VPN IPSEC REDUNDANT WAN1 WAN2
You can use route-based IPSec VPN tunnel interfaces to build a load balance or failover Trunk.
1. Build 4 IPSec VTI tunnels and interfaces:
USG A:wan1 - USG B:wan1 -> vti1
USG A:wan1 - USG B:wan2 -> vti2
USG A:wan2 - USG B:wan1 -> vti3
USG A:wan2 - USG B:wan2 -> vti4
You can refer to this KB: How can I configure IPSec site-to-site VPN by using VTI
https://kb.zyxel.com/KB/searchArticle!gwsViewDetail.action?articleOid=015634&lang=EN
2. Add VTI interface into a Trunk
Note:
You need to configure a connectivity check on each VTI interface first, pinging the peer VTI interface IP address, so that the system knows whether the tunnel is good or not.
(1) go to CONFIGURATION > Interface > Trunk > User Configuration > Add Trunk
(2) add vti1 ~ vti4 as active interface
3. Add policy route
Source: USG A subnets
Destination: USG B subnets
Next hop: the trunk you create in step 2
SNAT: none
Use the same concept to configure USG B.
1 -
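A simplified model of the setup in the reply above, added here as an illustration and not taken from the thread or from Zyxel's firmware: it shows which of the four VTI tunnels survive a WAN outage and what the trunk does with and without the per-VTI connectivity check. The function names and the plain weighted round robin are assumptions made for the example.

```python
from collections import Counter

# Tunnel mesh from step 1: VTI name -> (USG A WAN, USG B WAN)
TUNNELS = {
    "vti1": ("wan1", "wan1"),
    "vti2": ("wan1", "wan2"),
    "vti3": ("wan2", "wan1"),
    "vti4": ("wan2", "wan2"),
}


def connectivity_check(down_a=(), down_b=()):
    """Tunnels whose peer VTI address would still answer the ping check."""
    return [name for name, (a, b) in TUNNELS.items()
            if a not in down_a and b not in down_b]


def distribute(flows, down_a=(), down_b=(), check=True, weights=None):
    """Spread `flows` over the trunk; return (flows per tunnel, flows lost).

    check=True  : only tunnels passing the connectivity check stay in the trunk.
    check=False : every configured VTI stays a member, dead or not.
    Scheduling is a plain weighted round robin (assumption, not Zyxel's code).
    """
    weights = weights or {}
    alive = set(connectivity_check(down_a, down_b))
    members = [t for t in TUNNELS if t in alive or not check]
    slots = [t for t in members for _ in range(weights.get(t, 1))]
    carried, lost = Counter(), 0
    for i in range(flows):
        tunnel = slots[i % len(slots)] if slots else None
        if tunnel in alive:
            carried[tunnel] += 1
        else:
            lost += 1
    return dict(carried), lost


if __name__ == "__main__":
    print("all links up:         ", distribute(8))
    print("A:wan1 + B:wan2 down: ", distribute(8, {"wan1"}, {"wan2"}))
    print("A:wan1 down, no check:", distribute(8, {"wan1"}, check=False))
```

With the check disabled, half of the flows in the last case are sent into tunnels that are already dead, which is why the connectivity check has to be configured before the VTIs are added to the trunk.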
Thanks for the reply.
It is possible to do this without VTI.
Thank you
0 -
Hi @BlueTeam
VTI interface is required.
The traffic redundancy is controlled by “Trunk” setting.
It controls the load balancing algorithm (WRR/LLF/Spillover) on your VPN tunnel interfaces.
0