5GT Dual Untrust VPN Failover

  • Just want to check that I am not going crazy.  One of those weeks.

    I am investigating setting up a 5GT in dual port untrust mode.  One untrust port would be a private IP (call it the Primary untrusted port), the other would be a public (call it the Secondary untrusted port).  The trusted ports would also be private.  I am wanting to set up several VPNs on the Primary Untrust and then if they fail, move over to the Secondary and set up some other VPNs.  I was wanting this to happen automatically.  I am rather certain the 5GT can handle this by the interface failover feature.

    I just want to make sure I am not totally off.  Thanks!


  • I thought that was the case.  Good to hear.  I knew that the SSG5 that we have would support all of this, but I could not remember if the 5GT would take care of it.  The unit I need to take care of it is back in storage at the remote office.  Time to shake the dust off!

    Thanks for all the info!


  • Nope, you’re not totally off… Your secondary Untrust interface will essentially remain down until the Primary fails… once it does, your secondary Untrust interface goes up and any VPNs configured with the secondary interface as the outgoing interface in your IKE gateway setup should get established (assuming you have the appropriate routing or a policy triggers the VPN establishment).