High Availability VPN router

kleeb

Hi everyone!

I'm new to the business and I have to solve the following scenario:

I need to set up a VPN between a head office and a branch. This VPN should be of high availability, as every transaction performed in the branch should be authorized in the head office. So I need two Internet (WAN) connections on each end-point. I only have one branch, and the required throughput is not big. There are about 20 PCs in the head office LAN, and 10 in the branch.

Can anyone recommend me a hardware and configuration for this scenario?

I investigated a bit and found the Draytek Vigor2910 has the two WAN and VPN features, but I'm not completely sure if this is the right product for me (and we don't have the resources to afford buying the wrong hardware). I am thinking of the following solution using this product, and would like you to confirm whether this can work or whether I need to choose other hardware and configuration:

1) Have one Vigor2910 at the head office with two WANs in a fail-over setup and configured with a DDNS server so I can always reach it from outside using the same DNS address regardless of the WAN it is actually connected with. This router should be set up as dial-in VPN server.

2) Have another Vigor2910 at the branch with two WANs in a fail-over setup and configured with a DDNS server so it can authenticate to the VPN regardless of the WAN it is actually connected with. This router should be set up as dial-out VPN client and "always-on".

Do I have everything covered with this, or am I missing something? I'm concerned about:

A) If the head-office primary WAN fails and the VPN breaks, will this router automatically fail over to the secondary WAN and the branch connect to the VPN again?

B) If the branch primary WAN fails and the VPN breaks, will this router automatically fail over to the secondary WAN and automatically dial out to the VPN server again?

C) When a router is working on the secondary WAN (because of a primary WAN failure), when will it restore to the primary WAN connection?

D) Will LAN users on both sides be able to navigate normally on the internet while the VPN is established?

I know there are a lot of questions and I appreciate your time to read this.

Thanks very much!
 
Moved the thread to a different subforum where you might have better luck.
 
I think your plan is basically ok. The main question is whether the VPN tunnels are automatically re-established when the WAN connection switches over. I'm sorry, but others will need to answer that.

As far as when the connection switches from secondary back to primary, it should switch when the primary connection comes back up.
 
I think your plan is basically ok. The main question is whether the VPN tunnels are automatically re-established when the WAN connection switches over.

Yes, I'm mainly concerned about that as well. Please, if someone who has experience can answer that, that would be very helpful for me, I'm running out of time and I need to set up the VPN soon.

I would make a modification to the plan: use both WAN connections simultaneously, but the primary for VPN only and the other for the rest of the internet traffic. I see that this router allows this, right?

Thanks very much,
kleeb
 
I'm not familiar with the Vigor 2910. But many dual-WAN routers let you direct services to specific WAN connections.
 
VPN-Failover

It should work, so long as you set up the VPN failover in the router. You'll want to have the main node always be dial-in, and the other spoke nodes always be dial-out.

Currently I have several different routers, but I have 2 offices (spokes) with the 2810 connected to a 2950 (hub) with failover configured. If I take down WAN1 (main WAN for VPN) on the 2950, after several seconds the other routers detect the change and change over to WAN2. They keep trying to connect via WAN1 every so many seconds (I think this is 60 on the 2910) and if the interface comes back up the VPN connects and the 2910s drop the secondary (WAN2) connection.

When it comes to inbound/outbound WAN traffic, so long as you have load balancing or failover configured, you won't notice the sub-second blip as the router shifts all traffic out the other port. I usually configure the routers so that all ports are open across both IPs.

Make sure you have the latest firmware before doing anything. If you run into a bind, Draytek's tech support (via email) is top notch: http://www.draytek.com/user/SupportEmailto.php
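A rough model of the spoke-side behaviour described in this post, added here as an example; it is not part of the original post and is not DrayTek firmware logic. The 60-second WAN1 retry comes from the post, while `detect_delay`, `dial_time`, the outage-free failback and the outage intervals are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SpokeModel:
    detect_delay: int = 10    # assumed: "several seconds" to notice WAN1 path is dead
    dial_time: int = 5        # assumed: seconds to bring the tunnel up on WAN2
    retry_interval: int = 60  # from the post: WAN1 retried roughly every 60 s

def simulate(wan1_outages, horizon, m=SpokeModel()):
    """Return [(second, state)] transitions of the spoke's tunnel.

    wan1_outages: constructed list of (start, end) seconds during which the
    hub's WAN1 is unreachable. States: WAN1, DOWN, WAN2.
    """
    def wan1_up(t):
        return not any(start <= t < end for start, end in wan1_outages)

    state, since, log = "WAN1", 0, [(0, "WAN1")]
    for t in range(1, horizon + 1):
        new = state
        if state == "WAN1" and not wan1_up(t):
            new = "DOWN"                      # tunnel traffic stops immediately
        elif state == "DOWN":
            if wan1_up(t):
                new = "WAN1"                  # blip ended before failover completed
            elif t - since >= m.detect_delay + m.dial_time:
                new = "WAN2"                  # detected, redialled on secondary
        elif state == "WAN2":
            # Periodic WAN1 probe; assumed make-before-break, so no gap on failback.
            if (t - since) % m.retry_interval == 0 and wan1_up(t):
                new = "WAN1"
        if new != state:
            state, since = new, t
            log.append((t, state))
    return log

def downtime(log, horizon):
    """Total seconds the tunnel spent in DOWN within [0, horizon]."""
    ends = [t for t, _ in log[1:]] + [horizon]
    return sum(end - t for (t, s), end in zip(log, ends) if s == "DOWN")

if __name__ == "__main__":
    log = simulate([(100, 400)], horizon=600)   # constructed 5-minute WAN1 outage
    print(log, "tunnel down for", downtime(log, 600), "s")
```

With these assumed timings a five-minute WAN1 outage costs about 15 seconds of tunnel downtime, and the tunnel stays on WAN2 until the next retry tick after WAN1 recovers.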
 
VPN failover

Thanks rolaids! Your reply was very helpful... Now I can order the hardware, will do it asap.

I have checked the documentation on Draytek's web site to get an idea of how to set up the VPN failover. Do you mean I have to set up a "VPN trunk"? Or do I just need to configure the dial-in and dial-out VPNs as "WAN 1 first" to fail over automatically to WAN2?
Will I have any issue with both IPs on both sides being dynamic?

Regarding the inbound/outbound WAN traffic, do you mean it's not worth setting up manual rules to direct VPN traffic to WAN1 and the rest of the internet traffic to WAN2, as automatic load balancing will handle this?

Thanks again for your time!
 
