Configure a route-based VPN failover with two ISP connections
You can configure failover between route-based VPNs created over two different Internet Service Providers (ISPs), for example, ISP1 and ISP2. If ISP1 goes down, the connection fails over to ISP2.
To configure a route-based VPN failover with two ISP connections, you must do as follows:
- Configure the route-based VPN connections.
- Configure the XFRM interfaces and gateway hosts.
- Configure an SD-WAN route.
- Set the route precedence.
Configure the route-based VPN connections
To configure the route-based VPN connections, do as follows:
- On your head office (HO) firewall, create a route-based VPN tunnel between your HO and branch office (BO) firewalls for ISP1. See Create a route-based VPN (any to any subnets).
- On your HO firewall, create a route-based VPN tunnel between your HO and branch office (BO) firewalls for ISP2. See Create a route-based VPN (any to any subnets).
To review your VPNs, go to Site-to-site VPN > IPsec.
Configure the XFRM interfaces and gateway hosts
You must assign an IP address to each XFRM interface and create a gateway host for each.
- Go to Network > Interfaces and expand the WAN interface used to create the IPsec connection. You see the XFRM interfaces automatically created for the tunnels. For example, you see xfrm1 and xfrm2 for HO and xfrm1 for BO.
- Assign an IP address to each XFRM interface as follows:
- Go to Routing > Gateways and create gateway hosts for each XFRM interface. See Add a gateway.
  When you're creating a gateway host, for Interface, select the corresponding XFRM interface.
Configure an SD-WAN route
Do as follows:
- Go to Routing > SD-WAN routes and create an SD-WAN route. See Add an SD-WAN route.
  When you're creating an SD-WAN route, do as follows:
  - Under Link selection settings, select Primary and Backup gateways.
  - For Primary gateway, select the gateway host you created for ISP1.
  - For Backup gateway, select the gateway host you created for ISP2.
Set the route precedence
You must set the route precedence with sdwan_policyroute first, so that SD-WAN routes are evaluated before static and VPN routes.
On the command-line interface, do as follows:
- Enter 4 for Device console.
- To set the route precedence with sdwan_policyroute as the first, enter the following command:
  system route_precedence set sdwan_policyroute static vpn
- To check the route precedence, enter the following command:
  system route_precedence show