FortiGate
sferreira, Staff
Article Id 195177

Description


This article describes how to provide redundancy when there is more than one VPN to the same remote destination: give the static route through the primary VPN a more preferred (lower) Administrative Distance than the static route through the backup VPN.

Solution


Routing to subnet 192.168.1.0/24 is available through "VPN1" and "VPN2". "VPN1" has the lower (more preferred) Administrative Distance (10 versus 11), so the route through "VPN2" is inactive. If "VPN1" fails, its route disappears from the Active Routing Table and the route through "VPN2" comes up.

Two VPNs with the same Remote Destination IP (10.9.9.1):


config vpn ipsec phase1-interface
    edit "VPN1"
        set interface <wan_interface>
        set keylife 28800
        set peertype any
        set proposal aes128-sha1
        set dpd on-idle
        set comments ""
        set dhgrp 2
        set remote-gw 10.9.9.1
        set psksecret ENC
        set dpd-retryinterval 5
    next
    edit "VPN2"
        set interface <wan_interface>
        set keylife 28800
        set peertype any
        set proposal aes128-sha1
        set dpd on-idle
        set comments ""
        set dhgrp 2
        set remote-gw 10.9.9.1
        set psksecret ENC
        set dpd-retryinterval 5
    next
end


config router static
    edit <id>
        set dst 192.168.1.0 255.255.255.0
        set device "VPN1"
        set distance 10
    next
    edit <id>
        set dst 192.168.1.0 255.255.255.0
        set device "VPN2"
        set distance 11
    next
end
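To show how the routing table chooses between these two routes, here is an added Python example (not Fortinet's code nor part of the original article) that parses a `config router static` block in the format shown above and applies the selection rule: only routes whose tunnel interface is up are candidates, and the lowest Administrative Distance wins. The numeric sequence numbers and the tunnel up/down states are constructed sample values.

```python
"""Parse FortiOS 'config router static' entries and pick the active route."""
import re
from dataclasses import dataclass

# Constructed sample: the two static routes from the article, with
# sequence numbers 1 and 2 standing in for the <id> placeholders.
SAMPLE_CONFIG = """
config router static
    edit 1
        set dst 192.168.1.0 255.255.255.0
        set device "VPN1"
        set distance 10
    next
    edit 2
        set dst 192.168.1.0 255.255.255.0
        set device "VPN2"
        set distance 11
    next
end
"""

@dataclass
class StaticRoute:
    seq: int
    dst: str        # CIDR notation, e.g. "192.168.1.0/24"
    device: str     # tunnel interface name
    distance: int = 10  # FortiOS default distance for a static route

def parse_static_routes(text):
    routes, current = [], None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"edit (\d+)$", line)
        if m:
            current = {"seq": int(m.group(1)), "distance": 10}
        elif line == "next" and current is not None:
            routes.append(StaticRoute(**current))
            current = None
        elif current is not None and line.startswith("set "):
            key, _, val = line[4:].partition(" ")
            if key == "dst":
                net, mask = val.split()
                prefix = sum(bin(int(o)).count("1") for o in mask.split("."))
                current["dst"] = f"{net}/{prefix}"
            elif key == "device":
                current["device"] = val.strip('"')
            elif key == "distance":
                current["distance"] = int(val)
    return routes

def active_route(routes, dst, tunnel_up):
    """Mimic the RIB: a route is eligible only while its interface is up;
    among eligible routes to the same prefix the lowest distance is installed."""
    eligible = [r for r in routes if r.dst == dst and tunnel_up.get(r.device, False)]
    return min(eligible, key=lambda r: r.distance, default=None)
```

When VPN1's DPD marks the tunnel down, the VPN1 entry drops out of the eligible set and VPN2 is installed; with both tunnels down no route remains.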


Reference: Redundant route-based VPN configuration example

Note: FortiOS versions 5.0 up to 6.4 are out of engineering support, so these commands might differ on newer versions. Consider upgrading the firmware on the device to a supported version (7.0 up to 7.6). Check the firmware upgrade path and hardware compatibility with the Upgrade tool.
