We are migrating to our new platform at https://community.teltonika.lt. Moving forward, you can continue discussions on this new platform. This current platform will be temporarily maintained for reference purposes.
0 votes
317 views 13 comments
by anonymous
RUT950 V7.0.3 with 2 IPSEC VPN configured one as Main and other as backup as per attached image. Backup VPN points to another public IP address with another provider different from the Main one.

Main is set as Mode=Start and backup _b is set as Route. Despite these settings, every time I reboot the router, it starts the VPN _b (backup). No way to have it on the Main unless I disable _b.

Any idea?

Thanks

1 Answer

0 votes
by anonymous

Hello,

Thank you for reaching out!

Unfortunately, it seems like at the moment in our strongSwan implementation it is not possible to set up "passive" tunnels, that only connect if the main tunnel is down.
However, running both tunnels at the same time should not be an issue for the RUT950 (unless the remote subnets overlap for both instances).

Best regards,
DaumantasG

by anonymous
Thank you for the answer, but is there a way to tell the RUT950 to use the first one in the order? Or which kind of logic is used to determine the connection order?

If I revert the order in the list?

Thanks

regards
by anonymous
Tested it, and it seems like the instance that was created first, receives a metric of 1, as the next instances will have a +1 metric when compared to the previous.

So to answer your question - the higher the instance is in the list - the higher priority it will have.

Best regards,
DaumantasG
by anonymous
Hi DaumantasG,

This doesn't explain why on my settings the _b instance is always used as higher priority.

This happens always

Regards

Matteo
by anonymous

Please navigate to System → Administration → Troubleshoot and generate a Troubleshoot file. It can be attached to the original post and will only be visible to Teltonika moderators. It will give me some more insight into your configuration.

Best regards,
DaumantasG

by anonymous
Here it is, thanks

Matteo
by anonymous

It seems like the main instance does not even establish in the logs, could you try removing the rightdns option so that there would be no variables between the two instances?

Second, in both instances, local and remote subnets are specified as the same. This may be causing all of the issues in question. As a workaround, you could create separate VLANs for different IPsec instances. This way they both could be running at the same time.

Best regards,
DaumantasG
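
The condition named in the reply above (both instances specifying the same local and remote subnets) can be checked mechanically. This is an added example, not part of the original thread or Teltonika's code; it assumes the tunnel definitions are available in strongSwan's ipsec.conf syntax with plain CIDR subnet lists, and the sample configuration and connection names are constructed.

```python
import ipaddress
from itertools import combinations

# Constructed sample in strongSwan ipsec.conf syntax (not the poster's config).
SAMPLE_CONF = """\
conn main
    leftsubnet=192.168.1.0/24
    rightsubnet=10.0.0.0/16
    auto=start
conn main_b
    leftsubnet=192.168.1.0/24
    rightsubnet=10.0.0.0/16
    auto=route
conn other
    leftsubnet=192.168.1.0/24
    rightsubnet=172.16.5.0/24
    auto=start
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():  # unindented line starts a new section
            parts = line.split()
            is_conn = parts[0] == "conn" and len(parts) == 2
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def subnets(conn, key):
    # Assumption: values are comma-separated CIDRs without [proto/port] suffixes.
    return [ipaddress.ip_network(s.strip(), strict=False)
            for s in conn.get(key, "").split(",") if s.strip()]

def overlap(ca, cb, key):
    return any(x.overlaps(y) for x in subnets(ca, key) for y in subnets(cb, key))

def overlapping_pairs(conns):
    """Pairs of conns whose local AND remote subnets both overlap."""
    pairs = combinations(sorted(conns.items()), 2)
    return [(a, b, ca.get("auto"), cb.get("auto")) for (a, ca), (b, cb) in pairs
            if overlap(ca, cb, "leftsubnet") and overlap(ca, cb, "rightsubnet")]

for a, b, mode_a, mode_b in overlapping_pairs(parse_conns(SAMPLE_CONF)):
    print(f"{a} (auto={mode_a}) and {b} (auto={mode_b}) select the same traffic")
```
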

by anonymous
I've removed the rightdns option, now blank. No change

We have several RUT950 installed with V6 firmware running this way which don't exhibit this issue. It seems that something has changed with V7.x firmware.

LAN address should be identical, otherwise how can we access the remote endpoints on the VPN?

I'll try to revert the order so this can possibly change the priority level, but I guess a Priority option in IPSEC settings would help a lot in this case.

Matteo
by anonymous
Hello,

If this setup worked in v6 firmware, I recommend using that until this feature is fully supported in v7.

However, I don't see any plans from our RnD team to implement a high availability mode at the moment, so it might take a while. Your suggestion is noted and will be forwarded to the RnD team.

Priority options, in this case, would be a 'band-aid' solution to the issue.

Best regards,
DaumantasG
by anonymous
Hello,

The problem with remaining on v6 firmware is that we would like to use the RUTXR1, but I think that this device can't run this previous version. Is that right?

regards
by anonymous
If you already have the device, you could test it out with v0.2.6, as that shares most of the logic with v6.

If that does not help, I'm afraid the only option is to wait for the implementation of this IPsec module.

Best regards,
DaumantasG
by anonymous
But I can find only the fw V7.02.6. Is this the one you refer to?

Best regards
by anonymous

This is the FW I was referring to.

Best regards,
DaumantasG

by anonymous
Hi,

Just to let you know that swapping the VPN order in the IPSEC config during their creation has solved the start order. This has been proven on two different RUT950 units.