IPSec VPN with Failover WAN
I have two FG61Fs running 7.4.6 with a Dial-Up IPSec VPN between them. I recently added a second WAN connection for failover purposes. I use the link monitor to kill the static route with higher priority when my primary goes down. That works great.
For the VPN, I added a second tunnel bound to the backup WAN interface. Both IPSec interfaces are in a zone, and I use the zone in the policies. I cloned the static route from the original tunnel and changed the interface to the new backup tunnel and gave it a greater priority value than the original.
The screenshot below shows the remote side. This is what I see when on my primary WAN. If I unplug the primary WAN at the home office, the HomeOfficeTMO (backup) tunnel Phase 2 comes up, but I can't pass any traffic over it. If I manually disable the static route for the primary WAN tunnel on the Home Office, it starts to work. I thought that if the primary WAN tunnel was down, that would take the route down.
Do I need to put a monitor on that? Or is there a better approach to this?
Thanks!
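As an added illustration (not from the original post, and not a reply to it), the arrangement the question describes can be written out as FortiOS CLI: a link monitor on the primary WAN that withdraws its static route when the probe fails, and two cloned static routes to the remote LAN, one per tunnel interface, where the backup tunnel's route carries the larger priority value. Interface names (wan1, HomeOffice, HomeOfficeTMO), the probe target, the remote subnet and the route IDs are assumed placeholders, not values from the post.

```fortios
config system link-monitor
    edit "wan1-monitor"
        set srcintf "wan1"
        set protocol ping
        set server "198.51.100.1"
        set update-static-route enable
    next
end
config router static
    edit 10
        set dst 10.20.0.0 255.255.255.0
        set device "HomeOffice"
        set priority 5
        set comment "Remote LAN via primary WAN tunnel (assumed placeholder values)"
    next
    edit 11
        set dst 10.20.0.0 255.255.255.0
        set device "HomeOfficeTMO"
        set priority 20
        set comment "Remote LAN via backup WAN tunnel, higher priority value = less preferred"
    next
end
```

With both routes present and the same distance, FortiOS keeps both in the routing table and uses the lower priority value for forwarding. `get router info routing-table all` shows which of the two tunnel routes is currently selected, which is the quickest way to confirm whether the primary tunnel's route is still active while the backup tunnel's Phase 2 is up.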