Route Failover LAN Ethernet to IPSec Tunnel

Hello all,

I would like to know if VyOS can perform a Route Failover between a LAN Ethernet route and an IPSec Tunnel route. To be clear, this LAN Ethernet is an extended Ethernet line from Site A to Site B, and this Extended LAN should be the Primary Route of this setup, while the IPSec Tunnel should be the Secondary Standby for when the line gets cut or routers along its network path go down; but when it comes back up, the route should go back to it as the Primary.

Setup Inclusions:

  • Site A (VyOS Site)
  • Site B (Remote Site and the End Point of Both IPSec and Extended LAN)

Site A (VyOS Site)
*Interfaces

  • Eth0: 10.0.4.88/24 (Extended LAN Line)
  • Eth1: <Site A - ISP>
  • Eth2: 10.3.3.1/24 (VyOS Users)

IP Route
S> 0.0.0.0/0 [200/0] via <Site A - ISP Gateway IP>, eth1, weight 1, 13:55:13
S 10.0.4.0/24 [1/0] via 10.0.4.254 inactive, weight 1, 13:55:13
C>* 10.0.4.0/24 is directly connected, eth0, 13:55:16
C>* 10.3.3.0/24 is directly connected, eth2, 13:55:15
C>* <Site A - ISP Network> is directly connected, eth1, 13:55:16
K * 192.168.252.0/24 [0/30] via <Site A - ISP Gateway IP>, eth1 onlink, 00:00:04
K>* 192.168.252.0/24 [0/10] via 10.0.4.254, eth0 onlink, 00:00:11

*Failover Route
Routing entry for 192.168.252.0/24
Known via “kernel”, distance 0, metric 30
Last update 00:03:19 ago

  • <Site A - ISP Gateway IP>, via eth1 onlink

Routing entry for 192.168.252.0/24
Known via “kernel”, distance 0, metric 10, best
Last update 00:03:26 ago

  • 10.0.4.254, via eth0 onlink

*IPSec
Site-B, IKEv2, <Site B - Public IP> (Connection Initiator)
Site-B-tunnel-1, IPsec, <Site B - Public IP>, 10.3.3.0/24, 192.168.252.0/24
close-action start
dead-peer-detection
action restart
interval 15
timeout 15

key-exchange ikev2
lifetime 60
proposal 1 {
    dh-group 31
    encryption aes256
    hash sha1
}

Site B (Remote Site and the End Point of Both IPSec and Extended LAN)
*IPSec (On Firewall)
Site-A, IKEv2, <Site A - Public IP> (Waiting for Initiator)
Site-A-tunnel-1, IPsec, <Site A - Public IP>, 192.168.252.0/24, 10.3.3.0/24

*Core Switch (Extended LAN end point)

  • Eth1: 10.0.4.254/24
  • Eth2: 192.168.252.1/24

Please know that I do not have any problem with the routing and connections; both Extended LAN and IPSec routing are working fine and all connections are going through. The main concerns on this are the following:

  1. Failover Route relationship between Extended LAN and IPSec
     • Even though the metrics set on the Failover are low on the Extended LAN, IPSec still comes out as the primary connection
  2. IPSec Tunnel Behavior
     • The IPSec Tunnel does not stay UP as a Standby Route
     • The ideal goal would be to have this Failover as Active:Passive, where the Extended LAN gets cut along its network path but the IPSec connection is UP / active and ready to take over.
     • Currently, I have not seen the IPSec Tunnel being active in the background, since VyOS always treats its route as the Primary.

I hope anyone can help me on this and confirm whether VyOS has such a capability.
Thank you!

Go for route-based instead of policy-based IPsec. Policy-based creates an extra route table, overruling the default route table,
whereas route-based (VTI) gives an extra interface where you can create manual routes. Even better, use a routing protocol (OSPF) on both links (extended eth and IPsec VTI).


Hi,

Thanks for the response!
I haven’t actually had a chance to use OSPF and IPSec VTI yet; can you confirm my questions below?

  1. Does OSPF require to be configured on both ends? For example, on the Extended LAN of Site B to Site A (Core Switch)? Or does only the VyOS site have to enable this feature?

  2. Same goes for the IPSec VTI: does it have to be configured on both sites, the VyOS and the firewall?

  3. Lastly, can I call out the IPSec VTI interface on the ‘protocol failover’ feature?

Thank you!

1: You do need OSPF on both ends; both ends exchange OSPF messages to become neighbors and learn routes.
2: The remote site needs VTI too; both ends of the tunnel need the same protocols (some devices/setups can’t do VTI; then use its predecessor, IPsec on a GRE tunnel).
3: I think you might use LB logic on VTI too, but I wouldn’t recommend it.
If you control both ends of the links, a routing protocol is better suited.
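The route-based (VTI) setup both replies recommend, written out for the VyOS side as an added example that is not from this thread or the VyOS project. VyOS 1.4 syntax is assumed; the group and peer names (IKE-SITEB, ESP-SITEB, SITEB), the VTI transit net 10.255.0.0/30 and the PSK are placeholders, and the thread's own <Site A/B - Public IP> placeholders are reused. The crypto parameters are carried over from the original post.

```vyos
# Added example (VyOS 1.4 syntax assumed), not the thread's own configuration.
# Placeholders: IKE-SITEB / ESP-SITEB / SITEB names, 10.255.0.0/30 transit net,
# <PSK-PLACEHOLDER>; <Site A/B - Public IP> are the thread's own placeholders.

# IKE/ESP parameters carried over from the original policy-based setup
set vpn ipsec interface eth1
set vpn ipsec ike-group IKE-SITEB key-exchange ikev2
set vpn ipsec ike-group IKE-SITEB lifetime 60
set vpn ipsec ike-group IKE-SITEB close-action start
set vpn ipsec ike-group IKE-SITEB dead-peer-detection action restart
set vpn ipsec ike-group IKE-SITEB dead-peer-detection interval 15
set vpn ipsec ike-group IKE-SITEB dead-peer-detection timeout 15
set vpn ipsec ike-group IKE-SITEB proposal 1 dh-group 31
set vpn ipsec ike-group IKE-SITEB proposal 1 encryption aes256
set vpn ipsec ike-group IKE-SITEB proposal 1 hash sha1   # as in the thread; sha256 is preferable if Site B supports it
set vpn ipsec esp-group ESP-SITEB mode tunnel
set vpn ipsec esp-group ESP-SITEB proposal 1 encryption aes256
set vpn ipsec esp-group ESP-SITEB proposal 1 hash sha1

# Pre-shared key, keyed on both peers' public addresses
set vpn ipsec authentication psk SITEB id <Site A - Public IP>
set vpn ipsec authentication psk SITEB id <Site B - Public IP>
set vpn ipsec authentication psk SITEB secret <PSK-PLACEHOLDER>

# VTI: the tunnel becomes a routable interface instead of an XFRM policy,
# so ordinary routes (and their metrics) decide which path carries traffic
set interfaces vti vti0 address 10.255.0.1/30
set interfaces vti vti0 description 'Site-B-tunnel'
set vpn ipsec site-to-site peer SITEB authentication mode pre-shared-secret
set vpn ipsec site-to-site peer SITEB connection-type initiate
set vpn ipsec site-to-site peer SITEB ike-group IKE-SITEB
set vpn ipsec site-to-site peer SITEB local-address <Site A - Public IP>
set vpn ipsec site-to-site peer SITEB remote-address <Site B - Public IP>
set vpn ipsec site-to-site peer SITEB vti bind vti0
set vpn ipsec site-to-site peer SITEB vti esp-group ESP-SITEB

# Active/passive: the extended-LAN route (metric 10) stays preferred while the
# core switch (10.0.4.254 per the thread) answers ARP across the extended line;
# when it stops answering, the VTI route (metric 30) takes over, and the LAN
# route returns automatically once the check succeeds again. The tunnel itself
# stays up the whole time because it is no longer tied to a traffic policy.
set protocols failover route 192.168.252.0/24 next-hop 10.0.4.254 interface eth0
set protocols failover route 192.168.252.0/24 next-hop 10.0.4.254 metric 10
set protocols failover route 192.168.252.0/24 next-hop 10.0.4.254 check target 10.0.4.254
set protocols failover route 192.168.252.0/24 next-hop 10.0.4.254 check type arp
set protocols failover route 192.168.252.0/24 next-hop 10.255.0.2 interface vti0
set protocols failover route 192.168.252.0/24 next-hop 10.255.0.2 metric 30
set protocols failover route 192.168.252.0/24 next-hop 10.255.0.2 check target 10.255.0.2
set protocols failover route 192.168.252.0/24 next-hop 10.255.0.2 check type icmp
```

As the replies note, the Site B firewall must terminate the matching VTI end (10.255.0.2/30 here) with its own route for 10.3.3.0/24 over the tunnel, otherwise the tunnel will not come up.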

Hi,

Unfortunately, I do not have control over both ends. As VyOS IPSec overrules the default routing table, I don’t think I can use VyOS to achieve my goal.

Thanks for your help though, I appreciate it.
