
How can I configure one IPSec VPN with dual WAN on NSA4600?

coooolin Newbie ✭

Hello


My NSA4600 has WAN1 and WAN2; the remote site has WAN3. Can I set up VPN failover on WAN1 and WAN2?

My Site:

WAN1 IP: [REDACTED BY @Community Manager ]

WAN2 IP: [REDACTED BY @Community Manager ]

LAN Subnet: 10.9.0.0/16

Remote Site:

WAN3 IP: [REDACTED BY @Community Manager ]

LAN Subnet: 192.168.0.0/16


The remote site has already set up two one-to-one IPSec VPNs from the remote site to my WAN1 and WAN2.

And I have already set up one one-to-one IPSec VPN from my site to the remote site, and my VPN policy is bound to Zone WAN.


The problem now is that the two remote VPNs are constantly switching. My local VPN also keeps flashing and losing packets.

What should I do next? Or are there some wrong settings?

Category: Firewall Management and Analytics

Best Answers

  • CORRECT ANSWER
    MustafaA SonicWall Employee
    Answer ✓

    The reason I am asking this is that the flapping may be the result of the Remote Site trying to make two active VPN connections to your WAN1 and WAN2. Change the VPN configuration from policy-based to route-based with two tunnel interfaces. You will have two active tunnels and the traffic will be routed through one of them, based on the metric priority of the route policy.

  • CORRECT ANSWER
    coooolin Newbie ✭
    Answer ✓

    I have tried to establish two site-to-site IPSec VPNs, but they were rejected due to identical parameters and IP addresses. 😅

  • CORRECT ANSWER
    preston Enthusiast ✭✭
    edited August 2023 Answer ✓
  • CORRECT ANSWER
    Ajishlal Community Legend ✭✭✭✭✭
    Answer ✓

    @coooolin,

    I would recommend SD-WAN, but you would have 2 ISP lines in each location for the proper solution.


  • CORRECT ANSWER
    preston Enthusiast ✭✭
    Answer ✓

    @coooolin

    I know @Ajishlal has recommended the SDWAN method but this is only needed if you think there is going to be an issue with critical traffic which is reliant on good latency on the connection, especially as you now have it working as you wanted.

    F.Y.I. you can also set this up for Unnumbered Interfaces (the route-based VPN method you have already set up); it is just that there is no KB document available for that way, but it is the same principle without the need to add the VPN Tunnel Interfaces in the Network/Interfaces menu.

    Route Based VPN (Tunnel) (the way you have it set up currently) gives you the redundancy if you set up two policies, one for each WAN, and the relevant route policies.

    SDWAN with Route Based VPN (Tunnel) just adds the extra option in the routes to fail over based on SDWAN probes and choose the route based on the parameters set up in the SDWAN probes for Latency and Jitter.

    Personally I would leave it as it is as @MustafaA recommended and only look at changing to the SDWAN if you do come across any issues with latency in the future.
