I have a remote office that I have connected via IPSec and would like to add a redundant link to it via my second internet connection.
My network has 2 routers in two separate locations with different ISPs. They are on the same local subnet.
I want to be able to set up an IPSec tunnel from router1 to remote office and use it as primary. I also want to set up a tunnel from router2 to remote office and use it for failover. In the event that one internet connection or router goes down, I want it to use the other tunnel.
Any tips on how to do this? I’ve done it using EoIP and end-to-end IPSec with a bridge, however I don’t want to bridge the traffic this time around as the remote office is a different subnet.
Still use eoip and ipsec. Let’s assume the following:
Site 1 public IP 1.1.1.1
Site 1 public IP 2.2.2.2
Site 1 private subnet 192.168.1.0/24
Site 2 public IP 9.9.9.9
Site 2 private subnet 192.168.254.0/24
Create your IPsec and EoIP tunnels as usual, but be sure to include the source address as well. Assign these tunnels IPs in two different subnets, such as 10.0.0.0/30 and 10.0.0.4/30 in this example.
At this point you should be able to ping back and forth on those eoip tunnels from the router.
From here you can go two different ways. You can either assign routes with different distances and check the gateway with a ping to the EoIP tunnel, or you can do bonding. I prefer bonding.
Now to bonding: create a bond with the type of failover, select your primary interface, select ARP for link monitoring and then enter the IPs of the remote EoIP tunnels. This will monitor the links for you and fail over very quickly.
Assign the bond interface on each end an IP in the subnet 10.10.10.0/30. You should now be able to ping back and forth on this IP from the router.
On site 1, create a route that has 192.168.254.0/24 available via 10.10.10.2.
On site 2, create a route that has 192.168.1.0/24 available via 10.10.10.1.
Now you should be able to ping the other router address from your pc.
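The recipe above written out as RouterOS console commands. This is an added example, not configuration from the answer's author; it uses the answer's addresses and assumes its layout (both site-1 tunnel endpoints on one router that holds both public IPs, with 10.0.0.1 and 10.0.0.5 as the site-1 tunnel ends). Interface names, tunnel IDs and the IPsec secrets are placeholders, and `ipsec-secret` on the EoIP interface is used as the "as usual" way of getting RouterOS to create the IPsec peer and policy for each tunnel; a manually built IPsec peer/policy works the same way.

```routeros
# ---- Site 2 (remote) router, WAN 9.9.9.9 ----

# Two EoIP tunnels, one per site-1 public IP. local-address pins the
# source address of the outer packets (the "include source address" step).
# ipsec-secret makes RouterOS encrypt the tunnel with IPsec automatically.
/interface eoip
add name=eoip-via-r1 local-address=9.9.9.9 remote-address=1.1.1.1 tunnel-id=11 ipsec-secret=CHANGE-ME-R1
add name=eoip-via-r2 local-address=9.9.9.9 remote-address=2.2.2.2 tunnel-id=12 ipsec-secret=CHANGE-ME-R2

# Tunnel addresses in two separate /30s; site 1 holds .1 and .5.
/ip address
add address=10.0.0.2/30 interface=eoip-via-r1
add address=10.0.0.6/30 interface=eoip-via-r2

# Active-backup bond over the two tunnels. ARP link monitoring probes the
# far end of each tunnel; when the primary's target stops answering, the
# bond moves traffic to the other slave.
/interface bonding
add name=bond-site1 mode=active-backup slaves=eoip-via-r1,eoip-via-r2 primary=eoip-via-r1 link-monitoring=arp arp-ip-targets=10.0.0.1,10.0.0.5 arp-interval=100ms

# Bond address and the route to the corporate LAN via the bond.
/ip address
add address=10.10.10.2/30 interface=bond-site1
/ip route
add dst-address=192.168.1.0/24 gateway=10.10.10.1

# ---- Site 1 router (answer's layout: one router, WAN 1.1.1.1 and 2.2.2.2) ----
# Mirror image of the above: same tunnel IDs and secrets, swapped addresses.
/interface eoip
add name=eoip-wan1 local-address=1.1.1.1 remote-address=9.9.9.9 tunnel-id=11 ipsec-secret=CHANGE-ME-R1
add name=eoip-wan2 local-address=2.2.2.2 remote-address=9.9.9.9 tunnel-id=12 ipsec-secret=CHANGE-ME-R2
/ip address
add address=10.0.0.1/30 interface=eoip-wan1
add address=10.0.0.5/30 interface=eoip-wan2
/interface bonding
add name=bond-site2 mode=active-backup slaves=eoip-wan1,eoip-wan2 primary=eoip-wan1 link-monitoring=arp arp-ip-targets=10.0.0.2,10.0.0.6 arp-interval=100ms
/ip address
add address=10.10.10.1/30 interface=bond-site2
/ip route
add dst-address=192.168.254.0/24 gateway=10.10.10.2

# ---- Alternative to bonding (the answer's other option) ----
# Skip the bond and instead install two routes with different distances,
# each pinging its own tunnel far end; the distance=1 route drops out of the
# table while the ping fails and the distance=2 route takes over.
# Shown for the site-2 side; site 1 uses 10.0.0.2 / 10.0.0.6 and 192.168.254.0/24.
# /ip route
# add dst-address=192.168.1.0/24 gateway=10.0.0.1 distance=1 check-gateway=ping
# add dst-address=192.168.1.0/24 gateway=10.0.0.5 distance=2 check-gateway=ping
```

Check it the way the answer does: `/ping 10.0.0.1` and `/ping 10.0.0.5` from site 2 should succeed on each tunnel, `/ping 10.10.10.1` should succeed over the bond, and `/interface bonding monitor bond-site1` shows which slave is active; pulling one WAN should move the active slave within a few ARP intervals.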
Interesting solution, however I was looking for something with pure IPSec site-to-site tunneling. Additionally, does your solution take into consideration that "Site1" has two public IPs and two routers in two geographically separate regions? The network is linked together at L2 via point-to-point wireless. "Site2" is a remote site only accessible over the WAN. I don't think bonding would work here, as my tunnels would reside on 3 different physical routers.
My previous solution was Layer 2 with RSTP and IPsec, however since the remote LAN is now a different subnet, L2 isn’t needed nor ideal. Sounds like I might be able to do something with routing, however. Could I create my tunnels and then create static routes to the IPSec endpoints, adjusting my distances as needed to make one route priority?
Assuming:
Corporate LAN 192.168.1.0/24
Remote LAN 192.168.2.0/24
Corporate Router1 WAN 1.1.1.1
Corporate Router2 WAN 2.2.2.2
Remote Router WAN 3.3.3.3
Establish the IPSec tunnels normally, then create static routes. On Router1, 192.168.2.0/24 available via gateway 3.3.3.3 distance=1. On Router2, 192.168.2.0/24 available via gateway 3.3.3.3 distance=1. On Router3 (remote), 192.168.1.0/24 available via 1.1.1.1 distance=1 and 192.168.1.0/24 available via 2.2.2.2 distance=2. I could add those routes on Router1 and Router2 to RIP to handle distribution and failover internally (or alternatively, add a distance=2 route for the remote LAN using the other router's LAN IP).