitfalls or configuration issues should I be aware of to avoid?
Out of curiosity, how does the routing table decide which tunnel to use when moving traffic from Branch to HQ?
dotdash:
The easy answer is no. It is possible, but IMHO, the complexity will outweigh the benefits. If you wanted to do this, you would have to use IPsec in VTI mode, then run a routing process on each end. If you want to dig in deeper, look up the recorded Hangout where jimp goes over VTI. It's a great starting point.
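To make the routing side of that answer concrete, here is an added example (not code from the thread or from pfSense) that simulates how a route table on the Branch side picks between two VTI tunnels: longest-prefix match first, then lowest metric, with equal-cost routes hashed per flow. The interface names, the 10.1.0.0/16 HQ LAN and the metrics are constructed for the illustration; withdrawing an interface's routes stands in for dead-peer detection or a routing protocol declaring the tunnel down.

```python
import hashlib
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    metric: int


# Constructed sample: Branch's table with one VTI route per HQ WAN.
# The primary tunnel carries a better (lower) metric, so it wins while it is up.
HQ_LAN = ipaddress.ip_network("10.1.0.0/16")


def branch_table(ecmp=False):
    secondary_metric = 10 if ecmp else 20
    return [
        Route(ipaddress.ip_network("0.0.0.0/0"), "wan0", 1),
        Route(HQ_LAN, "vti_primary", 10),
        Route(HQ_LAN, "vti_secondary", secondary_metric),
    ]


def select_route(table, dst, flow=None):
    """Longest-prefix match, then lowest metric; ties are split per flow (ECMP)."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in table if dst in r.prefix]
    if not candidates:
        return None
    best_len = max(r.prefix.prefixlen for r in candidates)
    candidates = [r for r in candidates if r.prefix.prefixlen == best_len]
    best_metric = min(r.metric for r in candidates)
    candidates = sorted(
        (r for r in candidates if r.metric == best_metric), key=lambda r: r.iface
    )
    if len(candidates) == 1 or flow is None:
        return candidates[0]
    # Equal-cost paths: hash the flow tuple so one connection sticks to one tunnel.
    digest = hashlib.sha256(repr(flow).encode()).hexdigest()
    return candidates[int(digest, 16) % len(candidates)]


def withdraw_interface(table, iface):
    """Model DPD/BFD or a routing daemon declaring a tunnel dead: its routes go away."""
    return [r for r in table if r.iface != iface]


if __name__ == "__main__":
    table = branch_table()
    print("HQ host via:", select_route(table, "10.1.5.5").iface)
    table = withdraw_interface(table, "vti_primary")
    print("after primary failure via:", select_route(table, "10.1.5.5").iface)
```

The point the simulation makes is that the tunnel choice is entirely a routing decision once VTI is in play: nothing in IPsec itself fails over, the route for the dead interface simply has to disappear (or lose the metric comparison) so the remaining VTI route takes over.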
I'll take a look at that video then. I suspect that's going to involve using a routed intermediary network composed of virtual IPs. I've done similar things with other routing products before with great success, though it's not my first choice either.
Let me punt back to the bigger picture. I am trying to accomplish something specific, and there might be other/easier ways to do it.
Basically I'm looking for VPN tunnel resilience. HQ has WAN redundancy in that if one WAN link is down, the other takes over. What I'd like to accomplish is for my VPN tunnel to re-establish itself over the backup WAN if and when that situation comes up. I'm aware this might get iffy with my tunnels as currently configured, since they don't reauth ever, they just rekey, and I'd assume a reauth would be needed in this scenario, but I can deal with that later.
In any case, I don't actually need two tunnels running at once. One tunnel is fine if I can get it to hop to another WAN without intervention.