This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

VPN Tunnels, Uplink Balancing, Multipath rules, oh my

Howdy

We are adding (hopefully) a second WAN connection to the mix. The connection comes from a totally different provider, in this case CABLE. With that we have turned on UPLINK BALANCING and created a couple MULTIPATH RULES to route our WEB SURFING traffic and all is well, so we thought.

The problem is we have 2 site to site VPN tunnels in the mix. These tunnels go to external partners and were working flawlessly prior to turning on UPLINK BALANCING, to add more drama to the mix on one VPN tunnel we need to have various protocals running and the other has a WEB PORTAL

Needless to say this is adding some complexity to the mix I'm just not able to wrap my head around.

I have checked out many of the simplar threads but I've been unable to find anything that outlines what we need to do.

Do any of you by chance have some insight in to setting something like this up? Maybe know of a document that outlines this setep? Or just have a great idea you want to share?

As always, thanks for any and all help...

-Jayson

Edit --

Reading that again I feel I should add some more info.

Whats working
Uplink Balancing is working
Routing Web Surfing traffic out to the new Cable line is working

Whats not working
VPN tunnels are connected BUT are no longer usable. eg no taffic of any sort seems to be getting to or from the target host/networks

This thread was automatically locked due to age.

Parents

0 BAlfson over 13 years ago

The "trick" here is to use a Multipath rule with persistence by interface on the dual-WAN side and an 'Availability Group' on the other side.

On the dual-WAN side, change the 'IPsec Connection' to have 'Local Interface: Uplink Interfaces'. On the other side, in the 'Remote Gateway', into 'Gateway', put an 'Availability Group' that contains the IP favored by the Multipath rule first, and the other IP second.

Say, you have a location with WAN-1 (11.21.31.41) and WAN-2 (62.72.82.92), your Multipath rule in that location would be:
'Uplink Interfaces -> IPsec -> Any (or specific locations) : Persistence by Interface WAN-1'

In the other location, the 'Availability Group' above would contain, in order, Host definitions for 11.21.31.41 and 62.72.82.92.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 BAlfson over 13 years ago

The "trick" here is to use a Multipath rule with persistence by interface on the dual-WAN side and an 'Availability Group' on the other side.

On the dual-WAN side, change the 'IPsec Connection' to have 'Local Interface: Uplink Interfaces'. On the other side, in the 'Remote Gateway', into 'Gateway', put an 'Availability Group' that contains the IP favored by the Multipath rule first, and the other IP second.

Say, you have a location with WAN-1 (11.21.31.41) and WAN-2 (62.72.82.92), your Multipath rule in that location would be:
'Uplink Interfaces -> IPsec -> Any (or specific locations) : Persistence by Interface WAN-1'

In the other location, the 'Availability Group' above would contain, in order, Host definitions for 11.21.31.41 and 62.72.82.92.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Jayson over 13 years ago in reply to BAlfson

The "trick" here is to use a Multipath rule with persistence by interface on the dual-WAN side and an 'Availability Group' on the other side.

On the dual-WAN side, change the 'IPsec Connection' to have 'Local Interface: Uplink Interfaces'. On the other side, in the 'Remote Gateway', into 'Gateway', put an 'Availability Group' that contains the IP favored by the Multipath rule first, and the other IP second.

Cheers - Bob

The "OTHER IP" being the IP that currently resides in the REMOTE GATEWAY | GATEWAY box?
Cancel
Vote Up 0 Vote Down

Cancel
0 Jayson over 13 years ago in reply to BAlfson

The "trick" here is to use a Multipath rule with persistence by interface on the dual-WAN side and an 'Availability Group' on the other side.

On the dual-WAN side, change the 'IPsec Connection' to have 'Local Interface: Uplink Interfaces'. On the other side, in the 'Remote Gateway', into 'Gateway', put an 'Availability Group' that contains the IP favored by the Multipath rule first, and the other IP second.

Say, you have a location with WAN-1 (11.21.31.41) and WAN-2 (62.72.82.92), your Multipath rule in that location would be:
'Uplink Interfaces -> IPsec -> Any (or specific locations) : Persistence by Interface WAN-1'

In the other location, the 'Availability Group' above would contain, in order, Host definitions for 11.21.31.41 and 62.72.82.92.

Cheers - Bob

Ok let me clear up what I currently have. Chime in / edit what should be changed to make the above work.

Interfaces (On my local ASG)
WAN-1 = 222.111.000.123
WAN-1 = 222.111.000.125 (second IP)
WAN-2 = 222.111.000.124

Uplink Balancing
Active Interfaces
WAN-1
WAN-2

Multipath Rules
Internal-network01 -> any -> Various Nodes and Services -> WAN-1
Internal-network01 -> any -> 111.222.000.1 -> WAN-1
Internal-network01 -> Web Surfing -> ANY

Site-to-Site
IPSec Connection
Name - VPN01
Remote Gateway - VPN01 Peer
Local Interface - Uplink (was WAN-1 second IP)
Policy - VPN01 Policy
Local Networks - Internal-network01
AFR - X
SR - X

IPSec Connection
Name - VPN02
Remote Gateway - VPN02 Peer
Local Interface - Uplink (was WAN-1 second IP)
Policy - VPN02 Policy
Local Networks - Internal-network01
AFR - X
SR - X

Remote Gateways
Name - VPN01 Peer
Gateway type - Initiate connection
Gateway - Availability group (111.222.111.222)
Authentication type - X
Key - X
Repeat - X
VPN IP type - IP Address
VPN ID - [blank]
Remote networks - 111.222.000.0 | 111.222.001.0

Name - VPN02 Peer
Gateway type - Initiate connection
Gateway - Availability group (222.111.222.111)
Authentication type - X
Key - X
Repeat - X
VPN IP type - IP Address
VPN ID - [blank]
Remote networks - 111.222.000.1

Red - shows my confusion points
Cancel
Vote Up 0 Vote Down

Cancel