This article shows how to configure VPN connection failover on the USG FLEX / ATP / VPN Series using a site-to-site tunnel, first with Trunk Failover and then with a VPN Concentrator. The second scenario uses Dual-WAN to perform failover on a hub-and-spoke VPN, with the HQ ZyWALL/USG as the hub and spoke VPNs to Branches A and B.
1) Configure VPN Failover via Trunk Failover
Scenario (Trunk Failover)
The customer has 2 different WAN IPs with two VPN connections at the branch site. One of them is a dynamic IP.
In case the WAN1 connection goes down for any reason the WAN2 interface should be used as Failover to keep the tunnel alive.
How to set up the VPN client connection Failover?
1.1 Configure the WAN Failover via Trunk Settings
In the web GUI, go to the Configuration > Network > Interface > Trunk > User configuration > Add screen.
Set WAN2’s mode to Passive.
1.2 Configure Disconnect Connections Before Falling Back
Enable "Disconnect Connections Before Falling Back".
1.3 Configure the VPN Gateway
Go to Configuration > VPN > IPSec VPN > VPN Gateway.
On the Branch side:
Set My Address -> Domain Name/IPv4 to 0.0.0.0 (the USG will then connect through whichever WAN interface is currently active).
On the HQ side:
Since the IP address of the WAN2 interface on the Branch side is dynamic, the "Peer Gateway Address" on the HQ side must be set to "Dynamic address". Alternatively, a Dynamic DNS name can be set up and used in the Static Address field.
Make sure the connectivity check is enabled on both sides.
1.4 Configure Client-side-VPN-Failover via SSH
Enter the following command via SSH on the device:
Router(config)# client-side-vpn-failover-fallback activate
Afterwards, the tunnel will fall back to WAN1 automatically once the WAN1 connection has recovered.
2) Configure VPN Failover via VPN Concentrator
Scenario (VPN Concentrator)
When the VPN tunnel is configured, traffic passes between branches via the hub (HQ).
Traffic can also pass between spoke-and-spoke through the hub. If the primary WAN interface is unavailable, the backup WAN interface will be used.
When the primary WAN interface is available again, traffic will use that interface again.
2.1 Configure Hub_HQ-to-Branch_A
1 Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway, select Enable.
Type the VPN Gateway Name used to identify this VPN gateway.
Configure the Primary Gateway IP as the Branch A’s wan1 IP address (in the example, 172.16.20.1) and Secondary Gateway IP as the Branch A’s wan2 IP address (in the example, 172.100.120.1).
Select Fall back to Primary Peer Gateway when possible and set desired Fall Back Check Interval time.
Type a secure Pre-Shared Key (8-32 characters) which must match your Branch A’s Pre-Shared Key and click OK.
CONFIGURATION > VPN > IPSec VPN > VPN Gateway
2 Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection and select Enable.
Type the Connection Name used to identify this VPN connection.
Select scenario as Site-to-site and VPN Gateway which is configured in Step 1.
CONFIGURATION > VPN > IPSec VPN > VPN Connection > General Settings and VPN Gateway
Click Create new Object to add the address of local network behind Hub_HQ and an address of local network behind Branch A.
CONFIGURATION > VPN > IPSec VPN > VPN Connection > Create new Object
Set Local Policy to be Hub_HQ and Remote Policy to Branch_A which are newly created. Click OK.
CONFIGURATION > VPN > IPSec VPN > VPN Connection > Policy
2.2 Configure Hub_HQ-to-Branch_B
1 Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway, select Enable. Type the VPN Gateway Name used to identify this VPN gateway.
Then, configure the Primary Gateway IP as the Branch B’s wan1 IP address (in the example, 172.16.30.1) and Secondary Gateway IP as the Branch B’s wan2 IP address (in the example, 172.100.130.1).
Select Fall back to Primary Peer Gateway when possible and set desired Fall Back Check Interval time.
Type a secure Pre-Shared Key (8-32 characters) which must match your Branch B’s Pre-Shared Key and click OK.
CONFIGURATION > VPN > IPSec VPN > VPN Gateway
2 Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection to enable VPN Connection. Select scenario as Site-to-site and VPN Gateway which is configured in Step 1.
CONFIGURATION > VPN > IPSec VPN > VPN Connection > General Settings and VPN Gateway
Click Create new Object to add an address of local network behind Hub_HQ and an address of local network behind Branch B.
CONFIGURATION > VPN > IPSec VPN > VPN Connection > Create new Object
Set Local Policy to be Hub_HQ and Remote Policy to Branch_B which are newly created. Click OK.
CONFIGURATION > VPN > IPSec VPN > VPN Connection > Policy
2.3 Configure Hub_HQ Concentrator
1 In the ZyWALL/USG, go to CONFIGURATION > VPN > IPSec VPN > Concentrator and add a VPN Concentrator rule. Add the VPN tunnels to the same member group and click Save.
2.4 Configure Spoke_Branch_A
1 Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway, select Enable. Type the VPN Gateway Name used to identify this VPN gateway.
Then, configure the Primary Gateway IP as the Hub_HQ’s wan1 IP address (in the example, 172.16.10.1) and Secondary Gateway IP as the Hub_HQ’s wan2 IP address (in the example, 172.100.110.1). Select Fall back to Primary Peer Gateway when possible and set desired Fall Back Check Interval time.
Type a secure Pre-Shared Key (8-32 characters) which must match your Hub_HQ’s Pre-Shared Key and click OK.
CONFIGURATION > VPN > IPSec VPN > VPN Gateway
2 Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection and select Enable. Type the Connection Name used to identify this VPN connection. Select scenario as Site-to-site and VPN Gateway which is configured in Step 1.
CONFIGURATION > VPN > IPSec VPN > VPN Connection > General Settings and VPN Gateway
Click Create new Object to add the address of the local network behind Branch A and the address of the local network behind Hub_HQ.
CONFIGURATION > VPN > IPSec VPN > VPN Connection > Create new Object
Set Local Policy to be Spoke_Branch_A_LOCAL and Remote Policy to Hub_HQ which are newly created. Click OK.
CONFIGURATION > VPN > IPSec VPN > VPN Connection > Policy
3 Go to Network > Routing > Policy Route to add a Policy Route to allow traffic from Spoke_Branch_A to Spoke_Branch_B.
Click Create new Object and set the address to be the local network behind the Spoke_Branch_B. Select Source Address to be the local network behind the Spoke_Branch_A. Then, scroll down the Destination Address list to choose the newly created Spoke_Branch_B_LOCAL address. Click OK.
Network > Routing > Policy Route
2.5 Configure Spoke_Branch_B
1 Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway, select Enable. Type the VPN Gateway Name used to identify this VPN gateway.
Then, configure the Primary Gateway IP as the Hub_HQ’s wan1 IP address (in the example, 172.16.10.1) and Secondary Gateway IP as the Hub_HQ’s wan2 IP address (in the example, 172.100.110.1). Select Fall back to Primary Peer Gateway when possible and set desired Fall Back Check Interval time.
Type a secure Pre-Shared Key (8-32 characters) which must match your Hub_HQ’s Pre-Shared Key and click OK.
CONFIGURATION > VPN > IPSec VPN > VPN Gateway
2 Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection and select Enable. Type the Connection Name used to identify this VPN connection. Select scenario as Site-to-site and VPN Gateway which is configured in Step 1.
CONFIGURATION > VPN > IPSec VPN > VPN Connection > General Settings and VPN Gateway
Click Create new Object to add the address of local network behind Branch B and an address of local network behind Hub_HQ.
CONFIGURATION > VPN > IPSec VPN > VPN Connection > Create new Object
Set Local Policy to be Spoke_Branch_B_LOCAL and Remote Policy to Hub_HQ which are newly created. Click OK.
CONFIGURATION > VPN > IPSec VPN > VPN Connection > Policy
3 Go to Network > Routing > Policy Route to add a Policy Route to allow traffic from Spoke_Branch_B to Spoke_Branch_A.
Click Create new Object and set the address to be the local network behind the Spoke_Branch_A. Select Source Address to be the local network behind the Spoke_Branch_B. Then, scroll down the Destination Address list to choose the newly created Spoke_Branch_A_LOCAL address. Click OK.
Network > Routing > Policy Route
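Steps 2.1 to 2.5 all rely on the same pair of settings: a Primary and a Secondary Gateway IP, "Fall back to Primary Peer Gateway when possible", and the Fall Back Check Interval (the trunk in section 1 applies the same active/passive-with-fallback idea at the interface level). The following model is an added illustration of that behaviour, not Zyxel code; the peer addresses are the article's Branch A example values, the reachability timeline is constructed, and the exact probing the firmware performs is assumed to be "check the primary once per interval".

```python
"""Added model (not Zyxel code) of the Primary / Secondary Gateway IP pair
with "Fall back to Primary Peer Gateway when possible" and a Fall Back
Check Interval, as configured in 2.1 - 2.5.  Peer addresses are the
article's example values; the reachability timeline is constructed."""
from dataclasses import dataclass, field


@dataclass
class PeerGatewayFailover:
    primary: str
    secondary: str
    fall_back_to_primary: bool = True
    check_interval: int = 60          # Fall Back Check Interval, seconds
    active: str = field(init=False)
    _since_check: int = field(default=0, init=False)

    def __post_init__(self):
        # The tunnel is first built to the primary peer.
        self.active = self.primary

    def tick(self, elapsed: int, primary_up: bool, secondary_up: bool) -> str:
        """Advance the model by `elapsed` seconds given whether each peer
        currently answers; returns the peer the tunnel should use."""
        if self.active == self.primary:
            # Primary lost: move to the secondary immediately.
            if not primary_up and secondary_up:
                self.active = self.secondary
                self._since_check = 0
            return self.active

        # Currently on the secondary peer.
        if not secondary_up and primary_up:
            # Secondary lost as well: return to the primary without waiting.
            self.active = self.primary
            return self.active
        if self.fall_back_to_primary:
            # Probe the primary only once per check interval (assumed
            # behaviour), so a flapping primary does not bounce the tunnel
            # on every sample.
            self._since_check += elapsed
            if self._since_check >= self.check_interval:
                self._since_check = 0
                if primary_up:
                    self.active = self.primary
        return self.active


def run_timeline(gw: PeerGatewayFailover, timeline) -> list:
    """Feed (elapsed_seconds, primary_up, secondary_up) samples to the model
    and record the peer selected after each one."""
    return [gw.tick(dt, p, s) for dt, p, s in timeline]


# Constructed timeline, 30 s per sample: Branch A's wan1 peer disappears
# for 60 s and then returns.
BRANCH_A_PRIMARY = "172.16.20.1"      # Branch A wan1, from the article
BRANCH_A_SECONDARY = "172.100.120.1"  # Branch A wan2, from the article
TIMELINE = [
    (30, True, True),
    (30, False, True),
    (30, False, True),
    (30, True, True),
    (30, True, True),
]


def with_fallback() -> list:
    gw = PeerGatewayFailover(BRANCH_A_PRIMARY, BRANCH_A_SECONDARY,
                             fall_back_to_primary=True, check_interval=60)
    return run_timeline(gw, TIMELINE)


def without_fallback() -> list:
    gw = PeerGatewayFailover(BRANCH_A_PRIMARY, BRANCH_A_SECONDARY,
                             fall_back_to_primary=False)
    return run_timeline(gw, TIMELINE)


if __name__ == "__main__":
    print("fall back enabled :", with_fallback())
    print("fall back disabled:", without_fallback())
```

With fallback enabled the tunnel returns to the wan1 peer at the first interval boundary after it recovers; with it disabled the tunnel stays on the wan2 peer until that peer fails, which is why the article selects the option on every gateway.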
2.6 Test the IPSec VPN Tunnel
1 Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection, click Connect on the upper bar. The Status connect icon is lit when the interface is connected.
Hub_HQ > CONFIGURATION > VPN > IPSec VPN > VPN Connection
Spoke_Branch_A > CONFIGURATION > VPN > IPSec VPN > VPN Connection
Spoke_Branch_B > CONFIGURATION > VPN > IPSec VPN > VPN Connection
2 Go to ZyWALL/USG MONITOR > VPN Monitor > IPSec and verify the tunnel Up Time and the Inbound(Bytes)/Outbound(Bytes) traffic. Click Connectivity Check to verify the result of ICMP Connectivity.
Hub_HQ > MONITOR > VPN Monitor > IPSec > Hub_HQ-to-Branch_A
Hub_HQ > MONITOR > VPN Monitor > IPSec > Hub_HQ-to-Branch_B
Spoke_Branch_B > MONITOR > VPN Monitor > IPSec
Spoke_Branch_A > MONITOR > VPN Monitor > IPSec
2.7 What Can Go Wrong?
1 If you see [info] or [error] log messages such as the following, check the ZyWALL/USG Phase 1 settings. All ZyWALL/USG units must use the same Pre-Shared Key, Encryption, Authentication method, DH key group and ID Type to establish the IKE SA.
2 If the Phase 1 IKE SA completes but you still get [info] log messages such as the following, check the ZyWALL/USG Phase 2 settings. All ZyWALL/USG units must use the same Protocol, Encapsulation, Encryption, Authentication method and PFS to establish the IPSec SA.
3 Make sure all ZyWALL/USG units’ security policies allow IPSec VPN traffic. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50.
4 By default, NAT traversal is enabled on ZyWALL/USG, so please make sure the remote IPSec device also has NAT traversal enabled.
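The four checks above can be turned into a quick pre-flight comparison. The helper below is an added example, not Zyxel code: it models the Phase 1 and Phase 2 parameters the checklist names, reports which ones differ between two units, and lists the IKE/ESP/AH flows a security policy still blocks. UDP 500, IP protocol 50 and IP protocol 51 come from the article; UDP 4500 is the standard NAT traversal port and is included because NAT traversal is on by default. All sample settings are constructed.

```python
"""Added troubleshooting helper for the "What Can Go Wrong?" checklist
(not Zyxel code).  Models the Phase 1 / Phase 2 parameters the article says
must match and the flows the security policy must permit."""
from dataclasses import dataclass, fields


@dataclass(frozen=True)
class Phase1:
    """IKE Phase 1 parameters that must match on both units (step 1)."""
    pre_shared_key: str
    encryption: str
    authentication: str
    dh_group: str
    id_type: str


@dataclass(frozen=True)
class Phase2:
    """IPSec Phase 2 parameters that must match on both units (step 2)."""
    protocol: str
    encapsulation: str
    encryption: str
    authentication: str
    pfs: str


def mismatched_fields(local, remote) -> list:
    """Return the names of parameters that differ between two peers'
    settings.  An empty list means the proposals agree."""
    if type(local) is not type(remote):
        raise TypeError("compare Phase1 with Phase1 or Phase2 with Phase2")
    return [f.name for f in fields(local)
            if getattr(local, f.name) != getattr(remote, f.name)]


# (transport, port or IP protocol number) -> label.  UDP 500, IP 50 and
# IP 51 are from the article; UDP 4500 is the NAT traversal port.
IPSEC_FLOWS = {
    ("udp", 500): "IKE (UDP 500)",
    ("ip", 50): "ESP (IP protocol 50)",
    ("ip", 51): "AH (IP protocol 51)",
}
NAT_T_FLOW = {("udp", 4500): "NAT-T (UDP 4500)"}


def missing_policy_entries(allowed, nat_traversal=True) -> list:
    """Given the (transport, number) pairs a security policy permits,
    list the IPSec flows it still blocks (step 3, plus step 4's NAT-T)."""
    required = dict(IPSEC_FLOWS)
    if nat_traversal:
        required.update(NAT_T_FLOW)
    allowed = set(allowed)
    return [label for key, label in required.items() if key not in allowed]


# Constructed sample: the branch was given a different DH group, and the
# hub's security policy only opened UDP 500.
HQ_P1 = Phase1("ExamplePSK12", "AES256", "SHA256", "DH14", "IPv4")
BR_P1 = Phase1("ExamplePSK12", "AES256", "SHA256", "DH2", "IPv4")
HQ_P2 = Phase2("ESP", "Tunnel", "AES256", "SHA256", "DH14")
BR_P2 = Phase2("ESP", "Tunnel", "AES256", "SHA256", "DH14")
HQ_POLICY_ALLOWS = {("udp", 500)}

if __name__ == "__main__":
    print("Phase 1 mismatches:", mismatched_fields(HQ_P1, BR_P1))
    print("Phase 2 mismatches:", mismatched_fields(HQ_P2, BR_P2))
    print("Blocked flows     :", missing_policy_entries(HQ_POLICY_ALLOWS))
```

Run it with each unit's settings transcribed from the VPN Gateway and VPN Connection screens; a non-empty Phase 1 list explains the IKE SA failures in step 1, a non-empty Phase 2 list explains the step 2 symptom, and a non-empty blocked-flow list points at the security policy before any proposal is touched.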
KB-00162