VPN tunnel in main/standy mode

Hi all,

Is it possible, and how, to configure a vyos router to use two VPN ipsec tunnels to two different routeurs of a a same remote network, using one as “main” vpn (in ‘up’ state) and the other as “standby” (in ‘down’ state, while the main is OK, and which will go up if the first one fails ?)

For example:
Local network: 10.10.10.0/24
Local vyos: 10.10.10.254
One internet connection (however, with two it may be the same…)

Remote network: 10.11.11.0/24
Remote gateway 1: 170.170.170.170
Remote gateway 2: 230.230.230.230

The 2 remote gateways are not configurable, as they are AWS VPN gateways.
The answer could be to use BGP, however this is not desirable for security reasons… And OSPF is not usable since we can’t change the remote gateways configuration…

So, is it possible in vyos:

  • to set 2 VPN tunnels with 2 different peers, but keeping one in ‘up’ while the other in ‘down’ state for standby ? (to have only one tunnel in “up” state at a time)
  • to regularly check if the vpn tunnel 1 is up, and if it goes down, to activate the 2nd tunnel so it becomes available (‘up’ state) ?

Thank you !
Regards

Hi Smiley,

I don’t think that this configuration will work.
One way to accomplish it is to deploy VyOS in AWS, build IPSec VTIs and configure OSPF to advertise remote networks.

Thanks for reply,

Ok !
Well, it seems that this is possible in some cisco environments…
I think that implementing such a feature would be useful on VyOS, in some network cases !