Hi Team,
I guess configuring VRRP will not achieve the redundancy for IPsec VPN. Does anyone have any alternative for configuring high availability in case of vpn failover?
If you’re using VRRP, you’re probably talking about having 2 devices in a single site to hold up the tunnel(s) for physical failover?
I would use VRRP on the inside, have each router bring up a GRE over IPsec tunnel independently and run OSPF (or similar) across each GRE tunnel and between the routers. You can also do this with multihoming for path HA.
Having each tunnel up and ready for failover is much faster than waiting for IPsec to time out and reconnect at both ends. With the right OSPF configuration, dead-interval minimal can be sub-second, usually not even noticeable; the default is 30 seconds, still much faster than most IPsec efforts. The VyOS GRE, OSPF and IPsec manuals should cover everything needed.
I use this kind of config with a DMVPN regularly, though that is usually pairing a private fibre WAN primary link and a DMVPN internet tunnel for backup (over whatever is available, like LTE).
Let me share the topology and we can discuss. I'm wondering how I would fail over from one device to the other in that case?
Well, VRRP handles failover for the internal gateway IP address. If either device fails, the other will pick up the virtual IP and continue routing traffic.
OSPF handles failover across the routed tunnels. If the main path or WAN interface drops out, the primary router will follow OSPF across the secondary router’s tunnel while still holding the VRRP VIP. If the primary router dies, in addition to the VRRP failover mentioned above, the other end will sense it as a lost path as well and redirect return traffic to the secondary router.
The idea with running 2 independent tunnels is to avoid the minutes-long wait for IPsec to realise the SA is dead and re-establish. It’s a good idea to have similarly redundant gear and connectivity at the other end as well. With default settings, OSPF will take ~40 seconds to sense the adjacency loss and switch paths, but this can be wound right down to about 1 second on VyOS. OSPF is constantly sending “hello” pings and route DB updates; this is how it senses path loss.
In most cases, you would pick the primary device then configure VRRP priorities and OSPF costs to favour it. A manual failover would consist of forcing VRRP preempt or adjusting costs on the inside interface and similar for OSPF - shutting OSPF on the tunnels or adjusting path cost and waiting a few seconds.
OSPF between the routers can be on a dedicated interface/VLAN or (if you trust it) the inside interface, but the routers would need to be in adjacency locally as well as with the remote tunnel endpoints for the solution to work.
However, this all assumes a site-to-site routed VPN. If you’re trying to set up a redundant IPsec hub or you need to use straight tunnel mode IPsec for some reason, you can ignore my rambling.
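As an added illustration of the design described in the replies above (VRRP on the inside, an independent GRE-over-IPsec tunnel per router, OSPF across the tunnels and between the routers), here is a configuration for the primary router R1 of a two-router site. This is not the poster's configuration; it is written in VyOS 1.3 `set` syntax, all addresses are constructed from the RFC 5737 documentation ranges, and the pre-shared key and OSPF key are placeholders. The assumed layout: eth0 is the WAN (R1 203.0.113.11, R2 203.0.113.12, default gateway 203.0.113.1), eth1 is the LAN 192.0.2.0/24 with the VRRP gateway 192.0.2.1, the remote site's endpoint is 198.51.100.10, and each router has its own /30 on its GRE tunnel.

```vyos
# R1 (primary). VyOS 1.3 syntax; addresses and keys are constructed placeholders.

# Inside: VRRP holds the LAN default gateway 192.0.2.1 on eth1.
# R2 uses priority 100. preempt-delay gives OSPF time to converge before
# a recovered R1 takes the VIP back.
set interfaces ethernet eth1 address '192.0.2.2/24'
set high-availability vrrp group LAN vrid '10'
set high-availability vrrp group LAN interface 'eth1'
set high-availability vrrp group LAN virtual-address '192.0.2.1/24'
set high-availability vrrp group LAN priority '200'
set high-availability vrrp group LAN preempt-delay '30'

# WAN
set interfaces ethernet eth0 address '203.0.113.11/24'
set protocols static route 0.0.0.0/0 next-hop '203.0.113.1'

# GRE tunnel to the remote site. R2 builds its own tunnel (e.g. 10.255.0.5/30).
# MTU 1400 leaves room for the GRE and ESP overhead.
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 local-ip '203.0.113.11'
set interfaces tunnel tun0 remote-ip '198.51.100.10'
set interfaces tunnel tun0 address '10.255.0.1/30'
set interfaces tunnel tun0 mtu '1400'

# IPsec in transport mode, protecting only GRE (IP protocol 47) between the
# two endpoints. DPD restarts the SA, but OSPF is what moves the traffic.
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec ike-group IKE-GRE key-exchange 'ikev2'
set vpn ipsec ike-group IKE-GRE proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-GRE proposal 1 hash 'sha256'
set vpn ipsec ike-group IKE-GRE proposal 1 dh-group '14'
set vpn ipsec ike-group IKE-GRE dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE-GRE dead-peer-detection interval '10'
set vpn ipsec ike-group IKE-GRE dead-peer-detection timeout '30'
set vpn ipsec esp-group ESP-GRE mode 'transport'
set vpn ipsec esp-group ESP-GRE proposal 1 encryption 'aes256gcm128'
set vpn ipsec esp-group ESP-GRE proposal 1 hash 'sha256'
set vpn ipsec site-to-site peer 198.51.100.10 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 198.51.100.10 authentication pre-shared-secret 'REPLACE_WITH_STRONG_PSK'
set vpn ipsec site-to-site peer 198.51.100.10 ike-group 'IKE-GRE'
set vpn ipsec site-to-site peer 198.51.100.10 local-address '203.0.113.11'
set vpn ipsec site-to-site peer 198.51.100.10 connection-type 'initiate'
set vpn ipsec site-to-site peer 198.51.100.10 tunnel 0 protocol 'gre'
set vpn ipsec site-to-site peer 198.51.100.10 tunnel 0 esp-group 'ESP-GRE'
set vpn ipsec site-to-site peer 198.51.100.10 tunnel 0 local prefix '203.0.113.11/32'
set vpn ipsec site-to-site peer 198.51.100.10 tunnel 0 remote prefix '198.51.100.10/32'

# OSPF: adjacency over tun0 to the remote site and over eth1 to R2.
# Everything else is passive. hello 1 / dead 3 detects a lost path in ~3 s
# instead of the 40 s default. R2 sets cost 20 on its tunnel so R1's is preferred.
# MD5 authentication stops an unexpected device on the LAN from forming an adjacency.
set protocols ospf parameters router-id '10.255.255.1'
set protocols ospf area 0 network '10.255.0.0/30'
set protocols ospf area 0 network '192.0.2.0/24'
set protocols ospf passive-interface 'default'
set protocols ospf passive-interface-exclude 'tun0'
set protocols ospf passive-interface-exclude 'eth1'
set protocols ospf interface tun0 network 'point-to-point'
set protocols ospf interface tun0 hello-interval '1'
set protocols ospf interface tun0 dead-interval '3'
set protocols ospf interface tun0 cost '10'
set protocols ospf interface tun0 authentication md5 key-id 1 md5-key 'REPLACE_WITH_OSPF_KEY'
set protocols ospf interface eth1 hello-interval '1'
set protocols ospf interface eth1 dead-interval '3'
set protocols ospf interface eth1 authentication md5 key-id 1 md5-key 'REPLACE_WITH_OSPF_KEY'
```

R2 is the same with its own WAN address (203.0.113.12), LAN address 192.0.2.3/24, VRRP priority 100, tunnel address 10.255.0.5/30, router-id 10.255.255.2 and tunnel cost 20; the remote site terminates both tunnels and runs the same OSPF timers on each. With both routers up, LAN traffic enters R1 via the VIP and leaves over tun0. If R1's WAN or tunnel drops, the tun0 adjacency expires after the 3 s dead interval and R1 forwards to R2 across eth1 while still holding the VIP; if R1 dies outright, VRRP moves the VIP to R2 and the remote site loses the adjacency on R1's tunnel at the same time, so return traffic follows R2's tunnel. To confirm the state before trusting the failover, check `show vrrp`, `show ip ospf neighbor` (expect one neighbour on tun0 and one on eth1) and `show vpn ipsec sa` on both routers, then pull R1's WAN cable and watch the neighbour table and routing table change.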