I'm having a hard time finding much, if any, documentation on this scenario. I've tried a couple of ways of doing it and they work, but I'm trying to figure out what the best way to do it is while being as redundant as possible.

What I like the best so far is to have the portal and a gateway up on a floating IP so it can bounce from one firewall to the other as needed. However, doing that adds a route to the virtual router on both firewalls for the tunnel (client) addresses. If a client connects and gets terminated to the tunnel interface on firewall 1, accesses a service, and then return traffic comes back into firewall 2, it dies because it thinks the client is on that tunnel interface, when it isn't. Does that make sense? If there was a way to have the tunnel interface also follow the floating IP, that would be great. This would only install the route on the firewall that needs it.

Another way I thought of doing it is a portal and gateway on firewall 1, and a portal and a gateway on firewall 2. Then in my DNS, the portal DNS record (vpn.domain.com) answers with both portals and the gateway DNS record (gw.domain.com) answers with both gateways. That doubles the configuration that has to be made, but solves the route being installed on both firewalls when clients are only connected to one firewall. Is there a proper way to do this?
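The blackhole the post describes is easy to reproduce in a toy route-lookup model. The following is an added illustration, not code from the original post or from any firewall vendor: it models two virtual routers that both carry a static route for the VPN client pool towards their tunnel interface, while only one of them actually holds the client's tunnel session, and compares that against installing the pool route only on the firewall that terminates the tunnel. The firewall names, the 10.99.0.0/24 pool, the 10.99.0.17 client address and the interface names are constructed assumptions.

```python
"""Toy route-lookup model of asymmetric return traffic for VPN clients.

Added example, not the original poster's configuration. Two firewalls share a
static route for the client pool; only one has the client's tunnel. All names
and addresses below are assumptions made for the illustration.
"""
import ipaddress

CLIENT_POOL = "10.99.0.0/24"   # assumed tunnel (client) address pool
CLIENT_IP = "10.99.0.17"       # assumed client; its tunnel terminates on fw1


class Firewall:
    """Minimal virtual router: longest-prefix match plus a tunnel-session check."""

    def __init__(self, name, default_iface):
        self.name = name
        self.routes = []             # list of (network, egress interface)
        self.tunnel_clients = set()  # client IPs with a live tunnel on this box
        self.add_route("0.0.0.0/0", default_iface)

    def add_route(self, cidr, iface):
        self.routes.append((ipaddress.ip_network(cidr), iface))

    def connect_client(self, client_ip):
        """Record that this client's tunnel terminates on this firewall."""
        self.tunnel_clients.add(ipaddress.ip_address(client_ip))

    def lookup(self, dst):
        """Return the egress interface chosen by longest-prefix match."""
        dst = ipaddress.ip_address(dst)
        best = None
        for net, iface in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def forward(self, dst):
        """Verdict for a return packet addressed to a VPN client."""
        iface = self.lookup(dst)
        if iface is None:
            return "no route"
        if iface.startswith("tunnel."):
            if ipaddress.ip_address(dst) in self.tunnel_clients:
                return f"delivered via {iface}"
            # The route points at the tunnel, but no tunnel to this client
            # exists on this firewall, so the packet is blackholed.
            return f"dropped: {iface} has no session for {dst}"
        return f"forwarded via {iface}"


def simulate():
    """Compare the two designs from the post; returns verdicts per firewall."""
    results = {}

    # Design 1: floating portal/gateway, pool route present on BOTH firewalls.
    fw1 = Firewall("fw1", "ethernet1/1")
    fw2 = Firewall("fw2", "ethernet1/1")
    for fw in (fw1, fw2):
        fw.add_route(CLIENT_POOL, "tunnel.1")
    fw1.connect_client(CLIENT_IP)              # client landed on fw1
    results["shared_route"] = {
        "fw1": fw1.forward(CLIENT_IP),
        "fw2": fw2.forward(CLIENT_IP),         # return traffic arriving at fw2
    }

    # Design 2: pool route only on the firewall that terminates the tunnel.
    fw1 = Firewall("fw1", "ethernet1/1")
    fw2 = Firewall("fw2", "ethernet1/1")
    fw1.add_route(CLIENT_POOL, "tunnel.1")
    fw1.connect_client(CLIENT_IP)
    results["route_follows_tunnel"] = {
        "fw1": fw1.forward(CLIENT_IP),
        "fw2": fw2.forward(CLIENT_IP),         # falls through to the default route
    }
    return results


if __name__ == "__main__":
    for design, verdicts in simulate().items():
        for fw, verdict in verdicts.items():
            print(f"{design:20} {fw}: {verdict}")
```

Running it shows fw2 blackholing the return packet on tunnel.1 in the shared-route design and falling through to its default route in the second design. The model only shows that fw2 stops dropping the packet on its own tunnel interface; whether that packet then actually reaches the client depends on where fw2's default route leads in the real topology, which the model does not represent.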