
How do I set up an Ecessa appliance to route traffic so a site-to-site VPN can use failover?

The purpose of this article is to provide direction for creating static routes for Site-to-Site VPN Failover. This article assumes knowledge of the different types of static routes and how to create static routes (please refer to the manual or the Knowledge Base articles "What is the difference between the static route types?" and "How do I create a static route?" for more information). This document details two different examples: one involving routing a VPN with two WAN connections, and the other involving two or more WAN connections.

VPN Failover with 2 WAN lines

For the first example, VPN failover will be implemented through an Ecessa device with two WAN lines using NAT mode. By default VPN traffic will Source NAT as the Ecessa's IP address; however, this can be overridden with One-to-One NAT rules or by defining the source WAN IP address. WAN1 is configured as 172.16.0.1/24, and WAN2 is configured as 172.16.1.1/24. The destination is the remote VPN peer address 172.16.10.1/32, so the route will catch any traffic using the site-to-site VPN.

The VPN is to primarily use WAN1 so the route's source WAN IP is 172.16.0.1 and the type is Failback. When the VPN check-box is selected, it will block VPN connection attempts from the other WAN line. WAN2 will only be used if the WAN1 line goes down, and the traffic will then revert to WAN1 when it is operational again.

Please note: dead peer detection should be used on the 172.16.10.1 VPN appliance because that side should perform active testing to determine which line to attempt the connection on. 

Below is a screen shot of the example Ecessa configuration:



VPN Failover with 2+ WAN lines

For the next example, VPN failover will be implemented through an Ecessa device with more than two WAN lines using NAT mode. By default VPN traffic will Source NAT as the Ecessa's IP address; however, this can be overridden with One-to-One NAT rules or by defining the source WAN IP address. WAN1 is configured as 172.16.0.1/24, WAN2 is configured as 172.16.1.1/24, and WAN3 is configured as 172.16.2.1/24. The destination is the remote VPN peer address 172.16.10.1/32, so the route will catch any traffic using the site-to-site VPN.

With additional available WAN lines, failover will behave differently from the last example. While the traffic will primarily use WAN1, if this line fails the traffic will load balance across the remaining lines until WAN1 comes back up. As this behavior can cause issues for the VPN (the remote peer sees connection attempts arriving from changing source addresses), it is recommended to configure a hostname-based static route.

Go to the Authoritative DNS page, then select Enable Authoritative Name Server. Add a domain, name it static.route, and then click the Activate button. Click [Configure] next to the static.route domain.


By default wan1, wan2, and wan3 A records will be created with the WAN IP addresses of the Ecessa. In this example the Ecessa IP addresses are used for the source address of the VPN traffic so these records do not require any changes. 

Under the Load Balanced Host Records section, click the Add Host button, enter vpn as the hostname, then select wan1 and wan2 as the Canonicals. Set the Time to Live to 30 and enable the Redundancy Only box. This ensures only WAN1 will be used; if the line fails, then WAN2 will be used until WAN1 comes back up. No other lines will be used. If it is desired for the VPN traffic to use WAN3, it must also be selected in the Canonicals list.


For the hostname-based static route, the Source WAN IP or Hostname field will use vpn.static.route and the type will be set to Hostname Failback. When the VPN check-box is selected, it will block VPN connection attempts from the other WAN lines. WAN2 will only be used if the WAN1 line goes down, and the traffic will then revert to WAN1 when it is operational again.
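To make the difference between the two failover behaviours concrete, the following is an added Python model (written for this article; it is not Ecessa's code and not from the original page) of which source WAN IP the VPN traffic leaves from under each route type described above: the fixed-source Failback route with two WAN lines, the same route with three lines, and the Hostname Failback route backed by a Redundancy Only host record. The WAN and peer addresses are the article's lab values; the "load balance across the remaining lines" behaviour is modelled as simple round robin, which is an assumption for illustration only.

```python
"""Model of Ecessa source-WAN selection for site-to-site VPN failover.

Added example for this article, not vendor code. Addressing is the article's
constructed lab values; round-robin load balancing is an assumption.
"""
import ipaddress
from typing import Dict, List, Optional

# WAN interface IPs from the article's examples (constructed lab values).
WAN_IP: Dict[str, str] = {"wan1": "172.16.0.1", "wan2": "172.16.1.1", "wan3": "172.16.2.1"}
# Remote VPN peer the static route is written against.
VPN_PEER = ipaddress.ip_network("172.16.10.1/32")


def route_matches(dst_ip: str, destination: ipaddress.IPv4Network = VPN_PEER) -> bool:
    """The static route only applies to traffic whose destination is inside the /32 peer address."""
    return ipaddress.ip_address(dst_ip) in destination


def healthy(canonicals: List[str], link_up: Dict[str, bool]) -> List[str]:
    """WAN lines, in configured (Canonicals) order, whose line test currently passes."""
    return [w for w in canonicals if link_up.get(w, False)]


def resolve_redundancy_only(canonicals: List[str], link_up: Dict[str, bool]) -> Optional[str]:
    """Redundancy Only host record: always answer with the first healthy canonical.

    WAN2 is therefore used only while WAN1 is down, and the answer falls back to
    WAN1 as soon as its line test passes again. Returns None if every line is down.
    """
    up = healthy(canonicals, link_up)
    return WAN_IP[up[0]] if up else None


class RoundRobinResolver:
    """Load balancing across healthy lines, modelled as round robin (assumption)."""

    def __init__(self) -> None:
        self._next = 0

    def resolve(self, canonicals: List[str], link_up: Dict[str, bool]) -> Optional[str]:
        up = healthy(canonicals, link_up)
        if not up:
            return None
        choice = up[self._next % len(up)]
        self._next += 1
        return WAN_IP[choice]


def vpn_sources(mode: str, link_up: Dict[str, bool], attempts: int = 4) -> List[Optional[str]]:
    """Source WAN IP used for successive VPN connection attempts while link_up holds.

    mode: 'failback-2wan'      fixed source 172.16.0.1, type Failback, two lines
          'failback-3wan'      same route, but three lines available on failover
          'hostname-failback'  source vpn.static.route, Redundancy Only over wan1, wan2
    """
    rr = RoundRobinResolver()
    out: List[Optional[str]] = []
    for _ in range(attempts):
        if mode == "failback-2wan":
            src = resolve_redundancy_only(["wan1", "wan2"], link_up)
        elif mode == "failback-3wan":
            # Primary while it is up; otherwise the remaining lines are load balanced.
            src = WAN_IP["wan1"] if link_up.get("wan1") else rr.resolve(["wan2", "wan3"], link_up)
        elif mode == "hostname-failback":
            src = resolve_redundancy_only(["wan1", "wan2"], link_up)
        else:
            raise ValueError(f"unknown mode {mode!r}")
        out.append(src)
    return out


def source_flaps(sources: List[Optional[str]]) -> bool:
    """True if the peer would see the tunnel arrive from more than one source address."""
    return len({s for s in sources if s is not None}) > 1


if __name__ == "__main__":
    wan1_down = {"wan1": False, "wan2": True, "wan3": True}
    for mode in ("failback-2wan", "failback-3wan", "hostname-failback"):
        srcs = vpn_sources(mode, wan1_down)
        print(f"{mode:18s} WAN1 down -> {srcs}  flaps={source_flaps(srcs)}")
```

Running the block shows the failure mode the article warns about: with three lines and a fixed-source Failback route, consecutive attempts after WAN1 fails alternate between 172.16.1.1 and 172.16.2.1, while the Redundancy Only record keeps every attempt on 172.16.1.1 until WAN1 returns. On a real appliance the equivalent check is to query the Ecessa's authoritative name server for vpn.static.route (for example with dig) before and after a WAN1 line failure and confirm the answer moves from 172.16.0.1 to 172.16.1.1 and back.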

Below is a screen shot of the example Ecessa configuration:


Please note: dead peer detection should be used on the 172.16.10.1 VPN appliance because that side should perform active testing to determine which line to attempt the connection on. 
