I want to configure an IPSec VPN tunnel with redundant VPN peers primary peer "A" using tunnel1 and secondary peer "B" (if "A" goes down) using tunnel2.
I can configure failover using Tunnel Monitoring, but my question is "Why are routes to my VPN peer network installed in the routing table using tunnel1 (more preferred) over tunnel2?". I cannot see where we say tunnel1 is the primary, routes via tunnel2 should only be installed if tunnel1 goes down?
Note: I am not considering failover using static route monitoring at this time.
if a vpn tunnel goes down the interface is not necessarily 'down', a monitoring profile set to 'failover' will bring it down
routes on an interface will stay in the routing table as long as the interface is up, when monitoring brings down the interfaces, the route will disappear and the next lowest metric will pick up the traffic (tunnel 2 with a higher metric)
I also use Policy Based Forwarding to prefer the primary endpoint so that if it goes down then the PBF no longer takes effect and the Virtual router takes over. I also put OSPF on both ends with metrics so there is no weird routing loops.
Hope that helps.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!