Redundant VPN options

Hello

I have two sites (Site A and Site B), both have dual 100Mbps connections. We would like to create a redundant VPN between the sites in an active/standby type arrangement, i.e. use the primary connection unless it's unavailable. I'm looking for recommendations as to what protocol to use, i.e. IPsec, OVPN, GRE? In addition, if you're aware of any guides, that would also be appreciated.

The ideal scenario would be this
[image: ideal.png]
However, this could also work
[image: planb.png]
Thank you in advance

I have a config like that and I use GRE/IPsec and GRE6/IPsec tunnels with autorouting using BGP. OSPF would work too.
It is easy to set up on MikroTik: just create the GRE tunnels and enable the IPsec checkmark + put a key, then
put /30 addresses on the tunnels (the lowest addresses will have preference) and add BGP peers for each tunnel.
Add the networks you have at each site to BGP networks and it all works. When you want quick failover, check BFD
on the BGP peers.
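The setup pe1chl describes, written out as RouterOS v6 CLI for the Site A router. This is an added example, not a configuration from the thread: the documentation addresses, WAN gateway IPs, interface names, AS numbers and the LAN prefixes are all assumptions for illustration, and Site B is configured as the mirror image (10.255.0.2/30 and 10.255.0.6/30 on its tunnel ends, AS 65002, its own LAN in BGP networks).

```routeros
# Site A. Assumed addresses (RFC 5737 documentation ranges):
#   A WAN1 198.51.100.10 (gateway 198.51.100.1)   A WAN2 203.0.113.10 (gateway 203.0.113.1)
#   B WAN1 192.0.2.10                              B WAN2 192.0.2.20
#   LAN A 192.168.1.0/24, AS 65001                 LAN B 192.168.2.0/24, AS 65002

# Pin each tunnel's outer packets to its own WAN, otherwise both GRE tunnels
# would leave through whichever default route is active and "redundancy" would be on paper only
/ip route add dst-address=192.0.2.10/32 gateway=198.51.100.1 comment="tunnel 1 endpoint via WAN1"
/ip route add dst-address=192.0.2.20/32 gateway=203.0.113.1 comment="tunnel 2 endpoint via WAN2"

# GRE with the built-in IPsec checkmark: ipsec-secret makes RouterOS generate the IKE peer,
# proposal and policy for the tunnel. Use a long random secret per tunnel, not a word.
/interface gre add name=gre-wan1 local-address=198.51.100.10 remote-address=192.0.2.10 ipsec-secret="<long-random-secret-1>"
/interface gre add name=gre-wan2 local-address=203.0.113.10 remote-address=192.0.2.20 ipsec-secret="<long-random-secret-2>"

# A /30 on each tunnel; the primary tunnel gets the lower addresses so it wins BGP's tie-break,
# which is what makes this active/standby rather than load-shared
/ip address add address=10.255.0.1/30 interface=gre-wan1
/ip address add address=10.255.0.5/30 interface=gre-wan2

# eBGP over both tunnels; BFD on the tunnel interfaces turns a dead link into a
# withdrawn route in about a second instead of waiting for the BGP hold timer
/routing bgp instance set default as=65001 router-id=10.255.0.1
/routing bfd interface add interface=gre-wan1 interval=200ms min-rx=200ms multiplier=5
/routing bfd interface add interface=gre-wan2 interval=200ms min-rx=200ms multiplier=5
/routing bgp peer add name=siteB-wan1 remote-address=10.255.0.2 remote-as=65002 use-bfd=yes
/routing bgp peer add name=siteB-wan2 remote-address=10.255.0.6 remote-as=65002 use-bfd=yes
/routing bgp network add network=192.168.1.0/24

# Checks: both peers should show "established", the remote LAN should be learned via
# both tunnels with the gre-wan1 path active, and IPsec should list one SA pair per tunnel
/routing bgp peer print
/ip route print where dst-address=192.168.2.0/24
/ip ipsec installed-sa print
```

To test failover, disable the WAN1 port on one side and watch `/ip route print`: the 192.168.2.0/24 route should flip to the gre-wan2 next hop within the BFD detection time (multiplier x interval, 1 s with the values above) and flip back when WAN1 returns.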

Thanks pe1chl

I've tested a single GRE over IPsec with OSPF. Seems to do the job, however very slow: CPU maxes out at 20-30Mbps with the board I was using. Tested with different encryption types and AES-128 delivered the best result.

How would I deal with gateways in the below scenario? Would setting the backup link to have a higher distance be enough?

What type of router do you use? 20-30 Mbps is typical for older routers like RB2011 and RB750
Newer types like RB750Gr3 RB3011 and CCR1009 can easily saturate your 100 Mbps link.
When you really want to use an old router, you can use AH instead of ESP, there will be no encryption
but there still is authentication. So no problem unless NBN is watching your traffic.

To do that, you will have to remove the IPsec config from the GRE tunnels and create it manually under IPsec.
First look how it is with the dynamically generated entries, remove the IPsec config from GRE and then manually
create similar entries but with AH protocol instead of ESP.

For the fallback NBN link you have to use some tricks. Set some static routes for the IPs involved,
possibly combined with the usual failover mechanism (see other topics for that).
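The AH-only variant of the previous post, as an added example in RouterOS v6 CLI (it is not configuration from the thread). It assumes the same Site A addresses as the earlier example (A WAN1 198.51.100.10, B WAN1 192.0.2.10) and the pre-6.43 syntax where the pre-shared key sits on the IPsec peer; on newer v6 releases the secret moves to `/ip ipsec identity`. Only tunnel 1 is shown; tunnel 2 is the same with the WAN2 addresses.

```routeros
# 1. Take the built-in IPsec off the GRE tunnel so RouterOS stops generating ESP entries for it
/interface gre set gre-wan1 ipsec-secret=""

# 2. Recreate the peer by hand (what the checkmark generated, minus the encryption)
/ip ipsec peer add address=192.0.2.10/32 secret="<long-random-secret-1>" exchange-mode=main

# 3. A proposal with integrity only: no cipher, SHA-256 authentication, PFS still on
/ip ipsec proposal add name=ah-sha256 enc-algorithms=null auth-algorithms=sha256 pfs-group=modp2048

# 4. Transport-mode policy for the GRE (protocol 47) traffic between the two WAN addresses,
#    with ipsec-protocols=ah instead of the generated esp
/ip ipsec policy add src-address=198.51.100.10/32 dst-address=192.0.2.10/32 protocol=gre \
    sa-src-address=198.51.100.10 sa-dst-address=192.0.2.10 tunnel=no \
    ipsec-protocols=ah proposal=ah-sha256 action=encrypt level=require

# Check: the installed SAs should show protocol AH, and a packet capture on the WAN
# will now show the GRE payload in clear with only an AH header in front of it
/ip ipsec installed-sa print
```

Worth remembering before choosing this: AH protects the packets against tampering and spoofing but anyone on the path can read them, and AH does not pass through NAT because the hash covers the IP header. It only makes sense when the router is too slow for ESP and the links are trusted not to be sniffed, which is the trade-off the post above describes.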

Thanks. It's an RB951; I have a few RB3011s on order so hopefully these will have more power.

Yes, with a RB3011 it will work fine. The RB750Gr3 is the best-value-for-money router to do IPsec.
(tiny box with a lot of encryption power)

Thanks. Looks like the RB750Gr3 has hardware IPsec offload. Which will provide the higher throughput with IPsec, RB3011 or RB750Gr3? Happy to buy another RB3011 or a couple of RB750s.

I think it is about the same. The RB3011 has more ports, more storage, 19" case, LCD etc so it is more expensive,
but when looking only at the task depicted above one could use an RB750Gr3 just as well.
You could also consider a rackmounted CCR1009 or an RB1100AHx4 that both offer redundant power supplies.
But these cost about twice what an RB3011 costs.
(still peanuts compared to a Cisco)

I know this thread hasn't been active for a little while, but I have a similar question. The only difference with my scenario is Site B is a cloud hosted environment with 1 WAN connection that I have access to; however, being a cloud environment, the chances of it going down are very slim.
Site A is the same: 2 WAN connections connected to my RB3011. I'm connecting to site B via IPsec tunnels, and want to set up a failover scenario. I'm just not certain on how to do this without manually going into the router and disabling/enabling the IPsec tunnels when the connection goes down.
Does anyone know a config or a script that could help?

It was already fully explained above!

OSPF over GRE over IPsec is cool. Or OSPF over EoIP over IPsec.