[AusNOG] Edgerouter Dual WAN + IPSEC

Jacob Gardiner jacob at jacobgardiner.com
Tue Jul 30 15:44:08 EST 2019


Hey mate,

Yeah, there's only ever one VPN link; there's no secondary VPN currently.

I've managed to resolve the issue thanks to Russell Brooks pointing me in
the right direction. I ended up setting up a new LB config that
specifically uses the lb-local-metric-change option; this basically sets
the distance of the failover gateway to be further than the primary. IPSEC
doesn't respect the existing failover-only config I had in the default load
balancer.

 group LB-GCP {
     interface pppoe0 {
     }
     interface pppoe1 {
         failover-only
     }
     lb-local disable
     lb-local-metric-change enable
 }

I'll consider doing dual tunnels later on; it's not a priority for now.

Cheers

On Tue, 30 Jul 2019 at 15:18, Jacob Taylor <me at jacobtaylor.id.au> wrote:

> Hi Jacob,
>
> Is there only ever one VPN link up at any given time? Or do you maintain a
> “hot standby” tunnel out the failover interface in addition to the primary?
>
> It’s been a while since I’ve used an ER, but from memory the IPsec was
> policy based and not route based. If so, you should be able to set up a
> specific /32 for the remote IPsec endpoint pointing out the primary PPPoE
> interface, and if it goes down the route should be ignored and everything
> will use the backup.
>
> Regards,
> Other Jacob
>
> Sent from my iPhone
>
> > On 30 Jul 2019, at 13:51, Jacob Gardiner <jacob at jacobgardiner.com> wrote:
> >
> > Hey all,
> >
> > I'm troubleshooting an issue where we have an Edgerouter deployed with
> > dual WAN (failover only, not load balancing) with an IPSEC VPN to Google
> > Cloud Platform.
> >
> > In particular, the DNS queries originating from the GCP side reach the
> > server internally OK, but the responses seem to be load-balancing back out
> > the pppoe0/1 interfaces, and are only received sometimes on the remote side
> > (when the response goes out pppoe0).
> >
> > If anybody's got some experience with this kind of deployment before and
> > has a bit of spare brain capacity, feel free to email me direct to avoid
> > spamming the list.
> >
> > I've tried various LB configs, routing table configs, DNAT configs, and also
> > have turned off the 'smart' auto-nat/firewall features.
> >
> > Cheers
> >
> > --
> > Jacob Gardiner
> >
>


-- 
Jacob Gardiner
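As an added example (not code from the thread and not EdgeOS's own tooling), a small Python linter for the brace-style load-balance group shown in the reply above: it parses the block and flags a group that lacks the lb-local-metric-change setting the post reports as the fix, or that has more than one non-failover-only interface. The parser and the BAD_CONFIG "before" state are constructed here.

```python
# Added example: lint an EdgeOS-style load-balance group for the failover-only +
# IPsec case from the thread. The parser below is a minimal one written here for
# the curly-brace syntax shown in the email; it is not EdgeOS code.

GOOD_CONFIG = """\
group LB-GCP {
    interface pppoe0 {
    }
    interface pppoe1 {
        failover-only
    }
    lb-local disable
    lb-local-metric-change enable
}
"""
# Constructed "before" state: failover-only alone, without the metric change.
BAD_CONFIG = GOOD_CONFIG.replace("    lb-local-metric-change enable\n", "")


def parse(text):
    """Parse 'key [value] {' blocks into nested dicts; bare keywords map to True."""
    root = cur = {}
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            cur = stack.pop()
        elif line.endswith("{"):
            stack.append(cur)
            cur = cur.setdefault(line[:-1].strip(), {})
        else:
            key, _, value = line.partition(" ")
            cur[key] = value.strip() or True
    return root


def check_group(cfg, name):
    """Return findings (empty list = OK) for load-balance group `name`."""
    group = cfg.get(f"group {name}")
    if group is None:
        return [f"group {name} not found"]
    ifaces = {k.split(" ", 1)[1]: v for k, v in group.items() if k.startswith("interface ")}
    primaries = [i for i, opts in ifaces.items() if "failover-only" not in opts]
    findings = []
    if len(primaries) != 1:
        findings.append(f"expected exactly one non-failover-only interface, got {primaries}")
    if group.get("lb-local-metric-change") != "enable":
        findings.append("lb-local-metric-change not enabled: failover-only alone was not honoured for IPsec")
    return findings
```

Run `check_group(parse(GOOD_CONFIG), "LB-GCP")` to see an empty result for the working config and `check_group(parse(BAD_CONFIG), "LB-GCP")` for the finding on the pre-fix state.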