[SOLVED] Router with more than one backup VPN tunnel?

nic01

Prominent
May 17, 2018
Hello.
I have 2 offices connected to the Internet with Cisco RV042 Dual-WAN routers (they are old, I know). Both routers have 2 different ISPs connected on their respective WAN1 & WAN2 interfaces - if the one on WAN1 fails, the other one takes over. They are also connected directly through a VPN tunnel on their WAN1 interfaces, which, if it fails, may be replaced by a backup tunnel. However, this backup tunnel may only be configured to pass either through the local WAN2 interface OR the remote router's WAN2 interface. (Screenshot). There is no option if ISP1 fails in both offices (on both WAN1 interfaces) and you have to make the new tunnel between the local WAN2 interface and the remote WAN2 interface.

Is there a small-business class router that offers this functionality, or one that allows for at least two backup VPN tunnels?

Thanks in advance.
 
Solution
Likely your best option is going to be some third-party firmware like DD-WRT. Be aware that the CPU is the limiting factor in almost all VPN. You might be better off with a small multi-NIC PC on both ends running one of the Linux router/firewall images. Even a very low-power PC is going to outperform almost any router.
Cisco enterprise routers should have no issues doing this. If this is one of their cheap models maybe not.

All you do is create 4 tunnels: 1-1, 1-2, 2-1, 2-2. You then run a routing protocol like OSPF to switch between them. You could technically pass traffic over both with careful OSPF tuning.

Most Cisco routers also support DMVPN, but that is used in a more complex setup.
 

nic01

Prominent
May 17, 2018
Yes, enterprise routers will have no problem with this, and I am also familiar with DMVPN, but they are too expensive. I am looking for a consumer/small-business router similar to the RV042. It also need not be Cisco; maybe TP-LINK or something like that.
 
This is really interesting. How would one do this conceptually, mainly using OSPF, as I've never messed with it? I'd love to have this type of redundancy on our IPsec tunnels, and our hardware is probably up to the job as well--just never messed with it.
 
Not sure what your question is. The OSPF part is just a matter of telling the router that the endpoints of each tunnel are in an OSPF area. For simplicity you could just stick it all in area 0. OSPF by itself will form an adjacency over the link. The key will be that the IPsec needs to be a point-to-point link. There is some issue on some platforms with passing multicast over IPsec without GRE, but you have to read the details on configuring it. It can be done on every platform I have seen.

After that you set the OSPF metric to determine the primary and secondary path. The standard OSPF hello messages are used to detect the down condition and switch.
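As an added illustration (not code from the thread or from any router vendor), here is a small Python model of the four-tunnel design described above: each tunnel carries an assumed OSPF cost, a neighbour is declared down once the dead interval passes without a hello, and the lowest-cost surviving tunnel becomes active. Tunnel names ("1-1" = local WAN1 to remote WAN1, etc.), costs and timer values are assumptions chosen to match the discussion; a real deployment needs the router's own OSPF and IPsec configuration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Tunnel:
    name: str                        # "L-R": local WAN L to remote WAN R (assumed naming)
    cost: int                        # OSPF interface cost; lowest up tunnel wins (assumed values)
    last_hello: Optional[float] = None


class OspfFailover:
    """Simplified OSPF neighbour liveness over parallel point-to-point tunnels."""

    def __init__(self, tunnels, dead_interval):
        self.tunnels = {t.name: t for t in tunnels}
        self.dead_interval = dead_interval

    def hello_received(self, name, now):
        self.tunnels[name].last_hello = now

    def is_up(self, name, now):
        # OSPF declares the neighbour down once no hello arrives for dead_interval.
        t = self.tunnels[name]
        return t.last_hello is not None and now - t.last_hello < self.dead_interval

    def active_tunnel(self, now):
        up = [t for t in self.tunnels.values() if self.is_up(t.name, now)]
        return min(up, key=lambda t: (t.cost, t.name)).name if up else None


# Primary 1-1, the two mixed tunnels as first fallback, 2-2 as last resort (assumed costs).
DEFAULT_TUNNELS = [Tunnel("1-1", 10), Tunnel("1-2", 20), Tunnel("2-1", 20), Tunnel("2-2", 30)]


def touches_failed_wan(name, failed_wans):
    """failed_wans is a set of ("local", n) / ("remote", n) pairs, e.g. both ISP1 links down."""
    local, remote = (int(x) for x in name.split("-"))
    return ("local", local) in failed_wans or ("remote", remote) in failed_wans


def simulate(hello_interval, dead_interval, failed_wans, fail_at, horizon):
    """Deliver hellos every hello_interval; tunnels through a failed WAN stop receiving
    them at fail_at. Returns the list of (time, active tunnel) transitions."""
    ospf = OspfFailover([Tunnel(t.name, t.cost) for t in DEFAULT_TUNNELS], dead_interval)
    transitions, current = [], None
    for k in range(horizon // hello_interval + 1):
        now = k * hello_interval
        for t in ospf.tunnels.values():
            if now < fail_at or not touches_failed_wan(t.name, failed_wans):
                ospf.hello_received(t.name, now)
        active = ospf.active_tunnel(now)
        if active != current:
            transitions.append((now, active))
            current = active
    return transitions
```

With the default 10 s hello / 40 s dead timers, a failure of ISP1 at both sites at t=25 is only detected at t=60 (the 2-2 tunnel then takes over); with 1 s / 3 s timers the switch happens at t=27.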