Hi,
We have this test scenario:
At HQ we have a Juniper SRX with one ISP; at the branch office we have a Mikrotik with two ISPs (both with dynamic IPs).
I configured ISP failover on the Mikrotik - OK.
I created an IPsec VPN in aggressive mode with DPD and it is working - OK.
(the source address in the peer config is empty and I use a user FQDN as the identity)
If there is no outgoing communication from the office to HQ when ISP1 fails over to ISP2, IPsec is successfully established over ISP2 - OK.
If there is no outgoing communication from the office to HQ when ISP2 fails over to ISP1, IPsec is again successfully established over ISP1 - OK.
The only problem is when there is some communication (pinging a server at HQ, opening a webpage on the intranet, ...) at the moment of failover.
DPD closes the IPsec VPN correctly (the active peer disappears), but then a new active peer appears with a bad source address - it is the IP of the non-working ISP instead of the working one.
I think it is due to the existing communication and maybe some cache (?) which remembers that this communication should go through IPsec and through the peer with the bad source address.
Is it somehow possible to solve this situation so that the correct active peer is created even if there is some communication through IPsec?
We want to keep the config as simple as possible, and this setup is ideal for us except for this problem.
I tried changing the tracking settings and the IPsec settings but I wasn't successful.
Thanks in advance for any ideas.
Jakub
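For readers who want to reproduce the branch-side setup the post describes (aggressive mode, DPD, user-FQDN identity, no fixed local/source address), the following is an added RouterOS configuration sketch, not the poster's actual export. It assumes RouterOS v6.43+ command syntax (separate profile/peer/identity objects); the hostname hq.example.com, the subnets, the identity branch@example.com and the pre-shared key are placeholders to replace. The point to notice is the absent `local-address` on the peer: the router then picks the IPsec source address from whatever default route is active at the moment the SA is negotiated, which is exactly the property the post relies on and the one that goes wrong mid-failover.

```routeros
# Added example (not the original poster's config). RouterOS v6.43+ syntax assumed.
# Phase 1 settings including Dead Peer Detection: 3 missed probes at 10s intervals
# tears the SA down, which is what makes the "active peer disappears" step happen.
/ip ipsec profile
add name=hq-profile dpd-interval=10s dpd-maximum-failures=3 \
    enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048

# Peer entry for HQ. NOTE: no local-address here on purpose, so the source
# address is chosen from the routing table at negotiation time (dynamic WAN IPs).
/ip ipsec peer
add name=hq address=hq.example.com exchange-mode=aggressive \
    profile=hq-profile send-initial-contact=yes

# Aggressive mode with a user-FQDN identity; the SRX matches on this ID, not on IP.
/ip ipsec identity
add peer=hq auth-method=pre-shared-key secret=CHANGE-ME \
    my-id=user-fqdn:branch@example.com generate-policy=no

# Phase 2 proposal and the policy that selects branch -> HQ traffic for the tunnel.
/ip ipsec proposal
add name=hq-proposal enc-algorithms=aes-256-cbc auth-algorithms=sha256 pfs-group=modp2048
/ip ipsec policy
add src-address=192.168.10.0/24 dst-address=10.0.0.0/24 tunnel=yes \
    peer=hq proposal=hq-proposal
```

After a failover, `/ip ipsec active-peers print` shows the local address the SA was re-established with; comparing it against the address on the currently active WAN interface is the quickest way to confirm the symptom the post describes (an SA rebuilt from the dead ISP's address) before changing anything else.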