Asekypl
New Contributor

Fully redundancy multi IPSEC tunnels

I would like to ask you for a hint regarding the scheme that I am sending below.

 

ipsec.jpg

 

Is it possible to achieve full redundancy of IPSec tunnels, not only in the classic site-to-site layout (WAN1 Site A to WAN1 Site B, and WAN2 Site A to WAN2 Site B), but also in the cross-link variant, if failures occur on alternating links at the same time, for example with WAN1 Site A to WAN2 Site B and vice versa? In my opinion, the scheme shows that 8 IPSec site tunnels are needed, but how do I set it up so that, regardless of which WAN connection fails, there is always traffic between Site A and Site B? Should it maybe use OSPF routing, SD-WAN, or Link monitor?

 

Best regards,

DPadula
Staff

Hi Asekypl,

 

You need to use network-id for the tunnels (check article). You will have 4 IPSec tunnels per firewall, assuming you will have a scenario similar to the network diagram above.

You can use a loopback address to set up OSPF between both sites and have 4 routes in the routing table, each route using one of the IPSec tunnels to reach the other side. I hope I could clarify your questions.

 

Regards
DPadula 
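
The failure cases discussed in this thread can be checked by enumeration. The following is an added example, not part of the original post or reply: it compares a parallel-only design (WAN1 to WAN1, WAN2 to WAN2) with the four-tunnel full mesh and lists the WAN failure combinations that cut the sites off even though each site still has a working uplink. The link names and the network-id numbering are assumptions made for illustration.

```python
from itertools import product

# Constructed link names for the two-WAN-per-site layout (assumption).
SITE_A = ("A-wan1", "A-wan2")
SITE_B = ("B-wan1", "B-wan2")

# Parallel-only design: same-numbered WANs are paired.
PARALLEL = [("A-wan1", "B-wan1"), ("A-wan2", "B-wan2")]
# Full mesh: every Site A WAN paired with every Site B WAN (4 tunnels).
FULL_MESH = list(product(SITE_A, SITE_B))


def assign_network_ids(tunnels):
    """Give each tunnel a distinct network-id (numbering from 1 is an assumption)."""
    return {pair: i for i, pair in enumerate(tunnels, start=1)}


def surviving(tunnels, down):
    """Tunnels whose two WAN endpoints are both still up."""
    return [t for t in tunnels if t[0] not in down and t[1] not in down]


def outages(tunnels):
    """Failure sets that leave each site a working WAN but no tunnel up."""
    links = SITE_A + SITE_B
    found = []
    for states in product((True, False), repeat=len(links)):
        down = {link for link, up in zip(links, states) if not up}
        a_ok = any(link not in down for link in SITE_A)
        b_ok = any(link not in down for link in SITE_B)
        if a_ok and b_ok and not surviving(tunnels, down):
            found.append(frozenset(down))
    return found


if __name__ == "__main__":
    for pair, nid in assign_network_ids(FULL_MESH).items():
        print(f"network-id {nid}: {pair[0]} <-> {pair[1]}")
    print("parallel-only outages:", [sorted(d) for d in outages(PARALLEL)])
    print("full-mesh outages:    ", [sorted(d) for d in outages(FULL_MESH)])
```

The parallel-only design fails exactly in the two cross-failure cases, while the full mesh keeps one tunnel up in each of them, which is the tunnel a routing protocol such as OSPF would then select.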
