IPsec tunnel wan failover

irico · Fri Oct 19, 2018 7:51 pm

I want to know if it is possible to configure IPsec tunnel in the following way:

In the office I have 2 WAN (main and backup failover) and I want to connect with Azure and IPsec. I have managed to establish IPsec without problem through the main WAN but I do not know how to failover when the main connection fails.

To test, I have mounted a virtualized environment with multiple CHR, simulating the connectivity to Azure in a very simple way:

………………..-ISP1-----
Local Router -|…………...|- Azure_ISP -- Azure_Gateway
………………..--ISP2-----

I get to establish IPsec without problem through ISP1 or through ISP2, but not both at the same time.
When I create a second policy to establish IPsec through WAN2 (different SA src address) it stays in red and I have to manually enable or disable it.

The configuration is as follows:

#################
#
# Local Router Simulation:
#
#################
/ip ipsec peer profile
set [ find default=yes ] nat-traversal=no
/ip ipsec peer
add address=3.1.1.2/32 exchange-mode=ike2 local-address=1.1.1.2 port=500 secret=Test
add address=3.1.1.2/32 exchange-mode=ike2 local-address=2.1.1.2 port=500 secret=Test
/ip ipsec policy
add dst-address=172.16.0.0/24 sa-dst-address=3.1.1.2 sa-src-address=1.1.1.2 src-address=192.168.2.0/24 tunnel=yes
add dst-address=172.16.0.0/24 sa-dst-address=3.1.1.2 sa-src-address=2.1.1.2 src-address=192.168.2.0/24 tunnel=yes  #stays in red


#################
#
# Azure Gateway Simulation:
#
#################
/ip ipsec peer profile
set [ find default=yes ] nat-traversal=no
/ip ipsec peer
add address=1.1.1.2/32 exchange-mode=ike2 local-address=3.1.1.2 passive=yes secret=Test
add address=2.1.1.2/32 exchange-mode=ike2 local-address=3.1.1.2 passive=yes secret=Test
/ip ipsec policy
add dst-address=192.168.2.0/24 sa-dst-address=1.1.1.2 sa-src-address=3.1.1.2 src-address=172.16.0.0/24 tunnel=yes
add dst-address=192.168.2.0/24 sa-dst-address=2.1.1.2 sa-src-address=3.1.1.2 src-address=172.16.0.0/24 tunnel=yes  #stays in red

In Azure it is not possible to establish an IPIP / GRE tunnel and use IPsec in transport mode. You have to use strict IPsec tunnel.

xvo · Sat Oct 20, 2018 12:21 am

What is your ROS version?

What's new in 6.43.4 (2018-Oct-17 06:37):

Changes in this release:

*) ipsec - allow multiple peers to the same address with different local-address (introduced in v6.43);

irico · Tue Oct 23, 2018 2:37 pm

Sorry for taking a long time to answer.
ROS versión: 6.43.4
The problem is not the peer, it is established correctly. The problem is the duplicate policy with different SA src address, one of them become invalid.

[admin@C1] /ip ipsec> remote-peers print detail
Flags: R - responder, N - natt-peer 
 0    id="3.1.1.2" local-address=1.1.1.2 remote-address=3.1.1.2 state=established side=initiator uptime=3h43m56s last-seen=1m20s 

 1    id="3.1.1.2" local-address=2.1.1.2 remote-address=3.1.1.2 state=established side=initiator uptime=3h43m54s last-seen=1m53s 
[admin@C1] /ip ipsec> policy print detail      
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default 
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes 

 1  A  src-address=192.168.2.0/24 src-port=any dst-address=172.16.0.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=1.1.1.2 sa-dst-address=3.1.1.2 proposal=default ph2-count=1 

 2  I  src-address=192.168.2.0/24 src-port=any dst-address=172.16.0.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=2.1.1.2 sa-dst-address=3.1.1.2 proposal=default ph2-count=0 
[admin@C1] /ip ipsec>

xvo · Tue Oct 23, 2018 8:11 pm

Sorry for taking a long time to answer.
ROS versión: 6.43.4
The problem is not the peer, it is established correctly. The problem is the duplicate policy with different SA src address, one of them become invalid.

[admin@C1] /ip ipsec> remote-peers print detail
Flags: R - responder, N - natt-peer 
 0    id="3.1.1.2" local-address=1.1.1.2 remote-address=3.1.1.2 state=established side=initiator uptime=3h43m56s last-seen=1m20s 

 1    id="3.1.1.2" local-address=2.1.1.2 remote-address=3.1.1.2 state=established side=initiator uptime=3h43m54s last-seen=1m53s 
[admin@C1] /ip ipsec> policy print detail      
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default 
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes 

 1  A  src-address=192.168.2.0/24 src-port=any dst-address=172.16.0.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=1.1.1.2 sa-dst-address=3.1.1.2 proposal=default ph2-count=1 

 2  I  src-address=192.168.2.0/24 src-port=any dst-address=172.16.0.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=2.1.1.2 sa-dst-address=3.1.1.2 proposal=default ph2-count=0 
[admin@C1] /ip ipsec>

I think the problem is that you are trying to have two policies between the same src and dst addresses - one of them will never be used.
Try to create one policy that will cover both links, without sa-src-address specified (sa-dst-address on the other end) and Level set to unique.

IPsec tunnel wan failover

IPsec tunnel wan failover

Re: IPsec tunnel wan failover

Re: IPsec tunnel wan failover

Re: IPsec tunnel wan failover

Who is online