Setup IPSEC Tunnels from Active/Standby pair to Active/Active Pair in AWS


L2 Linker

So, we are in the process of creating a presence in AWS. We are planning on using a pair of VM-300 series firewalls (in Active/Active) in a Transit VPC. Our on prem firewall pair (in Active/Standby mode) will connect to the Transit VPC via IPSEC tunnels. The first tunnel will be over a DirectConnect (DX) connection, and the second tunnel will ride over the public internet (in case the DX connection fails). So basically, each firewall will have 2 IPSEC VPN tunnels going to AWS.


While the Transit VPC IPSEC tunnels in Active/Active mode are fine to have different IPSEC tunnels going to them, I am wondering how this will work on the on prem firewalls being as though the tunnel only works on the Active firewall. What would be the best way to make this work?


L5 Sessionator

VM-series in the Public Cloud only supports Active/Passive High Availability.

BGP for Transit VPC is configured in an Active/Standby mode. 

I just wanted to clarify that before moving forward. 


Also a key note: in Transit VPC, the VM-Series is not in an HA configuration. BGP is set to Active/Standby but the VM-Series are not HA.
