I have two FG61Fs running 7.4.6 with a Dial-Up IPSec VPN between them. I recently added a second WAN connection for failover purposes. I use the link monitor to kill the static route with higher priority when my primary goes down. That works great.
For the VPN, I added a second tunnel bound to the backup WAN interface. Both IPSec interfaces are in a zone, and I use the zone in the policies. I cloned the static route from the original tunnel and changed the interface to the new backup tunnel and gave it a greater priority value than the original.
The screenshot below shows the remote side. This is what I see when on my primary WAN. If I unplug the primary WAN at the home office, the HomeOfficeTMO (backup) tunnel Phase 2 comes up - but I can't pass any traffic over it. If I manually disable the Static Route for the primary WAN tunnel on the Home Office, it starts to work. I thought that if the primary WAN tunnel was down that would take the route down.
Do I need to put a monitor on that? Or is there a better approach to this?
Thanks!
Depending on your firmware version and if you have SD-WAN set up, I would use that. Otherwise I would set up zones for the VPN interfaces and OSPF to share routes, detect link failure, and fail over https://speedtest.vet/.
Yup, use SD-WAN.
Yes, using two WAN links for load balancing/redundancy of IPsec with an SD-WAN zone is the better option; you can use a performance SLA with priority/weight.
As per your screen, it may be a firewall policy clone issue. For troubleshooting, use some commands:

diagnose vpn tunnel list name TUNNEL_isp
diagnose sniffer packet any "host ip" etc.
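The SD-WAN approach the replies recommend, written out as an added example (this is not configuration from the thread or from Fortinet documentation). It assumes FortiOS 7.4 CLI syntax, a primary tunnel named "HomeOfficeVPN" (assumed; only the backup tunnel name "HomeOfficeTMO" appears in the post), a remote LAN 10.10.10.0/24 with a reachable host 10.10.10.1 to probe, and an existing address object "HomeOffice_LAN" for that subnet. All of those names and addresses are placeholders to adapt. Both tunnel interfaces must first be removed from the existing interface zone, and from any policy or static route that references them, because FortiOS refuses to add a referenced interface as an SD-WAN member.

```text
# Added example, not from the original thread. Names and addresses are assumed.
config system sdwan
    set status enable
    config zone
        edit "vpn_zone"
        next
    end
    config members
        edit 1
            set interface "HomeOfficeVPN"   # assumed primary tunnel name
            set zone "vpn_zone"
            set priority 1
        next
        edit 2
            set interface "HomeOfficeTMO"   # backup tunnel from the post
            set zone "vpn_zone"
            set priority 2
        next
    end
    # Probe a host behind the remote FortiGate through each tunnel; a tunnel whose
    # Phase 2 is up but cannot pass traffic fails the probe and is removed from use.
    config health-check
        edit "vpn_probe"
            set server "10.10.10.1"        # assumed remote LAN host
            set members 1 2
            set interval 500
            set failtime 5
            set recoverytime 5
            config sla
                edit 1
                    set link-cost-factor latency packet-loss
                    set latency-threshold 250
                    set packet-loss-threshold 10
                next
            end
        next
    end
    # SLA-mode rule: prefer member 1 while it meets the SLA, otherwise member 2.
    config service
        edit 1
            set name "to_home_office"
            set mode sla
            set dst "HomeOffice_LAN"       # assumed address object for 10.10.10.0/24
            config sla
                edit "vpn_probe"
                    set id 1
                next
            end
            set priority-members 1 2
        next
    end
end

# One route for the remote subnet pointing at the zone replaces the two
# per-tunnel static routes, so there is nothing left to disable by hand.
config router static
    edit 0
        set dst 10.10.10.0 255.255.255.0
        set sdwan-zone "vpn_zone"
    next
end
```

After this, firewall policies reference "vpn_zone" as the source or destination interface, the same way the post already uses its interface zone. Failover is then driven by the health check rather than by the tunnel interface state, which is the difference that matters here: in the post the backup tunnel's Phase 2 comes up yet the primary route stays preferred, whereas a failed probe on member 1 moves traffic to member 2 regardless of what the primary tunnel interface reports. Verify with `diagnose sys sdwan health-check` and `diagnose sys sdwan service` on the initiating side.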