
Backup WAN being connected causes VPN to break

IKEv1 VPN firewall


#1 GregCLC

GregCLC
  • Members
  • 3 posts

Posted 06 May 2020 - 06:07 PM

We have an F-12 firewall with a primary WAN connection on port 5, statically assigned IP. Our backup WAN connection is on port 3, also statically assigned IP. We have an IKEv1 site-to-site VPN to Rackspace that fails when the Ethernet cable from the backup ISP equipment is connected to port 3. We have two IKEv1 tunnels created pointing to the same remote subnet and peer, and Barracuda support has told us this configuration would not work and we would need a second peer IP on the remote/Rackspace side. Does this sound accurate?


Another strange quirk is that when we have our backup WAN connected, the two IKEv1 tunnels switch between up and down, going back and forth endlessly. Is there a way to set a priority so that, if the primary WAN is up, the backup WAN won't attempt to establish? It seems strange to me that we would need two remote peers to have a 'failover' WAN connection.


Thank you for any info or suggestions.



#2 Micha Knorpp

Micha Knorpp
  • Members
  • 195 posts

Posted 27 May 2020 - 03:35 AM

Hi Greg,

IKE has this limitation. You cannot just build a second tunnel for the same subnets and peer, because it would establish identical SAs and Traffic Selectors.

That is why the 2 tunnels play ping-pong constantly.

It is possible to have such a setup (using 2 or more ISP lines to connect two sites in parallel) with TINA, but not with standard IKE. To use TINA, you would have to put a CloudGen VF at your Rackspace location.

I don't know if it is possible to set this up if you use a second WAN IP on the peer site, but if support tells you this could work, I would suppose they are right.

Additional measures for routing might be necessary anyway.


regards,
-micha-
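Two checks that follow from the explanation above, added here as an example and not code from the thread or from Barracuda: an audit of tunnel definitions that flags IKEv1 tunnels sharing the same peer and traffic selectors (the condition that produces colliding SAs), and a flap detector run over constructed VPN state-change log lines. The tunnel table, the addresses and the log format are all assumed.

```python
"""Constructed example: audit IKEv1 tunnel definitions for identical peer and
traffic selectors, and detect tunnel flapping in VPN state-change logs."""
from collections import defaultdict
from datetime import datetime
import ipaddress
import re

# Hypothetical tunnel definitions: (name, local WAN IP, peer IP, local subnet, remote subnet)
TUNNELS = [
    ("rackspace-primary", "198.51.100.10", "203.0.113.5", "10.10.0.0/24", "10.20.0.0/24"),
    ("rackspace-backup",  "192.0.2.20",    "203.0.113.5", "10.10.0.0/24", "10.20.0.0/24"),
    ("branch-office",     "198.51.100.10", "203.0.113.9", "10.10.0.0/24", "10.30.0.0/24"),
]

def duplicate_selectors(tunnels):
    """Group tunnels by (peer, local selector, remote selector); return groups with more than one member."""
    groups = defaultdict(list)
    for name, _local_wan, peer, lsub, rsub in tunnels:
        # Normalise subnets so 10.10.0.1/24 and 10.10.0.0/24 compare equal
        key = (peer, str(ipaddress.ip_network(lsub, strict=False)), str(ipaddress.ip_network(rsub, strict=False)))
        groups[key].append(name)
    return {k: v for k, v in groups.items() if len(v) > 1}

# Constructed log lines in an assumed "<timestamp> tunnel=<name> state=<up|down>" format
LOG = """\
2020-05-06T18:00:01 tunnel=rackspace-primary state=up
2020-05-06T18:00:09 tunnel=rackspace-backup state=up
2020-05-06T18:00:10 tunnel=rackspace-primary state=down
2020-05-06T18:00:18 tunnel=rackspace-primary state=up
2020-05-06T18:00:19 tunnel=rackspace-backup state=down
2020-05-06T18:00:27 tunnel=rackspace-backup state=up
2020-05-06T18:00:28 tunnel=rackspace-primary state=down
2020-05-06T18:00:40 tunnel=branch-office state=up
"""
LINE = re.compile(r"^(\S+) tunnel=(\S+) state=(up|down)$")

def flapping_tunnels(log_text, window_s=60, min_changes=3):
    """Return {tunnel: total state changes} for tunnels with >= min_changes changes in any window_s seconds."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            events[m.group(2)].append(datetime.fromisoformat(m.group(1)))
    flapping = {}
    for name, stamps in events.items():
        stamps.sort()
        for i in range(len(stamps) - min_changes + 1):
            if (stamps[i + min_changes - 1] - stamps[i]).total_seconds() <= window_s:
                flapping[name] = len(stamps)
                break
    return flapping
```

On the constructed data both Rackspace tunnels are reported as duplicates of each other and as flapping, while the branch-office tunnel is reported by neither check.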