Hello,
I have three sites that I am connecting and each site has an XG running 18.5. Each site has two Internet connections - a primary faster link and a secondary slower link. Thus far, I have two of the sites connected using IPSec Tunnel interfaces and then SD-WAN policy routing and I am able to pass traffic successfully between the two sites. However, I am wondering if this is the best way to design this WAN.
At my remote site, I created an IPSec Tunnel connection from each of the two connections there to the primary connection at the main site. Naturally, two xfrm interfaces were created at the remote site and I'll end up with a total of four xfrm interfaces when I build the IPSec tunnels from the two remote site connections to the backup connection at the main site. Meanwhile, at the main site end, I'm going to end up with a total of eight xfrm interfaces - four going to site A and four going to site B. Is this the best way to go about this?
My goals are to provide VPN resiliency if any one of the links fails and to have both links used simultaneously to pass traffic across the tunnel (hopefully with the XG determining the best path to use at any given moment). With the SD-WAN routing, I configured primary and backup gateways and those appear to be keeping the tunnels alive when I fail one of the links. But I'm not sure if both of the links are getting used simultaneously or if the backup link will only get used when the primary link fails.
Am I better off continuing down the road of IPSec tunnel interfaces and SD-WAN policy routes, or should I consider traditional IPSec site-to-site tunnels and then utilize the failover groups to prioritize which connection to use first, second, third, and fourth? I considered going down this route initially, but it seemed to me that the backup links would never get utilized, and so I went in the direction of IPSec Tunnel Interfaces instead.
Thank you for your consideration!
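A practical check for the open question in the post (whether the backup tunnel carries traffic while the primary link is up, or only after a failover), added here as an example and not part of the original post or of Sophos's own tooling: sample the byte counters of each xfrm tunnel interface twice, a few seconds apart, and compare the rates. It assumes a Linux-style /proc/net/dev is readable from the firewall's shell (XG is Linux-based; this is an assumption) and that the tunnel interfaces are named xfrm1 and xfrm2, which are placeholder names. The two snapshots embedded below are constructed sample data; run live_check() on a real box to sample the actual counters.

```python
"""Do both IPsec tunnels carry traffic? Compare /proc/net/dev counters.

Added example, not code from the original post. Interface names
(xfrm1, xfrm2, Port1) are placeholders; the snapshots are constructed.
"""
import time

# Constructed /proc/net/dev snapshots, taken 5 seconds apart. Column
# layout follows the kernel: 8 receive fields, then 8 transmit fields.
SNAPSHOT_T0 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
 xfrm1: 1000000    1000    0    0    0     0          0         0  2000000    2000    0    0    0     0       0          0
 xfrm2:  500000     500    0    0    0     0          0         0   500000     500    0    0    0     0       0          0
 Port1: 9000000    9000    0    0    0     0          0         0  9000000    9000    0    0    0     0       0          0
"""

SNAPSHOT_T1 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
 xfrm1: 1500000    1500    0    0    0     0          0         0  3000000    3000    0    0    0     0       0          0
 xfrm2:  500000     500    0    0    0     0          0         0   500000     500    0    0    0     0       0          0
 Port1: 9700000    9700    0    0    0     0          0         0  9900000    9900    0    0    0     0       0          0
"""

SAMPLE_INTERVAL = 5.0  # seconds between the two constructed snapshots


def parse_proc_net_dev(text):
    """Return {interface: (rx_bytes, tx_bytes)} from /proc/net/dev text.

    Header lines carry no ':' and are skipped; the name may be glued to
    the first counter ("eth0:1234"), so split on the first ':' only.
    """
    counters = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        name, rest = line.split(":", 1)
        fields = rest.split()
        if len(fields) < 16:  # malformed line; ignore rather than crash
            continue
        counters[name.strip()] = (int(fields[0]), int(fields[8]))
    return counters


def per_interface_rates(before, after, interval, prefix="xfrm"):
    """Bytes/second (rx, tx) for every tunnel interface present in both samples."""
    rates = {}
    for name, (rx1, tx1) in after.items():
        if not name.startswith(prefix) or name not in before:
            continue
        rx0, tx0 = before[name]
        rates[name] = ((rx1 - rx0) / interval, (tx1 - tx0) / interval)
    return rates


def classify(rates, threshold_bps=1000.0):
    """Label the tunnel set: load-shared, single-path or idle.

    A tunnel counts as active if either direction exceeds threshold_bps,
    so IKE keepalives alone (a few bytes/s) do not count as traffic.
    """
    active = sorted(n for n, (rx, tx) in rates.items()
                    if max(rx, tx) >= threshold_bps)
    if len(active) >= 2:
        return "load-shared", active
    if len(active) == 1:
        return "single-path", active
    return "idle", active


def live_check(interval=5.0, path="/proc/net/dev", prefix="xfrm"):
    """Sample the real counters twice and classify (needs a Linux shell)."""
    with open(path) as f:
        before = parse_proc_net_dev(f.read())
    time.sleep(interval)
    with open(path) as f:
        after = parse_proc_net_dev(f.read())
    return classify(per_interface_rates(before, after, interval, prefix))


if __name__ == "__main__":
    rates = per_interface_rates(parse_proc_net_dev(SNAPSHOT_T0),
                                parse_proc_net_dev(SNAPSHOT_T1),
                                SAMPLE_INTERVAL)
    verdict, active = classify(rates)
    for name, (rx, tx) in sorted(rates.items()):
        print(f"{name}: rx {rx:.0f} B/s, tx {tx:.0f} B/s")
    print(f"verdict: {verdict}, active tunnels: {active}")
```

In the constructed sample only xfrm1 moves while xfrm2 stays flat, which is the "backup used only on failure" outcome; a primary/backup gateway pair in an SD-WAN policy route is expected to look like this, and a result of "load-shared" during a bulk transfer is what would confirm that both links are in use at the same time. Run the sample with the test traffic flowing, then again with the primary link pulled, to see the active set change.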
This thread was automatically locked due to age.