In the office I have two WANs (a main one and a backup for failover) and I want to connect to Azure over IPsec. I have managed to establish IPsec without problems through the main WAN, but I do not know how to fail over when the main connection fails.
To test this, I have set up a virtualized environment with several CHRs, simulating the connectivity to Azure in a very simple way:
                +-- ISP1 --+
Local Router ---|          |--- Azure_ISP --- Azure_Gateway
                +-- ISP2 --+
I am able to establish IPsec without problems through ISP1 or through ISP2, but not through both at the same time.
When I create a second policy to establish IPsec through WAN2 (with a different SA src address), it shows in red and I have to enable or disable it manually.
The configuration is as follows:
#################
#
# Local Router Simulation:
#
#################
# NAT-T is off because every hop in the lab has a public address
/ip ipsec peer profile
set [ find default=yes ] nat-traversal=no
# Two IKEv2 peers to the same Azure address, one per WAN; only local-address differs
/ip ipsec peer
add address=3.1.1.2/32 exchange-mode=ike2 local-address=1.1.1.2 port=500 secret=Test
add address=3.1.1.2/32 exchange-mode=ike2 local-address=2.1.1.2 port=500 secret=Test
# Same traffic selectors (192.168.2.0/24 <-> 172.16.0.0/24), one policy per WAN
/ip ipsec policy
add dst-address=172.16.0.0/24 sa-dst-address=3.1.1.2 sa-src-address=1.1.1.2 src-address=192.168.2.0/24 tunnel=yes
add dst-address=172.16.0.0/24 sa-dst-address=3.1.1.2 sa-src-address=2.1.1.2 src-address=192.168.2.0/24 tunnel=yes # stays in red
#################
#
# Azure Gateway Simulation:
#
#################
/ip ipsec peer profile
set [ find default=yes ] nat-traversal=no
# Responder side: one passive peer entry per office WAN address
/ip ipsec peer
add address=1.1.1.2/32 exchange-mode=ike2 local-address=3.1.1.2 passive=yes secret=Test
add address=2.1.1.2/32 exchange-mode=ike2 local-address=3.1.1.2 passive=yes secret=Test
# Mirror of the office policies, one per office WAN address
/ip ipsec policy
add dst-address=192.168.2.0/24 sa-dst-address=1.1.1.2 sa-src-address=3.1.1.2 src-address=172.16.0.0/24 tunnel=yes
add dst-address=192.168.2.0/24 sa-dst-address=2.1.1.2 sa-src-address=3.1.1.2 src-address=172.16.0.0/24 tunnel=yes # stays in red
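One way to get the failover the post is after, as an added example that is not part of the original post: keep both office-side policies defined but never enabled at the same time, and let a netwatch probe flip them when the primary WAN goes down or comes back. The peer and policy definitions are the ones from the post; the comment= tags on the policies, the script names, and the ISP1 gateway address 1.1.1.1 are assumptions made for this example.

```routeros
# Added example (not from the original post). Assumes the two office-side
# peers/policies above already exist; the comment= tags, script names and the
# probed gateway 1.1.1.1 are assumptions for this example.

# Tag the policies so the scripts can find them, and start with only the
# WAN1 policy active, so only one policy with these selectors is enabled.
/ip ipsec policy
set [ find sa-src-address=1.1.1.2 ] comment=azure-wan1 disabled=no
set [ find sa-src-address=2.1.1.2 ] comment=azure-wan2 disabled=yes

# Scripts that move the tunnel between WANs (old policy off before new on,
# so the two never overlap).
/system script
add name=azure-to-wan2 source="/ip ipsec policy set [ find comment=azure-wan1 ] disabled=yes; \
    /ip ipsec policy set [ find comment=azure-wan2 ] disabled=no; \
    /log warning \"WAN1 down: IPsec to Azure moved to WAN2\""
add name=azure-to-wan1 source="/ip ipsec policy set [ find comment=azure-wan2 ] disabled=yes; \
    /ip ipsec policy set [ find comment=azure-wan1 ] disabled=no; \
    /log warning \"WAN1 up: IPsec to Azure moved back to WAN1\""

# Probe the ISP1 gateway (1.1.1.1, assumed) and switch policies on state change.
/tool netwatch
add host=1.1.1.1 interval=10s timeout=2s \
    down-script="/system script run azure-to-wan2" \
    up-script="/system script run azure-to-wan1"
```

Two caveats a practitioner would want: probing the ISP1 gateway only catches a dead link, not an upstream outage, so for production the probe target should be a host beyond the ISP that is reachable only via a route pinned to WAN1 (otherwise the ping itself fails over and the check never triggers); and if SAs from the old path linger after a switch, `/ip ipsec installed-sa flush` clears them, at the cost of briefly dropping every tunnel on the router.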