Site-to-Site VPN with redundant links

  • Hi,
    I have a need to connect 2 SSG-320s, each located on a different site, with a site-to-site VPN. In order to increase reliability and to have some sort of load balancing (optional, not a must) we have 2 lines between those sites. Is such a configuration supported? If so, could you advise?
    I'll appreciate having help on this one.
    Thanks, m.

  • Global Moderator

    ECMP definitely works. But: ScreenOS follows a strict round-robin principle on a per-session basis. So if you have unequal-speed lines, the fastest won't be used fully.

    Basically it's rather simple:

    You define two VPNs, making sure routing between the endpoints (the IKE and outside ESP headers) follows the right provider.

    To each VPN you bind a tunnel interface, numbered if you want to use OSPF.
    Don't forget to enable monitoring on the VPN; with this, failure of the VPN will bring the tunnel interface down, so don't use one tunnel interface for multiple VPNs in this case.

    In your routing table you define what should happen:

    If you want to use two active tunnels (remember what I wrote above, session round-robin):

    • Select 2 ECMP routes on VR level.
    • Select allow asymmetric VPN on zone level.
    • Make sure you get two equal routes in your routing table, either statically defined or from any dynamic routing protocol; as long as the metric and preference are the same it will work.

    If you plan to use unequal lines:
    Define routes with different costs, or configure OSPF to do this for you.
    When the primary VPN fails, monitoring brings down the tunnel interface, the route becomes inactive (as long as you don't select permanent route!) and the second-best route becomes active.

    Hope this helps.

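The procedure above, written out as a ScreenOS CLI configuration for one side of the link. This is an added example, not the moderator's own configuration: every address, interface name, tunnel number, gateway/VPN name and pre-shared key is constructed for illustration, and the `#` lines are reader comments, not CLI input. It assumes provider A terminates on ethernet0/2 and provider B on ethernet0/3, that the remote site advertises 10.20.0.0/16 behind the tunnels, and that the routes live in trust-vr.

```screenos
# Site A. Provider A = ethernet0/2 (next hop 198.51.100.1),
# provider B = ethernet0/3 (next hop 192.0.2.1). All values constructed.

# 1. Pin each remote IKE/ESP endpoint to its own provider with a host route,
#    so the outer headers of VPN A leave via line A and VPN B via line B.
set route 203.0.113.10/32 interface ethernet0/2 gateway 198.51.100.1
set route 203.0.113.20/32 interface ethernet0/3 gateway 192.0.2.1

# 2. One numbered tunnel interface per VPN (numbered so OSPF can run later).
set interface tunnel.1 zone untrust
set interface tunnel.1 ip 10.255.0.1/30
set interface tunnel.2 zone untrust
set interface tunnel.2 ip 10.255.0.5/30

# 3. Two IKE gateways, each bound to its outgoing interface, and two VPNs.
set ike gateway gw-lineA address 203.0.113.10 main outgoing-interface ethernet0/2 preshare "ExampleKeyA" sec-level standard
set ike gateway gw-lineB address 203.0.113.20 main outgoing-interface ethernet0/3 preshare "ExampleKeyB" sec-level standard
set vpn vpn-lineA gateway gw-lineA sec-level standard
set vpn vpn-lineB gateway gw-lineB sec-level standard

# 4. Bind each VPN to its own tunnel interface (never share one tunnel
#    interface between two monitored VPNs) and enable VPN monitoring, so a
#    dead tunnel takes its interface, and therefore its route, down.
set vpn vpn-lineA bind interface tunnel.1
set vpn vpn-lineB bind interface tunnel.2
set vpn vpn-lineA monitor source-interface tunnel.1 destination-ip 10.255.0.2 optimized rekey
set vpn vpn-lineB monitor source-interface tunnel.2 destination-ip 10.255.0.6 optimized rekey

# 5a. Active/active: allow two ECMP routes in the VR, permit asymmetric VPN
#     traffic in the zone holding the tunnel interfaces, and install two
#     routes with identical metric and preference (static defaults are
#     metric 1, preference 20). Sessions then round-robin over both tunnels.
set vrouter trust-vr max-ecmp-routes 2
set zone untrust asymmetric-vpn
set route 10.20.0.0/16 interface tunnel.1 metric 1
set route 10.20.0.0/16 interface tunnel.2 metric 1

# 5b. Active/standby alternative for unequal lines: same two routes with
#     different metrics and NOT marked permanent, so the backup route only
#     becomes active once monitoring has brought tunnel.1 down.
# set route 10.20.0.0/16 interface tunnel.1 metric 1
# set route 10.20.0.0/16 interface tunnel.2 metric 10

# 6. Policies are still required for traffic to cross the tunnels.
set policy from trust to untrust any any any permit
set policy from untrust to trust any any any permit
```

Site B mirrors this with the addresses swapped (tunnel.1 at 10.255.0.2/30, tunnel.2 at 10.255.0.6/30, host routes for site A's two public addresses). Two checks worth doing after applying it: `get route` should show both 10.20.0.0/16 entries active in the ECMP case (or only the tunnel.1 entry in the standby case), and pulling one provider line should, after the monitor timeout, show that tunnel interface down and the corresponding route gone rather than still installed, which is exactly what the `permanent` keyword would break.
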
  • I assume you mean you have 2 circuits coming in to each location? You should be able to do that with OSPF and routed VPNs using ECMP.


  • Hello,

    You can use ECMP (Equal Cost Multipath) to accomplish load balancing. I believe both static and dynamic routing are supported. If you are using VPNs between sites you will need to enable the “asymmetric” setting. We set up load balancing with multiple VPNs using ECMP and OSPF. It worked well. However, we rolled back to using the secondary links as dedicated backup links. Hope this helps.