I know how to make IPsec with policies etc in order to connect two networks. For this topic I could not find anything like a how-to to setup dual WAN with ipsec and fail over. Load balancing would also be nice-to-have but must not be.
Anyway the main problem is: there are two networks. They both need to be reliably connected. Both networks have their own main link and a backup link. I would like to make a secure connection (thus using IPsec) between them which should be robust for WAN fails and automatically switch over.
Can anybody point me to a howto or tell me how to set it up right way?
I don’t know whether it is the “right” way, but I would suggest to:
set up two IPsec tunnels, one between WAN1s of both edge routers and another one between WAN2s
depending on whether you have public addresses on all four WAN interfaces and full protocol transparency on them, you may have to use IPsec tunnel mode (to handle NAT or protocol filtering)
even if using tunnel mode, your IPsec policy would only match ip-encap or gre tunnelling protocol, allowing to interconnect virtual interfaces on the two routers
the failover or load distributing routing between the private LANs would then use the virtual interfaces using the same techniques which are normally used on WAN interfaces
Like most redundancy schemes, this one can also only handle a single failure (one of the WANs on either end), but may fail if one of the WANs fails at both ends, so you may want to make a full mesh between the WANs.
Both interfaces have public addresses, so there is nothing special to consider.
As far as I understand, I should set up IPsec on both WANs and then use GRE to tunnel the connections. So that means I make the IPsec policies for the tunnel.
Failover would be then done by the routings set for all connections with different costs.
Yes, you make the IPsec policies handle only the GRE packets, and all the rest will be done using the traditional routing of your LAN ranges via the interfaces terminating the GRE tunnels.
As you speak about costs, I assume you have some dynamic routing protocol (like OSPF) in mind. If not and you are going to use static routing for failover or load distribution, it may not be enough to have just different route distances if the GRE eventually does not shut its virtual interface down when it loses connection with the remote end. If this is the case, look here for the howto on script-less failover with monitoring of a reference IP on the remote end of a tunnel. You can also use any of the load balancing methods (ecmp, nth) along with recursive route monitoring.
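The design described in the two replies above (one IPsec association per WAN pair, policies matching only GRE, routing over the GRE interfaces with static distances and gateway monitoring), written out as an added configuration example that is not from this thread. It assumes MikroTik RouterOS 6.45 or later syntax, which the terminology in the thread (script-less failover, ecmp/nth, recursive route monitoring) suggests; all addresses are constructed from documentation ranges, the profile, proposal, peer and interface names are arbitrary, and the pre-shared keys are placeholders. Only site A is shown; site B mirrors it with the address pairs swapped.

```routeros
# Site A edge router (MikroTik RouterOS 6.45+ / 7 syntax, assumed).
# Constructed addresses (documentation ranges):
#   Site A: WAN1 198.51.100.1, WAN2 198.51.100.65, LAN 192.168.1.0/24
#   Site B: WAN1 203.0.113.2,  WAN2 203.0.113.66,  LAN 192.168.2.0/24
#   GRE inner /30s: gre-wan1 10.0.1.1 <-> 10.0.1.2, gre-wan2 10.0.2.1 <-> 10.0.2.2

# --- IKEv2/IPsec in transport mode, one peer per WAN pair ---
/ip ipsec profile add name=gre-prof hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048
/ip ipsec proposal add name=gre-prop auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048
/ip ipsec peer add name=peer-wan1 address=203.0.113.2/32 local-address=198.51.100.1 exchange-mode=ike2 profile=gre-prof
/ip ipsec peer add name=peer-wan2 address=203.0.113.66/32 local-address=198.51.100.65 exchange-mode=ike2 profile=gre-prof
/ip ipsec identity add peer=peer-wan1 auth-method=pre-shared-key secret="REPLACE-WITH-STRONG-PSK-1"
/ip ipsec identity add peer=peer-wan2 auth-method=pre-shared-key secret="REPLACE-WITH-STRONG-PSK-2"

# Policies match only GRE between the two public endpoints (the "ip-encap or gre" point above).
# level=require means GRE is dropped, not sent in clear, while no SA exists.
/ip ipsec policy add peer=peer-wan1 tunnel=no src-address=198.51.100.1/32 dst-address=203.0.113.2/32 protocol=gre action=encrypt level=require proposal=gre-prop
/ip ipsec policy add peer=peer-wan2 tunnel=no src-address=198.51.100.65/32 dst-address=203.0.113.66/32 protocol=gre action=encrypt level=require proposal=gre-prop

# --- GRE virtual interfaces; keepalive takes the interface down when the far end stops answering ---
/interface gre add name=gre-wan1 local-address=198.51.100.1 remote-address=203.0.113.2 keepalive=10s,3
/interface gre add name=gre-wan2 local-address=198.51.100.65 remote-address=203.0.113.66 keepalive=10s,3
/ip address add address=10.0.1.1/30 interface=gre-wan1
/ip address add address=10.0.2.1/30 interface=gre-wan2

# --- Static failover between the LANs: primary via gre-wan1, backup via gre-wan2 ---
# check-gateway=ping probes the remote tunnel address through the tunnel itself, so the
# route is deactivated even if GRE were to leave the interface "running" after a WAN loss.
/ip route add dst-address=192.168.2.0/24 gateway=10.0.1.2 distance=1 check-gateway=ping comment="site B via WAN1"
/ip route add dst-address=192.168.2.0/24 gateway=10.0.2.2 distance=2 check-gateway=ping comment="site B via WAN2"
# For ECMP load distribution instead of failover, use one route with both gateways:
#   /ip route add dst-address=192.168.2.0/24 gateway=10.0.1.2,10.0.2.2 check-gateway=ping

# --- Input filter: IKE/ESP only from the known peers, GRE only if it arrived inside IPsec ---
/ip firewall address-list add list=ipsec-peers address=203.0.113.2
/ip firewall address-list add list=ipsec-peers address=203.0.113.66
/ip firewall filter add chain=input src-address-list=ipsec-peers protocol=udp dst-port=500,4500 action=accept comment="IKE"
/ip firewall filter add chain=input src-address-list=ipsec-peers protocol=ipsec-esp action=accept comment="ESP"
/ip firewall filter add chain=input protocol=gre ipsec-policy=in,ipsec action=accept comment="GRE only after IPsec decryption"
/ip firewall filter add chain=input protocol=gre action=drop comment="plaintext GRE from anywhere"
```

The two WAN pairs are independent: losing WAN1 on either side brings gre-wan1 down (keepalive) and fails the ping check, so the distance-2 route over gre-wan2 takes over without any script. As the reply notes, this still cannot survive WAN1 failing at one site together with WAN2 failing at the other; covering that case means adding the two cross pairs (WAN1 to WAN2) as further peers, policies and GRE interfaces in the same pattern. The last two filter rules are the check worth keeping: GRE that did not come out of an IPsec SA is dropped, so a missing or broken policy cannot silently turn the tunnel into a plaintext one.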