MikroTik App (just joined, Topic Author) | Posts: 1 | Joined: Fri Aug 21, 2020 10:38 pm

Ipsec failover

Tue Jan 12, 2021 6:07 pm

Hello to everybody,
I'm trying to set up load balancing on a router in an office with two ISPs and an IPsec tunnel to a remote office. So far so good, but I want to have an automatic failover for IPsec: in case one ISP is down, the IPsec goes to the other and vice versa. I tried to make a mangle connection mark with distance routing, but it didn't work.
Can somebody help?
Forum Guru | Posts: 6660 | Joined: Mon Dec 04, 2017 9:19 pm

Re: Ipsec failover

Wed Jan 13, 2021 6:00 pm

Not enough information. If the "remote" office only has a single uplink (WAN) and you just fail over to another WAN in the "local" office using mangle rules, the "remote" router will ignore the packets as they will arrive from the wrong IP address. The packets from the "remote" router will keep being sent to the dead WAN's address, so they won't get delivered. MikroTik's IPsec implementation doesn't support MOBIKE yet, and I'm not even sure MOBIKE would work in this case.

So it will take the peers some time to detect the connection got broken (100 seconds by default), and then they may start establishing a new one. If the "remote" office acts as a responder, the initiator at the "local" office will re-establish the connection successfully from the backup WAN address; if the "remote" office acts as an initiator, it will keep trying to connect to the dead WAN's IP and never succeed.

To get some useful advice, provide more information regarding the number of WANs in the "remote" office, which WANs have public IPs on them and which are behind some external NAT (for both routers), whether the public IPs are static or dynamic, and where external NAT exists, whether you can configure port forwarding on it or not.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
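The scenario the reply describes (a single-WAN "remote" office acting as responder, the dual-WAN "local" office acting as initiator, failover driven by routing rather than mangle marks) can be sketched as a RouterOS configuration. This is an added example, not configuration from either poster; all addresses, gateway names, LAN prefixes, identity FQDNs and the PSK placeholder are made-up values, and the cipher, DPD and distance choices are the example's own, not recommendations from the thread.

```routeros
# Added example (not from the thread). Placeholders to replace with your own values:
#   REMOTE_IP   - static public IP of the single-WAN "remote" office
#   ISP1_GW / ISP2_GW - upstream gateways of the two WANs at the "local" office
#   10.10.0.0/24 = local LAN, 10.20.0.0/24 = remote LAN (constructed prefixes)

# ---------- "remote" office: one static WAN, IKEv2 responder ----------
/ip ipsec profile add name=site-prof hash-algorithm=sha256 enc-algorithm=aes-256 \
    dh-group=modp2048 dpd-interval=10s dpd-maximum-failures=3
/ip ipsec proposal add name=site-prop auth-algorithms=sha256 \
    enc-algorithms=aes-256-cbc pfs-group=modp2048
# Accept the initiator from whichever WAN it currently uses: do not pin the peer
# to one source IP, match the IKE identity instead (passive = responder only).
/ip ipsec peer add name=local-office address=0.0.0.0/0 exchange-mode=ike2 \
    passive=yes profile=site-prof
/ip ipsec identity add peer=local-office auth-method=pre-shared-key \
    secret="REPLACE_WITH_STRONG_PSK" my-id=fqdn:remote.example.invalid \
    remote-id=fqdn:local.example.invalid match-by=remote-id
/ip ipsec policy add peer=local-office tunnel=yes src-address=10.20.0.0/24 \
    dst-address=10.10.0.0/24 action=encrypt proposal=site-prop

# ---------- "local" office: two WANs, IKEv2 initiator ----------
/ip ipsec profile add name=site-prof hash-algorithm=sha256 enc-algorithm=aes-256 \
    dh-group=modp2048 dpd-interval=10s dpd-maximum-failures=3
/ip ipsec proposal add name=site-prop auth-algorithms=sha256 \
    enc-algorithms=aes-256-cbc pfs-group=modp2048
/ip ipsec peer add name=remote-office address=REMOTE_IP exchange-mode=ike2 \
    profile=site-prof
/ip ipsec identity add peer=remote-office auth-method=pre-shared-key \
    secret="REPLACE_WITH_STRONG_PSK" my-id=fqdn:local.example.invalid \
    remote-id=fqdn:remote.example.invalid
/ip ipsec policy add peer=remote-office tunnel=yes src-address=10.10.0.0/24 \
    dst-address=10.20.0.0/24 action=encrypt proposal=site-prop
# Failover by routing, not mangle: a host route to the responder via WAN1 with a
# gateway check, and a higher-distance copy via WAN2. When WAN1's gateway stops
# answering, the /32 flips to WAN2; once DPD has torn down the stale SA the
# initiator re-keys from WAN2's address, which the responder above accepts.
/ip route add dst-address=REMOTE_IP/32 gateway=ISP1_GW distance=1 \
    check-gateway=ping comment="IPsec peer via WAN1"
/ip route add dst-address=REMOTE_IP/32 gateway=ISP2_GW distance=2 \
    comment="IPsec peer via WAN2 (backup)"
# Keep LAN-to-LAN traffic out of srcnat on both WANs so the policy matches
# before masquerade rewrites the source address.
/ip firewall nat add chain=srcnat place-before=0 src-address=10.10.0.0/24 \
    dst-address=10.20.0.0/24 action=accept comment="no NAT for IPsec traffic"
```

Two caveats worth checking on a real deployment: check-gateway=ping only proves the next hop answers, not that the whole path to REMOTE_IP works, so a failed upstream behind a live gateway will not flip the route; and the failover delay is bounded by the DPD settings on the profile, which is the "some time to detect the connection got broken" the reply refers to. Watch /ip ipsec active-peers and /ip ipsec installed-sa while pulling WAN1 to confirm the old SA is removed and the new one is sourced from WAN2.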
