<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Site to Site VPNs HA in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpns-ha/m-p/1239690#M125298</link>
    <description>&lt;P&gt;&lt;SPAN&gt;Hello team, currently we have 2 VPN S2S, one as primary and the other one as secondary.&lt;/SPAN&gt;&lt;BR /&gt;&lt;SPAN&gt;Primary uses our primary ISP against primary ISP from my peer, tunnel10, static route metric 10&lt;/SPAN&gt;&lt;BR /&gt;&lt;SPAN&gt;Secondary one uses our secondary ISP against secondary ISP from my peer, tunnel11 static route metric 11.&lt;/SPAN&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;SPAN&gt;This is the environment, so both VPNs are active but all the traffic is going through tunnel10 because it's my primary one due to metric.&lt;/SPAN&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;SPAN&gt;How can I HA both VPNs? Which is the best option?&lt;/SPAN&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;SPAN&gt;1.- Use tunnel monitor on primary VPN (ipsec tunnel, general, advanced options)&lt;/SPAN&gt;&lt;BR /&gt;&lt;SPAN&gt;2.- Use Path Monitoring on the primary static route?&lt;/SPAN&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;SPAN&gt;What is my best option, and what are the comparison, pros and cons for both methods?&lt;/SPAN&gt;&lt;/P&gt;</description>
    <pubDate>Wed, 08 Oct 2025 19:27:53 GMT</pubDate>
    <dc:creator>soc_mlopez</dc:creator>
    <dc:date>2025-10-08T19:27:53Z</dc:date>
    <item>
      <title>Site to Site VPNs HA</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpns-ha/m-p/1239690#M125298</link>
      <description>&lt;P&gt;&lt;SPAN&gt;Hello team, currently we have 2 VPN S2S, one as primary and the other one as secondary.&lt;/SPAN&gt;&lt;BR /&gt;&lt;SPAN&gt;Primary uses our primary ISP against primary ISP from my peer, tunnel10, static route metric 10&lt;/SPAN&gt;&lt;BR /&gt;&lt;SPAN&gt;Secondary one uses our secondary ISP against secondary ISP from my peer, tunnel11 static route metric 11.&lt;/SPAN&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;SPAN&gt;This is the environment, so both VPNs are active but all the traffic is going through tunnel10 because it's my primary one due to metric.&lt;/SPAN&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;SPAN&gt;How can I HA both VPNs? Which is the best option?&lt;/SPAN&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;SPAN&gt;1.- Use tunnel monitor on primary VPN (ipsec tunnel, general, advanced options)&lt;/SPAN&gt;&lt;BR /&gt;&lt;SPAN&gt;2.- Use Path Monitoring on the primary static route?&lt;/SPAN&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;SPAN&gt;What is my best option, and what are the comparison, pros and cons for both methods?&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 08 Oct 2025 19:27:53 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpns-ha/m-p/1239690#M125298</guid>
      <dc:creator>soc_mlopez</dc:creator>
      <dc:date>2025-10-08T19:27:53Z</dc:date>
    </item>
    <item>
      <title>Re: Site to Site VPNs HA</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpns-ha/m-p/1239693#M125299</link>
      <description>&lt;P&gt;Hello&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/277496"&gt;@soc_mlopez&lt;/a&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thanks for the post!&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;If you would like to route traffic through both VPN tunnels at the same time, you will have to enable ECMP and use a routing protocol (for example OSPF) to advertise prefixes equally across both tunnel interfaces. Details of this setup are described in this KB:&amp;nbsp;&lt;A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHlCAK" target="_self"&gt;OSPF over IPSec with load balancing via ECMP dual ISP&lt;/A&gt;.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;A more advanced option of the above setup would be to use OSPF to advertise the Loopback interface IP address across both tunnels and then establish BGP between the loopback IP addresses of both Firewalls. In this case OSPF would serve as a transport to advertise the Loopback IP address, over which BGP establishes a session that will be used to route traffic across both tunnels. If one of the tunnels goes down or an ISP link is flapping (up/down/up event), the BGP session still remains up.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Based on the information in your post it looks like you do not have any dynamic routing in place, which might cause extra complexity; however, by using dynamic routing you can utilize both tunnels at the same time without avoiding asymmetric routing. With static route path monitoring you will likely still be running VPN tunnel routing in an active / standby scenario with a failover option when path monitoring fails. If path monitoring is not set up properly on the other side of the tunnel you might be blackholing traffic or causing asymmetric routing.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Kind Regards&lt;/P&gt;
&lt;P&gt;Pavel&lt;/P&gt;</description>
      <pubDate>Wed, 08 Oct 2025 22:27:57 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpns-ha/m-p/1239693#M125299</guid>
      <dc:creator>PavelK</dc:creator>
      <dc:date>2025-10-08T22:27:57Z</dc:date>
    </item>
    <item>
      <title>Re: Site to Site VPNs HA</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpns-ha/m-p/1240534#M125405</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;
&lt;P&gt;You can do it simply by using Policy Based Forwarding. Or go a bit more complex and use OSPF as previously suggested.&lt;/P&gt;
&lt;P&gt;Just give each tunnel an IP address on both ends; I typically will use a /30.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Regards,&lt;/P&gt;</description>
      <pubDate>Wed, 22 Oct 2025 19:38:16 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpns-ha/m-p/1240534#M125405</guid>
      <dc:creator>OtakarKlier</dc:creator>
      <dc:date>2025-10-22T19:38:16Z</dc:date>
    </item>
  </channel>
</rss>

