Support / Knowledge Base / Automatic failover between 2 IPsec tunnels on Digi TransPort

Automatic failover between 2 IPsec tunnels on Digi TransPort

This Knowledge Article will describe how to configure a Digi TransPort router to failover between 2 IPsec tunnels and recover automatically.

Configure IPsec Tunnel 0

Open the web interface of the device and navigate to Configuration - Network > Virtual Private Networking (VPN) > IPsec > IPsec Tunnels > IPsec 0

Configure the primary IPsec tunnel Phase 2 like desired. For example  :

Note : for more information on how to build an IPsec tunnel between two Digi TransPort routers, please see at the end of this article for a link to an Application Note

ipsec 0 phase 2

Makes sure that the tunnel is set to "Whenever a route to the destination is available" and if the tunnel is down and a packet is ready to be sent to "bring the tunnel up"

tunnel up config

Repeat these steps for the second IPsec tunnel.

Configure IPsec Tunnel 0 out of service

Navigate to Configuration - Network > Virtual Private Networking (VPN) > IPsec > IPsec Tunnels > IPsec 0 > Advanced

Check the box "Go out of service if automatic establishment fails"

out of service


Click Apply and Save Configuration.


Configure IPsec Tunnel 1 inhibit

Navigate to Configuration - Network > Virtual Private Networking (VPN) > IPsec > IPsec Tunnels > IPsec 1 > Advanced

Under "Inhibit this IPsec tunnel when IPsec tunnels" enter 0

tunnel 1 inhibit


This option will prevent IPsec Tunnel 1 to be built if IPsec Tunnel 0 is established.

Verify failover

You can verify that the failover is happening and the second is started as soon as the first IPsec tunnel is set out of service in the eventlog :



08:55:08, 31 Oct 2014,Eroute 1 VPN up peer: responder
08:55:08, 31 Oct 2014,New IPSec SA created by responder
08:55:08, 31 Oct 2014,(1778) IKE Notification: Initial Contact,RX
08:55:08, 31 Oct 2014,(1779) IKE Notification: Responder Lifetime,RX
08:55:08, 31 Oct 2014,(1778) New Phase 2 IKE Session  37.83.216.184,Initiator
08:55:08, 31 Oct 2014,(1776) IKE Keys Negotiated. Peer: responder
08:55:07, 31 Oct 2014,(1760) IKE SA Removed. Peer: responder,Dead Peer Detected
08:55:07, 31 Oct 2014,(1776) New Phase 1 IKE Session 37.83.216.184,Initiator
08:55:07, 31 Oct 2014,IKE Request Received From Eroute 1
08:55:07, 31 Oct 2014,(1775) New Phase 1 IKE Session  90.121.123.244,Initiator
08:55:07, 31 Oct 2014,IKE Request Received From Eroute 0
08:55:07, 31 Oct 2014,Eroute 0 Out Of Service,No SAs
08:55:07, 31 Oct 2014,Eroute 0 VPN down peer: responder
08:55:07, 31 Oct 2014,IPSec SA Deleted ID responder,Dead Peer Detected

The device will however keep trying to build the IPsec tunnel 0 in the background until the remote peer comes back online/is available. At which point, the IPsec tunnel 1 will be dropped down due to the inhibit configuration.

08:59:07, 31 Oct 2014,(1789) IKE SA Removed. Peer: responder,Successful Negotiation
08:58:38, 31 Oct 2014,Eroute 1 VPN down peer: responder
08:58:38, 31 Oct 2014,IPSec SA Deleted ID responder,Eroute inhibited
08:58:38, 31 Oct 2014,Eroute 0 Available,No SAs
08:58:38, 31 Oct 2014,Eroute 0 VPN up peer: responder
08:58:38, 31 Oct 2014,New IPSec SA created by responder
08:58:38, 31 Oct 2014,(1789) IKE Notification: Initial Contact,RX
08:58:38, 31 Oct 2014,(1790) IKE Notification: Responder Lifetime,RX
08:58:38, 31 Oct 2014,(1789) New Phase 2 IKE Session 90.121.123.244,Initiator
08:58:38, 31 Oct 2014,(1788) IKE Keys Negotiated. Peer: responder
08:58:37, 31 Oct 2014,(1788) New Phase 1 IKE Session 90.121.123.244,Initiator
08:58:37, 31 Oct 2014,IKE Request Received From Eroute 0
08:58:37, 31 Oct 2014,(1787) IKE SA Removed. Peer: ,Negotiation Failure
08:58:37, 31 Oct 2014,(1787) IKE Negotiation Failed. Peer: ,Retries Exceeded
08:58:27, 31 Oct 2014,IKE Request Received From Eroute 0
08:58:17, 31 Oct 2014,IKE Request Received From Eroute 0

You can find a more in depth Application Note on how to build an IPsec tunnel between two Digi TransPort routers using Pre-Shared key like in our example at the following link :

http://ftp1.digi.com/support/documentation/AN_010_IPSec_Over_Cellular_using_Digi_Transport_Routers.pdf

 
Last updated: Aug 23, 2017

Filed Under

Cellular/Transport

Recently Viewed Articles

No recently viewed articles
Contact a Digi expert and get started today! Contact Us