Hello guys,
I have a series of branches that connect to a main site by site-to-site VPN. At the main site I have two different Internet providers with fixed IPs. I had established 2 connections, one directed to each ISP of the main site (the branches have only one Internet provider), and modified the priority of the routes so that everything always went through the one I wanted as my main, with the other held in reserve, that is, it was like a hot standby: if an ISP falls, the other route immediately comes up. All this was with version 6.46.4.
Now I have updated to 6.47 stable and this system that I created previously has stopped working: it is not letting me connect with 2 VPNs from the same site as it did previously.
Can you recommend some other technique to maintain redundancy or fault tolerance with the VPN? I have thought of creating a script with netwatch that would keep one VPN down until the other one falls; I don't know if this is good practice.
Note: I am using L2TP/IPsec.
What can you advise me?
Thank you in advance for the help and for having read my query.
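The netwatch idea from the post above, written out as an added example for site A (this is not code from the thread, from the poster, or from MikroTik): only one of the two L2TP/IPsec clients toward site B is enabled at any moment, and netwatch flips them when B's primary public address stops answering ping. The addresses (documentation ranges), interface and script names, user and secrets are placeholders, and it assumes the responder at B accepts a fresh session from A once the previous client has been disabled.

```routeros
# Added example, not from the thread. Site A has one ISP; site B has two
# fixed public IPs. Placeholders (documentation ranges, assumed):
#   B via ISP1: 203.0.113.10   B via ISP2: 198.51.100.10   B LAN: 192.168.100.0/24
# Only one L2TP client is enabled at a time, so A never opens two
# L2TP/IPsec sessions toward B from the same source address.

/interface l2tp-client
add name=vpn-B-isp1 connect-to=203.0.113.10 user=siteA password=CHANGEME \
    use-ipsec=yes ipsec-secret=CHANGEME add-default-route=no disabled=no
add name=vpn-B-isp2 connect-to=198.51.100.10 user=siteA password=CHANGEME \
    use-ipsec=yes ipsec-secret=CHANGEME add-default-route=no disabled=yes

# One route per tunnel. A route through a disabled or down interface is
# inactive; the distance only fixes the preference if both were ever up.
/ip route
add dst-address=192.168.100.0/24 gateway=vpn-B-isp1 distance=1 comment="B via ISP1"
add dst-address=192.168.100.0/24 gateway=vpn-B-isp2 distance=2 comment="B via ISP2"

# Switch-over scripts. Order matters: tear down the active client first,
# wait briefly, then bring up the other, so the two are never up together.
/system script
add name=B-use-isp2 source=":log warning \"site B via ISP1 unreachable, switching to vpn-B-isp2\"; /interface l2tp-client disable [find name=vpn-B-isp1]; :delay 5s; /interface l2tp-client enable [find name=vpn-B-isp2]"
add name=B-use-isp1 source=":log warning \"site B via ISP1 reachable again, switching back to vpn-B-isp1\"; /interface l2tp-client disable [find name=vpn-B-isp2]; :delay 5s; /interface l2tp-client enable [find name=vpn-B-isp1]"

# Probe B's primary public address from A's single WAN. netwatch runs
# down-script once when the host stops answering and up-script once when
# it answers again, so each flip happens exactly once per transition.
/tool netwatch
add host=203.0.113.10 interval=10s timeout=2s \
    down-script="/system script run B-use-isp2" \
    up-script="/system script run B-use-isp1"
```

Two caveats to check before relying on it: the probe only tests that B's ISP1 address answers ICMP (B's firewall must allow that, and a tunnel can still fail while ping succeeds), and if the responder keeps the previous L2TP session or IPsec SA around for a while (the "old tunnel is not closed yet" message seen in this thread), the switch-over takes until that state ages out, so the `:delay` may need to be longer than 5 seconds on your devices.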
Hi there,
Firstly, what VPN are you using?
Also, do you perhaps have 2 WAN IPs you can use?
I would configure WAN1 (IP1) and WAN2 (IP2).
Set up two IPsec tunnels to the two interfaces on the WAN side and use VRRP on the inside.
If one link goes down, VRRP handles the failover.
Regards,
WK
Hello and thanks for your answer. Let me explain: on the branch side (A) I have an Internet provider with a fixed public IP, and on the server side (B) I have two ISPs with fixed IPs. I am using MikroTik devices and I am creating the VPN between these devices, using L2TP/IPsec.
From side (A) I had created 2 VPN connections to side (B), pointing at each public IP that side (B) has, and on side (A), in the route table, the priority of one of the 2 VPN routes is lowered so that the traffic travels through one of the 2; that way, if an Internet provider at (B) fails, that route goes down and the other comes up. Now with the new update to 6.47.
Responding to the idea of using VRRP: the difficulty I have is that on side (B) I have only one router, and what I need is for one VPN to come in if the other falls; that, for example, is the high availability that I need. I also looked at what you recommend and, first, I cannot create VRRP on VPN interfaces, and second, the problem is that it is not letting the second VPN in at (B) as it worked before.
Without a complex workaround, L2TP/IPsec never accepted connections from two clients behind the same public IP address, but I guess that's not what you are talking about.
When you say
do you mean that RouterOS doesn’t let you configure it that way or that only one connection is active at runtime?
Another question: did you let RouterOS create the IPsec configuration for you dynamically, by setting the use-ipsec property of /interface l2tp-server server to yes or required, or do you have a manually created IPsec configuration in place? I can imagine that in the former case the IPsec stack doesn't care to which of the two WAN addresses the initial IKE packet from the initiator comes, and thus it rejects the other connection from the same remote IP. But I didn't dare to install 6.47 yet due to the reported issue with excess flash writes, so I cannot test the behaviour on any of my devices. The log should tell you something: disable both L2TP-client interfaces at the initiator; at both the responder and one of the initiators, run /system logging add topics=ipsec,!packet, then /log print follow-only file=ipsec-startup where topics~"ipsec", then enable the L2TP-client interfaces; once the state becomes stable, stop the /log print and read the resulting files.
Hi... The problem I pose is that before, from a point (A), I could connect to a site (B) with two VPNs, one connected to one public IP and the other VPN to a different public IP. Now it is not letting me do it: either one VPN or the other connects. Only one branch has managed to stay as before. On the other hand, at some point it gives an "old tunnel is not closed yet" error, but I tell you that it is enough to disable one connection and the other wakes up without any problem. What I am noticing is that with this update the router does not allow me to maintain two connections that come from the same place, even though they arrive by different paths.