Hello all,
I would like to know if VyOS can perform a route failover between a LAN Ethernet route and an IPSec tunnel route. To be clear, this LAN Ethernet is an extended Ethernet line from Site A to Site B. This Extended LAN should be the primary route of this setup, while the IPSec tunnel should be the secondary standby for when the line gets cut or routers along its network path go down; when it comes up again, the route should go back to it as the primary.
Setup Inclusions:
- Site A (VyOS Site)
- Site B (Remote Site and the End Point of Both IPSec and Extended LAN)
Site A (VyOS Site)
*Interfaces
- Eth0: 10.0.4.88/24 (Extended LAN Line)
- Eth1: <Site A - ISP>
- Eth2: 10.3.3.1/24 (VyOS Users)
IP Route
S> 0.0.0.0/0 [200/0] via <Site A - ISP Gateway IP>, eth1, weight 1, 13:55:13
S 10.0.4.0/24 [1/0] via 10.0.4.254 inactive, weight 1, 13:55:13
C>* 10.0.4.0/24 is directly connected, eth0, 13:55:16
C>* 10.3.3.0/24 is directly connected, eth2, 13:55:15
C>* <Site A - ISP Network> is directly connected, eth1, 13:55:16
K * 192.168.252.0/24 [0/30] via <Site A - ISP Gateway IP>, eth1 onlink, 00:00:04
K>* 192.168.252.0/24 [0/10] via 10.0.4.254, eth0 onlink, 00:00:11
*Failover Route
Routing entry for 192.168.252.0/24
Known via "kernel", distance 0, metric 30
Last update 00:03:19 ago
- <Site A - ISP Gateway IP>, via eth1 onlink
Routing entry for 192.168.252.0/24
Known via "kernel", distance 0, metric 10, best
Last update 00:03:26 ago
- 10.0.4.254, via eth0 onlink
*IPSec
Site-B, IKEv2, <Site B - Public IP> (Connection Initiator)
Site-B-tunnel-1, IPsec, <Site B - Public IP>, 10.3.3.0/24, 192.168.252.0/24
close-action start
dead-peer-detection
action restart
interval 15
timeout 15
key-exchange ikev2
lifetime 60
proposal 1 {
    dh-group 31
    encryption aes256
    hash sha1
}
Site B (Remote Site and the End Point of Both IPSec and Extended LAN)
*IPSec (On Firewall)
Site-A, IKEv2, <Site A - Public IP> (Waiting for Initiator)
Site-A-tunnel-1, IPsec, <Site A - Public IP>, 192.168.252.0/24, 10.3.3.0/24
*Core Switch (Extended LAN end point)
- Eth1: 10.0.4.254/24
- Eth2: 192.168.252.1/24
Please know that I do not have any problem with the routing and connections; both Extended LAN and IPSec routing are working fine and all connections are going through. The main concerns are the following:
- Failover Route relationship between Extended LAN and IPSec
- Even though the metrics set on the Failover are low on the Extended LAN, IPSec still comes out as the primary connection
- IPSec Tunnel Behavior
- The IPSec Tunnel does not stay UP as a Standby Route
- The ideal goal would be to have this Failover as Active:Passive where the Extended LAN gets a cut along its network path, but the IPSec connection should be UP / active and is ready to take over.
- Currently, I have not seen the IPSec tunnel being active in the background, since VyOS always treats its route as the primary.
I hope anyone can help me on this and confirm if VyOS has such a capability.
Thank you!
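A repeatable way to read the FRR route output quoted in the post helps when checking which path is actually in use: in `show ip route`, `>` marks the selected route and `*` marks the entry installed in the FIB, so the `K>*` entry via 10.0.4.254 with metric 10 is the path currently taken and the `K *` entry via the ISP gateway with metric 30 is the standby. The script below is an added example, not part of the original post and not VyOS code. It parses a constructed copy of the post's route table (the ISP placeholders are replaced with the RFC 5737 documentation addresses 203.0.113.1 and 203.0.113.0/30, an assumption for the sample only) and reports, per prefix, the active entry, FIB-installed standbys, and candidates FRR itself marks `inactive`, so a check such as `check_preferred_path` can be run against the router's real `show ip route` output to confirm the Extended LAN is still the selected path.

```python
"""Parse FRR-style ``show ip route`` output and classify, per prefix,
which next-hop is selected (active), which entries are FIB-installed
standbys, and which candidates FRR marks inactive.

Added example; the table below is a constructed copy of the one in the
post, with ISP placeholders replaced by documentation addresses.
"""
import re

# Constructed sample: <Site A - ISP Gateway IP> -> 203.0.113.1 and
# <Site A - ISP Network> -> 203.0.113.0/30 are assumed stand-ins.
SAMPLE_ROUTE_TABLE = """\
S> 0.0.0.0/0 [200/0] via 203.0.113.1, eth1, weight 1, 13:55:13
S 10.0.4.0/24 [1/0] via 10.0.4.254 inactive, weight 1, 13:55:13
C>* 10.0.4.0/24 is directly connected, eth0, 13:55:16
C>* 10.3.3.0/24 is directly connected, eth2, 13:55:15
C>* 203.0.113.0/30 is directly connected, eth1, 13:55:16
K * 192.168.252.0/24 [0/30] via 203.0.113.1, eth1 onlink, 00:00:04
K>* 192.168.252.0/24 [0/10] via 10.0.4.254, eth0 onlink, 00:00:11
"""

# code letter, optional '>' (selected), optional '*' (in FIB), prefix, rest
_LINE_RE = re.compile(r"^([A-Z])\s*(>?)\s*(\*?)\s+(\S+/\d+)\s+(.*)$")
_DIST_RE = re.compile(r"\[(\d+)/(\d+)\]")
_IFACE_RE = re.compile(r"[A-Za-z][\w.-]*\d+")   # eth0, vti0, ... (not "weight")


def parse_route_line(line):
    """Return a dict for one route line, or None for legend/blank lines."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    code, sel, fib, prefix, rest = m.groups()
    entry = {
        "code": code, "prefix": prefix,
        "selected": sel == ">", "fib": fib == "*",
        "distance": None, "metric": None,
        "nexthop": None, "interface": None, "inactive": False,
    }
    d = _DIST_RE.search(rest)
    if d:
        entry["distance"], entry["metric"] = int(d.group(1)), int(d.group(2))
    fields = [f.strip() for f in rest.split(",")]
    if "directly connected" in fields[0]:
        # connected route: the interface follows the first comma
        if len(fields) > 1 and _IFACE_RE.fullmatch(fields[1].split()[0]):
            entry["interface"] = fields[1].split()[0]
    else:
        via = re.search(r"via (\S+)(.*)", fields[0])
        if via:
            entry["nexthop"] = via.group(1)
            # FRR prints "inactive" after the next-hop and omits the interface
            entry["inactive"] = "inactive" in via.group(2)
            if len(fields) > 1 and _IFACE_RE.fullmatch(fields[1].split()[0]):
                entry["interface"] = fields[1].split()[0]
    return entry


def parse_routes(text):
    """Parse a whole ``show ip route`` dump into a list of route dicts."""
    return [e for e in (parse_route_line(l) for l in text.splitlines()) if e]


def path_summary(routes, prefix):
    """Split the entries for one prefix into active, standby and inactive."""
    entries = [r for r in routes if r["prefix"] == prefix]
    return {
        "prefix": prefix,
        "active": [r for r in entries if r["selected"]],
        "standby": [r for r in entries if r["fib"] and not r["selected"]],
        "inactive": [r for r in entries if r["inactive"]],
    }


def check_preferred_path(routes, prefix, expected_interface):
    """True when exactly one route is selected for prefix and it leaves via
    expected_interface; use it to alarm when the standby path has taken over."""
    s = path_summary(routes, prefix)
    return len(s["active"]) == 1 and s["active"][0]["interface"] == expected_interface


def report(text, prefix):
    """Human-readable one-line-per-entry summary for a prefix."""
    s = path_summary(parse_routes(text), prefix)
    lines = []
    for kind in ("active", "standby", "inactive"):
        for r in s[kind]:
            lines.append(f"{prefix} {kind:8s} {r['code']} via {r['nexthop'] or 'connected'} "
                         f"dev {r['interface']} metric {r['metric']}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_ROUTE_TABLE, "192.168.252.0/24"):
        print(line)
    ok = check_preferred_path(parse_routes(SAMPLE_ROUTE_TABLE), "192.168.252.0/24", "eth0")
    print("extended LAN is the selected path:", ok)
```

The route table only tells you which next-hop the kernel selects; it does not show whether a policy-based IPsec tunnel is claiming the traffic first, because such a tunnel matches packets by its selectors (here 10.3.3.0/24 to 192.168.252.0/24) independently of which route wins. When scripting this check on the router, pair it with the tunnel state from `show vpn ipsec sa` so both the selected path and the standby tunnel are visible together.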