Policy based Routing with zscaler and tunnel monitor to failover

blason · March 2, 2022, 9:06am

Hi Team,

I am going to configure the vyos router instance on one of our server so that I can create two tunnels with zscaler as mentioned in this diagram and which can monitor the tunnel. In case of failure of one tunnel traffic will then be routed to other Tunnel. These are Policy based tunnel and wondering if we can achieve the same with Vyos?

TIA
Blason R

blason · March 2, 2022, 10:57am

Is it possible to monitor the VPN tunnel and failover of any of the VPN or tunnel fails?

e.khudiyev · March 2, 2022, 12:23pm

hi @blason I think you need route-based ipsec VPN with vti interfaces to achieve what you want. Static or dynamic routing will be required to manage the traffic flow during failover.

blason · March 2, 2022, 12:50pm

So can we achieve using Policy based vpn tunnels? How do I monitor the tunnels with DPD?

e.khudiyev · March 2, 2022, 1:02pm

@blason no I don’t think that it could be achieved using Policy-based VPN tunnels. DPD will allow you to detect a connectivity failure but to switch the traffic between failed and active tunnels you’ll need to use static routing with different preferences/metrics or dynamic routing protocols such as OSPF or BGP.

blason · March 2, 2022, 1:30pm

I guess different metrics should solve the purpose; let me try though.

Viacheslav · March 13, 2022, 9:26am

If the local/remote traffic selectors the same you can try to use priority

vyos@r16-roll# set vpn ipsec site-to-site peer FOO tunnel 1 priority 
Possible completions:
   <1-100>      Priority for IPSec policy (lowest value more preferable)

blason · March 14, 2022, 2:21am

Hi @Viacheslav Is this command available in 1.2 or 1.4?

blason · March 14, 2022, 3:12am

As per phabricator seems this feature is available on 1.4 and wondering if 1.4 is stable? Is there a procedure to build 1.4 ISO? I went through the documentation of building ISO and seems that contains a procedure till 1.3 not sure thought whether this would apply for 1.4 as well?

Nikolay · March 14, 2022, 3:20am

1.4 is not a stable release. It’s a release that introduces new functionality. But it could work for you. There are many users of this version. You can download it here:
https://vyos.net/get/nightly-builds/
Of course, for production, it is recommended that you use the stable images with support built by the VyOS team (1.3.0 at the moment).

blason · March 14, 2022, 3:22am

Yes - Correct. However wondering if the solution provided by you; whether thats available in 1.3 build as well? So that I can build the 1.3 ISO or that is available only in 1.4?

Nikolay · March 14, 2022, 4:03am

this command is not currently available in 1.3:
set vpn ipsec site-to-site peer FOO tunnel 1 priority
so if you need it right now, you should use 1.4

blason · March 17, 2022, 4:57pm

I already did try that scenario but wondering how do I detect the first tunnel is down? So that traffic will be switched over?

Nikolay · March 19, 2022, 1:55am

IPsec has built-in keepalive mechanisms
But it is better to use dynamic routing for failover purposes

blason · March 19, 2022, 3:24am

Correct - I guess DPD wont help me here but wondering then what is the use of giving priority?

Nikolay · March 19, 2022, 3:31am

I haven’t tried this functionality yet.
It seems to make sense if we have 2 tunnels with the same traffic selectors