Applicable Version: 10.00 onwards
Cyberoam VPN Connection Failover is a feature that provides an automatic backup connection for VPN traffic and Always ON VPN connectivity for IPSec and L2TP connections.
A VPN tunnel allows you to access remote servers and applications with total security. With VPN auto failover, a VPN connection is re-established when one of the two WAN connections drops. The solution also achieves a failover latency of a few seconds by constantly monitoring the link and instantly switching over in the event of a failure.
VPN Failover and Failback advantages:
· Reduce the possibility of a single point of failure.
· Reduce the reliance on manual intervention to establish a new connection.
· Reduce the failover time of a VPN connection with redundant VPN tunnels and VPN monitoring.
Cyberoam implements failover using a VPN Connection Group.
A VPN group is a set of VPN tunnel configurations. The Phase 1 and Phase 2 security parameters for each connection in a group can be different or identical, except for the IP address of the remote gateway. The order of connections in the Group defines the failover priority of the connections.
A connection included in the Group must be activated and manually connected for the first time before it participates in failover. The Group will not fail over to the subsequent connection if a connection is manually disconnected.
When the primary connection fails, the subsequent active connection in the Group takes over without manual intervention and keeps traffic moving. The entire process is transparent to users.
· Local Gateway fails – for Road warrior connection.
Cyberoam VPN failover can be deployed in any number of possible configurations and supports remote/branch offices in seamlessly establishing a VPN connection to a secondary gateway should the connection to the primary gateway be terminated, allowing for continuous uptime.
Set up VPN redundant tunnel in network with multiple gateways
This article features a detailed configuration example that demonstrates how to set up a redundant IPSec VPN tunnel that uses preshared keys for authentication.
The following sections are included:
In the example and throughout the article, the IP addresses given below are assigned to the Cyberoam appliances deployed at the headquarters and the branch. Follow the steps for setting up the redundant VPN tunnel (failover) configuration to create a VPN tunnel between the Houston branch (Cyberoam_BO) and the New York head office (Cyberoam_HO) network.
IP addressing scheme
| Site | Interface | IP address |
|---|---|---|
| New York office (Cyberoam_HO) | LAN | 10.10.10.0/24 |
| New York office (Cyberoam_HO) | WAN (Gateway 1) | 192.168.1.1 |
| New York office (Cyberoam_HO) | WAN (Gateway 2) | 192.168.2.1 |
| Spoke 1 – Houston branch (Cyberoam_BO) | LAN | 10.10.20.0/24 |
| Spoke 1 – Houston branch (Cyberoam_BO) | WAN (Gateway 3) | 192.168.3.1 |
| Spoke 1 – Houston branch (Cyberoam_BO) | WAN (Gateway 4) | 192.168.4.1 |
You must be logged on to the Web Admin Console as an administrator with Read-Write permission for relevant feature(s).
Step 1: Configure Connection at New York
Create IPSec connection on New York (Cyberoam_HO).
As Cyberoam is configured with 2 gateways, we will create a total of 4 tunnels/connections, i.e. 2 tunnels per gateway.
· Connection 1: Establishing tunnel between Gateway 1 and Gateway 3 of Houston branch
· Connection 2: Establishing tunnel between Gateway 1 and Gateway 4 of Houston branch
· Connection 3: Establishing tunnel between Gateway 2 and Gateway 3 of Houston branch
· Connection 4: Establishing tunnel between Gateway 2 and Gateway 4 of Houston branch
Refer to the article Establish Site-to-Site IPSec Connection using Preshared key to create each Site-to-Site IPSec connection.
Create IPSec connections on the Houston branch (Cyberoam_BO).
Similarly, create the following tunnels/connections.
· Connection 1: Establishing tunnel between Gateway 3 and Gateway 1 of New York
· Connection 2: Establishing tunnel between Gateway 3 and Gateway 2 of New York
· Connection 3: Establishing tunnel between Gateway 4 and Gateway 1 of New York
· Connection 4: Establishing tunnel between Gateway 4 and Gateway 2 of New York
Connection Group Details
Specify a name to identify the failover group.
Select Connections: Member Connections
The Available Connections list displays the connections that can be added to the failover group. Click on the connections to be added to the Member Connections list. The Appliance will select the subsequent active connection from the Member Connections list if the primary connection fails.
The top-down order of connections in the Member Connections list specifies the failover preference, i.e. if the primary connection fails, the very next connection in the list will be used by the Appliance to keep the VPN traffic moving.
Once a connection is included in any Group, it will not be displayed in the ‘Available Connections’ list.
Remote Access connections will not be listed in the ‘Available Connections’ list.
You need to define a minimum of 2 member connections in a Group.
Initially, only one tunnel is active and established between the peers over Gateway 3 and Gateway 2. All other tunnels are in standby mode.
Example: WAN link on Gateway 2 at New York office goes down
As defined in the failover group, the second connection (Gateway 3 – Gateway 1) gets connected and traffic is sent through this new tunnel.
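As an added illustration (not Cyberoam's code), the following Python models the group selection rule described above: members are walked top-down, a tunnel whose local or remote gateway is on a failed WAN link is skipped, and the walk stops at a manually disconnected member. The gateway names come from the article's addressing scheme; the group name and the order of the last two members are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Connection:
    name: str
    local_gw: str                    # local WAN gateway the tunnel leaves from
    remote_gw: str                   # peer gateway the tunnel terminates on
    participating: bool = True       # activated and manually connected once
    manually_disconnected: bool = False

class FailoverGroup:
    """Ordered member list; top-down order is the failover preference."""
    def __init__(self, name: str, members: list):
        if len(members) < 2:
            raise ValueError("a failover group needs at least 2 member connections")
        self.name, self.members = name, members

    def select(self, down_gateways: set) -> Optional[Connection]:
        """First member able to carry traffic given the failed WAN gateways.
        Members that never participated are skipped; a manually disconnected
        member ends the walk (no failover past an administrator's disconnect)."""
        for c in self.members:
            if c.manually_disconnected:
                return None
            if not c.participating:
                continue
            if c.local_gw in down_gateways or c.remote_gw in down_gateways:
                continue
            return c
        return None

def houston_group() -> FailoverGroup:
    """The four Houston (Cyberoam_BO) tunnels from the article, ordered as the
    failover example implies (Gateway 3 - Gateway 2 first, then Gateway 3 -
    Gateway 1); the order of the last two members is assumed for this example."""
    def conn(local: str, remote: str) -> Connection:
        return Connection(f"{local} - {remote}", local, remote)
    return FailoverGroup("Houston_to_NewYork", [
        conn("Gateway 3", "Gateway 2"),
        conn("Gateway 3", "Gateway 1"),
        conn("Gateway 4", "Gateway 1"),
        conn("Gateway 4", "Gateway 2"),
    ])

def active_tunnel(group: FailoverGroup, down_gateways: set) -> Optional[str]:
    """Name of the tunnel carrying traffic, or None when the VPN is down."""
    c = group.select(down_gateways)
    return c.name if c else None
```

Walking the Houston group with Gateway 2 marked down reproduces the article's example: the first member loses its remote gateway and Gateway 3 – Gateway 1 takes over.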