Request: Netflow-to-connection-tracking service for HA

First of all: I hope there is no similar subject already: I searched the forums and didn’t see anything.

I have some VRRP clusters of RouterOS firewalls. They are working pretty well, with just a bit of disruption (a few seconds) when there is a VRRP failover.
It’s by design and I do not complain about this as a problem: connections are broken and clients need to retry and re-negotiate them (always with success, as I maintain the same rules on the firewalls).

The last VRRP cluster I created brings me this problem: as it will be connected to remote sites of the company, it will use IPsec connecting to different apparatuses over which I don’t have control. From the (few) tests I did in my testing environment, it seems to me that IPsec will not work with VRRP (if I understood correctly, there is no way to force re-negotiation of the SA; when the router owning the master VRRP changes, the remote expects the same security association).
So I’m looking at this type of scenario: having remote IPsec peers configured to use both of my RouterOS devices and establish two IPsec connections on their public addresses. I think it should work fine, but then I will not know which connection will be used from the remote side for each packet, so I can have connections unreplied in one of the ROS and connections dropped in the other because the connection-state will never be “related”.

(I am trying to attach an image to explain better, but adding it sends me to the login page… tried with Firefox and Chrome.)

I think that an interesting feature for this situation would be a service that, analyzing NetFlow output, populates the connection tracking table. So I would configure each router to send the other NetFlow information (maybe on a dedicated interface, to avoid making too much traffic), and each of them should then read this and populate the connections table (based on filter rules), so ROS2 will in that situation know that the response from the remote server is the reply to the legitimate request.

Is something like this possible?

Maybe if MikroTik added to ROS something like
http://conntrack-tools.netfilter.org/manual.html#sync
we would have good VRRP HA cluster routers.
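
The behaviour discussed in this thread, as an added illustration that is not part of either post and is not RouterOS or conntrack-tools code: a toy model of two stateful firewalls in which a reply arriving at the peer is dropped unless the first router has exported the flow record. All names (`Flow`, `Firewall`, `import_flow`, `demo`) and addresses are constructed for the example; imported records are checked against the local filter rule before they are installed, and they expire like any other entry.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reply(self):
        """Same connection seen in the reverse direction."""
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)

class Firewall:
    """Toy stateful firewall: LAN hosts may open connections, nothing else may."""
    def __init__(self, lan_prefix, timeout=30.0, peer=None):
        self.lan_prefix, self.timeout, self.peer = lan_prefix, timeout, peer
        self.table = {}  # original-direction Flow -> expiry time

    def _allowed_new(self, flow):
        return flow.src.startswith(self.lan_prefix)

    def _lookup(self, pkt, now):
        for key in (pkt, pkt.reply()):
            if self.table.get(key, 0.0) > now:
                return key
        return None

    def import_flow(self, flow, now):
        """Install a peer's flow record only if the local filter rule would allow it."""
        if not self._allowed_new(flow):
            return False
        self.table[flow] = now + self.timeout
        return True

    def handle(self, pkt, now):
        key = self._lookup(pkt, now)
        if key is not None:
            self.table[key] = now + self.timeout  # refresh the entry on traffic
            return "established"
        if self._allowed_new(pkt):
            self.table[pkt] = now + self.timeout
            if self.peer is not None:
                self.peer.import_flow(pkt, now)   # the state-sync step requested above
            return "new"
        return "drop"

def demo(sync):
    ros2 = Firewall("10.0.0.")
    ros1 = Firewall("10.0.0.", peer=ros2 if sync else None)
    req = Flow("tcp", "10.0.0.5", 40000, "192.0.2.10", 443)  # constructed addresses
    return (ros1.handle(req, 0.0), ros2.handle(req.reply(), 1.0), ros2.handle(req.reply(), 100.0))
```

`demo(False)` shows the asymmetric reply being dropped on the second router, and `demo(True)` shows it accepted while the synced entry is live and dropped again once it has timed out.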