IPSec tunnel using the VRRP virtual IP address

Hi All

I have two VyOS devices in a VRRP cluster, on their external interfaces.
Is it possible (or should it be possible) to use the VRRP virtual IP as an IPSec tunnel peer IP address?

Hi @sinaowolabi, if you use a VRRP address as an IPsec source, this may cause issues with re-establishing tunnels due to a non-existing IP address on the Backup VRRP router while the configuration is applied. However, you can use a VRRP transition script, for example, that will reload your IPsec whenever your Backup node becomes Master and vice versa (though it is not guaranteed that the remote peer will be able to re-establish the tunnel immediately; basically you’ll need to use DPD for faster convergence, and some additional tricks might also be required).

Try to build a lab and see what the appropriate way is for your case. I believe you’ll be able to find this out quickly.
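
One way to write the transition script the reply above mentions, as an added example that is not part of the original thread and is not VyOS code: on becoming Master it waits until the virtual IP is actually configured before reloading IPsec. The VIP `192.0.2.10`, the `ipsec restart` reload command, and passing the new VRRP state as the first argument are assumptions to adapt to your setup.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: the hook receives the new
# VRRP state as $1; VIP, ADDR_CMD and IPSEC_RELOAD are placeholders to adapt.
VIP="${VIP:-192.0.2.10}"                       # constructed VIP (TEST-NET-1)
ADDR_CMD="${ADDR_CMD:-ip -o -4 addr show}"     # lists local IPv4 addresses
IPSEC_RELOAD="${IPSEC_RELOAD:-ipsec restart}"  # assumed strongSwan reload command
VIP_WAIT_TRIES="${VIP_WAIT_TRIES:-10}"         # one-second polls before giving up

log() { logger -t vrrp-ipsec "$*" 2>/dev/null || echo "vrrp-ipsec: $*" >&2; }

# True when the VIP is configured locally (fixed-string match, "/" ends the IP).
vip_present() { $ADDR_CMD 2>/dev/null | grep -qF "inet ${VIP}/"; }

# Poll until the VIP shows up; fail after VIP_WAIT_TRIES attempts.
wait_for_vip() {
    tries=0
    while [ "$tries" -lt "$VIP_WAIT_TRIES" ]; do
        if vip_present; then return 0; fi
        tries=$((tries + 1))
        sleep 1
    done
    return 1
}

handle_transition() {
    state=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    case "$state" in
        MASTER)
            # Reload only once the source address exists, otherwise IPsec
            # would again load a config that points at a missing address.
            if wait_for_vip; then
                log "VIP $VIP present, reloading IPsec"
                $IPSEC_RELOAD
            else
                log "VIP $VIP still absent, IPsec left untouched"
                return 1
            fi ;;
        BACKUP|FAULT)
            # "And vice versa": drop tunnel state tied to the VIP we gave up.
            log "state $state: VIP released, reloading IPsec"
            $IPSEC_RELOAD ;;
        *)
            log "unknown VRRP state '$1'"
            return 2 ;;
    esac
}

if [ "$#" -gt 0 ]; then handle_transition "$1"; fi
```

A non-zero exit on the Master path means the address never appeared within the wait window, which is worth alerting on because the tunnel will stay down until IPsec is reloaded.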