active/active IPsec with 2 ISPs?

Question

Hi,

is it possible to have an active/active IPsec connection between 2 UTMs (running on 9.3.x)?
Background is that in Site 2 the internet connections from both providers in not very stable...

Site 1:
ISP1: Ext. IP 217.x.x.1
ISP2: Ext. IP 218.x.x.1

Site 2:
ISP1: Ext. IP 219.x.x.1
ISP2: Ext. IP 220.x.x.1

Could you tell me how to set it up?
I guess I would need active/active uplink balancing and 2 IPsec connections on each site?

Many thanks for your help!

This thread was automatically locked due to age.

BAlfson · Answer

Salut ! 
 In fact, an active/active is done differently, but I don't think it's what you want. This has only been possible since a little more than three years ago. I copied a blog post by Michael Klehr here . I had intended to translate it into English, but it has so many pictures that I never took the time. 
 He creates two complete tunnels using two WAN connections in each site. The trick to this is binding the IPsec Connections on each side to a particular interface. This prevents WebAdmin from automatically creating routes for the traffic so that you can use Multipath rules to select which traffic goes over which tunnel. He uses Interface Groups because he wants all traffic to use one connection as a priority and only use the other instantaneously when the first tunnel fails. I don't think that's what you want. 
 The approach in the current thread is different. It creates one tunnel for VoIP traffic and a second one for all other traffic with each tunnel failing over to the other connection if there's a problem. You do not want to bind the tunnels to an interface when using this approach. 
 The only time you need a 'Respond only' gateway is when you don't know the IP/FQDN from which the other site is coming. 
 I'm better at seeing things with pictures of configurations as in Michael's blog, so I may not have followed your description. I suspect that you can use 'Initiate connection' every where and that you may have mixed up where to use Interface Groups and Availability Groups. If that hint doesn't resolve the issue, please post pictures of the Edits of the IPsec Connectiosn and Remote Gateways from both UTMs. 
 
 Cheers - Bob

ManuelAbeledo · Answer

Hi Thomas, 
 why not only build one tunnel. As SSL. Side 2 is client, side one is server. 
 So, if on side 2 provider 1 fails, the tunnel will be build over provider 2 and vice versa. 
 Load balancing over 2 tunnels to the same ip ranges isn't really possible. Two tunnels with the same destination range. How schould a firewall decide witch way it schould take? And takes the answer the same route?