Hi Community,

I've got the following problem: We have a running LSVPN with primary and secondary tunnels, which are connected on the hub to two different VRs, which sync themselves via iBGP. Everything is fine so far.

One of the satellite sites has two ISP lines, which should be used active/passive for redundancy. Binding the IPSec tunnel to the physical interface is not possible, because when this link goes down (because the provider has a problem or something else), the down interface won't try to establish a VPN. I need to use a loopback IP, which is NATed and routed to the active ISP line.

I did it, and the first impression was that this is working, BUT: after 1h, when the IPSec SA dies, the renegotiation takes too long and the users get problems with VoIP, SAP and so on. When checking the hub and GW firewall, I noticed that the SSL connection to the Portal was built up from Satellite to Hub (as expected), but the IPSec tunnel was built up from Hub to Satellite.

That's why I'm confused. Here I'm in the position of doing the NAT myself, and both providers are direct public IPs the PAN can use, but this wouldn't work when sitting behind a provider Internet box, which does the NATing for me.

Does anybody know if it's even supported to have the LSVPN satellite IPsec sitting on a loopback interface and using active/passive Internet redundancy?

I'm happy for any input here.

Regards
Chacko