Configure IPsec failover

With this configuration, when two IPsec tunnels are configured with the same local and remote endpoints but different metrics, traffic addressed to the remote endpoint will be routed through the IPsec tunnel with the lower metric.

If SureLink > Restart Interface is enabled for the tunnel with the lower metric, and SureLink determines that the tunnel is not functioning properly (for example, pings to a host at the other end of the tunnel are failing), then:

1. SureLink will shut down the tunnel and renegotiate its IPsec connection.

2. While the tunnel with the lower metric is down, traffic addressed to the remote endpoint will be routed through the tunnel with the higher metric.

For example:

• Tunnel_1:

  • Metric: 10

  • Local endpoint > Interface: LAN

  • Remote endpoint > Hostname: 192.168.10.1

  • SureLink configuration:

    • Restart Interface enabled

    • Test target:

      • Test type: Ping test

      • Ping host: 192.168.10.2

• Tunnel_2:

  • Metric: 20

  • Local endpoint > Interface: LAN

  • Remote endpoint > Hostname: 192.168.10.1

In this configuration:

1. Tunnel_1 will normally be used for traffic destined for the 192.168.10.1 endpoint.

2. If pings to 192.168.10.2 fail, SureLink will shut down the tunnel and renegotiate its IPsec connection.

3. While Tunnel_1 is down, Tunnel_2 will be used for traffic destined for the 192.168.10.1 endpoint.

  Web

1. Configure the primary IPsec tunnel. See Configure an IPsec tunnel for instructions.
   • During configuration of the IPsec tunnel, set the metric to a low value (for example, 10).

     

   • Configure SureLink for the primary IPsec tunnel and enable Restart interface. See Configure SureLink active recovery for IPsec for instructions.

     

2. Create a backup IPsec tunnel. Configure this tunnel to use the same local and remote endpoints as the primary tunnel. See Configure an IPsec tunnel for instructions.
   • During configuration of the IPsec tunnel, set the metric to a value that is higher than the metric of the primary tunnel (for example, 20).

     

  Web

1. Configure the primary IPsec tunnel. See Configure an IPsec tunnel for instructions.
2. Create a backup IPsec tunnel. See Configure an IPsec tunnel for instructions.
3. During configuration of the backup IPsec tunnel, identify the primary IPsec tunnel in the Preferred tunnel parameter: