Help vpn ipsec ha best practices

Good evening,
I am trying to understand which could be the best way to create an HA setup between a remote VPN server (for example a single FortiGate) and two local VyOS VPN servers.
Do I need to create two distinct IPsec SAs, between FortiGate and vyos-1 and between FortiGate and vyos-2, and then how can I manage routing to and from local nets?
Or is there a better way?

Any blog or article is appreciated.

Thank you.

Hello,

I’m not sure about best practices, but I use the floating IP address from VRRP as the destination address in the VPN. When the routers switch roles, I have a script do a “restart vpn” that allows the new primary router to start up the VPN. The backup router will also try to start the VPN, but that fails because the backup router doesn’t own the IP address any more.

I suppose a better way might be to use the transition script to modify the configuration to enable/disable the VPN on transition. For that method, see this post (also includes my quick-and-dirty method).
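The VRRP transition script described in the reply above, written out as an added example (not the poster's own script and not VyOS project code). It assumes the IPsec tunnel's local address is the VRRP floating IP, that VyOS calls the script with the new VRRP state (MASTER, BACKUP or FAULT) as the first argument, which matches the keepalived-style convention but should be checked against the VyOS release in use, and that `restart vpn` is reachable through the op-mode wrapper `/opt/vyatta/bin/vyatta-op-cmd-wrapper`. The VIP `203.0.113.10` and the script path in the comment are constructed placeholders. Unlike the quick-and-dirty method, it checks that the floating IP is actually bound locally before restarting, so the backup router never attempts a restart that is bound to fail:

```shell
#!/bin/sh
# Hypothetical VRRP transition script for a VyOS router terminating IPsec on the VRRP VIP.
# Assumed hook-up (path is a placeholder):
#   set high-availability vrrp group <name> transition-script master /config/scripts/vpn-transition.sh
#   set high-availability vrrp group <name> transition-script backup /config/scripts/vpn-transition.sh
# Assumed calling convention: new VRRP state is passed as $1 (MASTER, BACKUP or FAULT).

VIP="${VIP:-203.0.113.10}"   # constructed example: the floating IP used as IPsec local-address
# Assumed op-mode wrapper for "restart vpn"; overridable so the script can be exercised offline.
RESTART_CMD="${RESTART_CMD:-/opt/vyatta/bin/vyatta-op-cmd-wrapper restart vpn}"
LOGGER="${LOGGER:-logger -t vpn-transition}"

# Map a VRRP state to an action. Pure function: prints restart | noop | unknown.
vpn_action_for_state() {
    case "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" in
        MASTER)       echo restart ;;
        BACKUP|FAULT) echo noop ;;
        *)            echo unknown ;;
    esac
}

# Return 0 if the VIP appears as an "inet" address in the supplied `ip -4 addr` output.
# Takes the output as an argument so it can be tested without a live interface.
vip_in_addr_output() {
    vip="$1"
    addrs="$2"
    printf '%s\n' "$addrs" | grep -Fq "inet ${vip}/"
}

# Act on a transition: restart IPsec only when this node now owns the VIP.
handle_transition() {
    state="$1"
    action=$(vpn_action_for_state "$state")
    case "$action" in
        restart)
            if vip_in_addr_output "$VIP" "$(ip -4 addr show 2>/dev/null)"; then
                $LOGGER "VRRP $state: $VIP is bound locally, restarting IPsec"
                $RESTART_CMD
            else
                # keepalived may not have attached the VIP yet; log it rather than fail silently.
                $LOGGER "VRRP $state: $VIP not bound locally, skipping restart"
                return 1
            fi
            ;;
        noop)
            $LOGGER "VRRP $state: nothing to do"
            ;;
        *)
            $LOGGER "VRRP state '$state' not recognised"
            return 2
            ;;
    esac
}

# Only dispatch when invoked with a state argument (keeps the functions reusable).
if [ -n "${1:-}" ]; then
    handle_transition "$1"
fi
```

The BACKUP and FAULT branches deliberately do nothing: the SAs on the node that lost the VIP become unusable on their own, and the FortiGate side only ever sees one peer address, so it needs no second tunnel definition for this scheme.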
