gzarini
New Member
November 11, 2015
Question

IPsec VPN for MPLS failover.


Hi, I have a little issue setting up my network.

I have an MPLS network provided by an ISP. This network has an HQ and 3 branches.

In the short term we're going to move our app servers to a DC, but keep AD/DNS/file server in HQ.

I need to create an IPsec tunnel between the branches and HQ to forward traffic in case the MPLS fails.

I need to route 3 networks between each branch and HQ; here is where I have my doubts.

Since I can only use static routes, I have a problem with how to handle traffic when the MPLS is down.

I thought about setting up a DGD on the branches to check connectivity through the MPLS and send traffic over the VPN in case the MPLS fails.

I understand that what the FG does when a DGD failure is detected is stop sending traffic through that interface. On the HQ, how can I set up a DGD or any kind of detection to check that the other side is unreachable?

I don't think I can use a DGD on HQ because I need to check that three branches are down, but only one may be inaccessible.

I could really use some help.

 

Regards.

    1 reply

    gschmitt
    New Member
    November 16, 2015

    Uhm, I don't see the problem.

     

    Make sure the Advanced Routing feature is enabled.

    Add two static routes:

    Destination IP/mask: the remote subnet
    Device: MPLS connection / IPsec tunnel
    Gateway: needed for the MPLS connection; the IPsec tunnel doesn't need one
    Distance: MPLS 10 / IPsec 11

    Go to Router > Static > Settings and create two Link Health Monitors:

    Name: irrelevant
    Interface: MPLS / IPsec
    Gateway: MPLS as needed / IPsec 0.0.0.0
    Health check: ping
    Server: MPLS gateway (or FGT interface)

    Check "Update Routing Table when Gateway Detection Status Changes".
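Added example, not from the original thread and not Fortinet's own documentation: the branch-side configuration the reply above describes, written out in FortiOS CLI form. Interface names (port2, to_HQ), the MPLS next hop 172.16.1.1 and the three HQ subnets are assumed for illustration; the distances 10/11 and the ping health check are the ones suggested in the reply. The `#` lines are annotations for the reader, not CLI syntax.

```text
# Assumed topology (illustration only):
#   port2 = branch interface facing the MPLS, ISP next hop 172.16.1.1
#   to_HQ = IPsec phase1 interface that terminates at HQ
#   10.1.0.0/24, 10.1.1.0/24, 10.1.2.0/24 = the three HQ networks
config router static
    edit 1
        set dst 10.1.0.0 255.255.255.0
        set gateway 172.16.1.1
        set device "port2"
        set distance 10                  # preferred path: MPLS
    next
    edit 2
        set dst 10.1.0.0 255.255.255.0
        set device "to_HQ"               # tunnel interface, no gateway needed
        set distance 11                  # backup: used only while edit 1 is withdrawn
    next
    edit 3
        set dst 10.1.1.0 255.255.255.0
        set gateway 172.16.1.1
        set device "port2"
        set distance 10
    next
    edit 4
        set dst 10.1.1.0 255.255.255.0
        set device "to_HQ"
        set distance 11
    next
    edit 5
        set dst 10.1.2.0 255.255.255.0
        set gateway 172.16.1.1
        set device "port2"
        set distance 10
    next
    edit 6
        set dst 10.1.2.0 255.255.255.0
        set device "to_HQ"
        set distance 11
    next
end

config system link-monitor
    edit "mon-mpls"
        set srcintf "port2"
        set server "172.16.1.1"          # ping target; an HQ-side address catches faults inside the MPLS cloud too
        set gateway-ip 172.16.1.1
        set protocol ping
        set interval 5                   # seconds between probes
        set failtime 5                   # consecutive failures before the link is declared dead
        set recoverytime 5               # consecutive successes before it is declared up again
        set update-static-route enable   # withdraw the port2 routes on failure, restore them on recovery
    next
end
```

When the monitor declares the link dead, the distance-10 routes via port2 are removed from the routing table and the distance-11 routes through to_HQ take over; when the probes succeed again the MPLS routes are reinstalled. Verify with `diagnose sys link-monitor status` and `get router info routing-table all`, first normally and then with the MPLS next hop unreachable. The caveat a practitioner should keep in mind is that the monitor acts on every static route that uses that interface and gateway: at a site with a single MPLS interface to several remote sites, one failed probe fails over all of them at once rather than only the site that has actually become unreachable.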

     

    gzarini
    gzariniAuthor
    New Member
    November 16, 2015

    Hi, thanks for the reply.

    I can't do that since I only have one interface connecting to the MPLS.

    If I do that, when one site is down the rest will automatically lose connection.

    In the branches that's what I did, but in HQ I believe the updates have to be manual. This problem would be solved by implementing a routing protocol, which I can't do since my ISP won't do it.

     

    Regards.