DotTest37
Frequent Visitor
Topic Author
Posts: 56
Joined: Sun Oct 06, 2013 10:01 pm

Unable to set a Dual WAN ipSec failover

Sun May 29, 2016 5:10 pm

Hi guys

I have two sites, each of them with a LAN behind NAT, and each of them using a different ISP.
I'm trying to set up a Dual WAN IPsec failover, but the IPsec policy keeps giving me trouble.


Site1 is like this:
ISP0 public IP 1.1.1.1
LAN 10.5.10.0/24

Site2 is like this:
ISP1 public IP 2.2.2.2 (this is the main link)
ISP2 public IP 3.3.3.3
LAN 192.168.0.0/24


I already have ISP failover working on Site2, using a combination of default route cost and some scripts that check for some external servers on ISP1, so when the MikroTik router can't see those servers it basically changes the distance on the default route and moves the outgoing traffic to ISP2.

Now, the problem is that I need an IPsec tunnel between the two sites (so the two LANs see each other) and I need it redundant on Site2.
I can make it work with ISP1 or ISP2 separately, but in order to have them both, I need to have IPsec policies involving the two peers and the LAN, on both Site1 and Site 2.
I realized that one of the IPsec policies disables itself when I have two involving the same Src Address and Dst Address (it turns red). So I created scripts on Site2 so that when ISP1 goes down, they disable the IPsec policy that I don't need and enable the other, and vice versa.

The problem is that on Site1 I'm having the same issue (I need two IPsec policies so I can hook up with either ISP1 or ISP2 on Site 2), and one of them turns red; the only way to make it work is to manually enable/disable the one you don't need.
I cannot find a way to make a script that does that automatically, or a way to make this thing work with Dual WAN.

I wonder if anybody has had that issue.
 
emikrotik
Frequent Visitor
Posts: 71
Joined: Fri Jun 19, 2015 9:30 am

Re: Unable to set a Dual WAN ipSec failover

Tue May 31, 2016 2:45 am

At Site1 create a netwatch script that monitors Site2 ISP 1.

When the Site2 ISP 1 connection goes down it disables the IPsec peer for ISP 1 and enables the IPsec peer for ISP 2.

When the Site2 ISP 1 connection comes back up it enables the IPsec peer for ISP 1 and disables the IPsec peer for ISP 2.
 
DotTest37
Frequent Visitor
Topic Author
Posts: 56
Joined: Sun Oct 06, 2013 10:01 pm

Re: Unable to set a Dual WAN ipSec failover

Fri Jun 03, 2016 5:49 pm

emikrotik wrote:
At Site1 create a netwatch script that monitors Site2 ISP 1.

When the Site2 ISP 1 connection goes down it disables the IPsec peer for ISP 1 and enables the IPsec peer for ISP 2.

When the Site2 ISP 1 connection comes back up it enables the IPsec peer for ISP 1 and disables the IPsec peer for ISP 2.

At first I created another script at Site 1, same idea, but since I don't need to monitor multiple IPs, netwatch was a better solution.
(I had to make sure to account for rare situations where Site1 can ping the IP on Site2 but Site2 has already failed over, thus creating a strange tunnel configuration, so what I did was add a line to the scripts at Site 2 so that when the failover happens a firewall entry is added, blocking Site 1 from pinging the ISP1 WAN 1 IP.)
Tested in multiple situations (interface disabled, interface disconnected, loss of Internet, etc.); worked great.

Thanks a lot for the advice on Netwatch.
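The netwatch switch emikrotik describes, plus the probe-blocking rule DotTest37 added on Site 2, written out as an added RouterOS example (not configuration posted by either of them). It assumes the RouterOS 6 syntax of the time, where the pre-shared key sits on the peer; the PSKs, comments, timers and the Site2 script names are placeholders.

```routeros
# --- Site1 (WAN 1.1.1.1): one peer and one policy per Site2 uplink, only one pair enabled ---
/ip ipsec peer
add address=2.2.2.2/32 secret="PSK-PLACEHOLDER" exchange-mode=main comment="peer-isp1"
add address=3.3.3.3/32 secret="PSK-PLACEHOLDER" exchange-mode=main comment="peer-isp2" disabled=yes
# Both policies carry the same src/dst selector, which is why RouterOS marks the second
# one inactive (red); the netwatch scripts below guarantee only one is enabled at a time.
/ip ipsec policy
add src-address=10.5.10.0/24 dst-address=192.168.0.0/24 tunnel=yes \
    sa-src-address=1.1.1.1 sa-dst-address=2.2.2.2 comment="pol-isp1"
add src-address=10.5.10.0/24 dst-address=192.168.0.0/24 tunnel=yes \
    sa-src-address=1.1.1.1 sa-dst-address=3.3.3.3 comment="pol-isp2" disabled=yes
# Probe Site2's primary WAN address; on a state change swap peer and policy together.
/tool netwatch
add host=2.2.2.2 interval=10s timeout=2s \
    down-script="/ip ipsec policy disable [find comment=\"pol-isp1\"]; /ip ipsec peer disable [find comment=\"peer-isp1\"]; /ip ipsec peer enable [find comment=\"peer-isp2\"]; /ip ipsec policy enable [find comment=\"pol-isp2\"]" \
    up-script="/ip ipsec policy disable [find comment=\"pol-isp2\"]; /ip ipsec peer disable [find comment=\"peer-isp2\"]; /ip ipsec peer enable [find comment=\"peer-isp1\"]; /ip ipsec policy enable [find comment=\"pol-isp1\"]"

# --- Site2 (WAN 2.2.2.2 on ISP1, 3.3.3.3 on ISP2) ---
# While Site2 runs on ISP2, drop Site1's probes to 2.2.2.2 so Site1's netwatch fails over
# too, even when ISP1 is still partly reachable. Keep the rule above any "accept icmp" rule.
/ip firewall filter
add chain=input src-address=1.1.1.1 dst-address=2.2.2.2 protocol=icmp action=drop \
    comment="block-site1-probe" disabled=yes
# Hooks for the existing Site2 failover scripts (script names are placeholders):
#   failover-to-isp2:  /ip firewall filter enable  [find comment="block-site1-probe"]
#   failback-to-isp1:  /ip firewall filter disable [find comment="block-site1-probe"]
```

Both the peer and the policy are toggled because a peer left enabled with no active policy keeps renegotiating phase 1 and muddies the IPsec log when you are trying to see which path is live.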
 
pe1chl
Forum Guru
Posts: 6673
Joined: Mon Jun 08, 2015 12:09 pm

Re: Unable to set a Dual WAN ipSec failover

Sun Jun 05, 2016 10:12 am

Direct IPsec tunnels always cause problems in many areas due to the way they directly interact with the lowest level of IP routing.
I would change the direct IPsec tunnels to IP over IPsec or GRE over IPsec tunnels with a /30 network, and then set routes with different preference or run a routing protocol, and use those to route the actual networks over those tunnels.
Then you can clearly define and monitor all the paths and the way the traffic flows, without requiring scripts.
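pe1chl's alternative as an added RouterOS 6 example (not his configuration): one GRE tunnel per Site2 uplink, each protected by IPsec via the interface's ipsec-secret, a /30 on each tunnel, and two routes to the remote LAN whose distance picks the path. The /30 ranges, keepalive timers, PSKs and the ISP2 gateway are assumed.

```routeros
# --- Site1 (WAN 1.1.1.1) ---
# ipsec-secret makes RouterOS create the peer/policy for the GRE packets themselves,
# so the LAN subnets never appear in an IPsec policy and nothing turns red.
/interface gre
add name=gre-isp1 local-address=1.1.1.1 remote-address=2.2.2.2 ipsec-secret="PSK-1-PLACEHOLDER" keepalive=10s,3
add name=gre-isp2 local-address=1.1.1.1 remote-address=3.3.3.3 ipsec-secret="PSK-2-PLACEHOLDER" keepalive=10s,3
/ip address
add address=10.255.0.1/30 interface=gre-isp1
add address=10.255.0.5/30 interface=gre-isp2
# Two routes to the Site2 LAN; the lower distance wins while its tunnel is running.
# GRE keepalive marks a dead tunnel "not running", which deactivates its route without scripts.
/ip route
add dst-address=192.168.0.0/24 gateway=10.255.0.2 distance=1 check-gateway=ping
add dst-address=192.168.0.0/24 gateway=10.255.0.6 distance=2 check-gateway=ping

# --- Site2 (WAN 2.2.2.2 on ISP1, 3.3.3.3 on ISP2), mirror image ---
/interface gre
add name=gre-isp1 local-address=2.2.2.2 remote-address=1.1.1.1 ipsec-secret="PSK-1-PLACEHOLDER" keepalive=10s,3
add name=gre-isp2 local-address=3.3.3.3 remote-address=1.1.1.1 ipsec-secret="PSK-2-PLACEHOLDER" keepalive=10s,3
/ip address
add address=10.255.0.2/30 interface=gre-isp1
add address=10.255.0.6/30 interface=gre-isp2
/ip route
add dst-address=10.5.10.0/24 gateway=10.255.0.1 distance=1 check-gateway=ping
add dst-address=10.5.10.0/24 gateway=10.255.0.5 distance=2 check-gateway=ping
# The ISP2 tunnel is sourced from 3.3.3.3, so its ESP/GRE packets must leave via ISP2 no
# matter which default route is active; a source-based lookup keeps them off ISP1.
add dst-address=0.0.0.0/0 gateway=ISP2-GATEWAY-PLACEHOLDER routing-mark=via-isp2
/ip route rule
add src-address=3.3.3.3/32 action=lookup table=via-isp2
# GRE plus ESP headers lower the usable MTU on the tunnels; clamp TCP MSS on the tunnel
# interfaces or make sure path MTU discovery (ICMP) is not filtered between the sites.
```

Which path is in use is now visible in /ip route (active route) and /interface gre (running flag), and the firewall only ever sees plain routed traffic on the gre-* interfaces.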
 
DotTest37
Frequent Visitor
Topic Author
Posts: 56
Joined: Sun Oct 06, 2013 10:01 pm

Re: Unable to set a Dual WAN ipSec failover

Mon Jun 06, 2016 4:27 pm

pe1chl wrote:
Direct IPsec tunnels always cause problems in many areas due to the way they directly interact with the lowest level of IP routing.
I would change the direct IPsec tunnels to IP over IPsec or GRE over IPsec tunnels with a /30 network, and then set routes with different preference or run a routing protocol, and use those to route the actual networks over those tunnels.
Then you can clearly define and monitor all the paths and the way the traffic flows, without requiring scripts.

And what about performance? I read somewhere that GRE takes a bit of a hit on performance when compared to direct IPsec. Bandwidth and latency are paramount on Site 2.
I moved from OpenVPN because the latency was almost 2x more than IPsec (perhaps I didn't have the knowledge to make it right, but I didn't have time either, so I went with IPsec).
 
pe1chl
Forum Guru
Posts: 6673
Joined: Mon Jun 08, 2015 12:09 pm

Re: Unable to set a Dual WAN ipSec failover

Mon Jun 06, 2016 4:47 pm

There should be very little difference between direct IPsec and using IP or GRE (or L2TP) over IPsec and then routing over that. It has a tiny influence on MTU, but that should have only a small percentage influence.
OTOH, this setup is much easier to configure, monitor and control (w.r.t. firewalling, routing, failover etc.).
