Re: Dual wan Dual vpn utm9s

mosquiton · ‎2016-07-25

Hi everyone,

is my first time i face a netgear firewall, anda sicerely i'm having some problem with a configuration,

i have 2 utm9s and it was asked to me to configure them in dual wan dua vpn mode.

let me be more specific, we have 2 site with each one with 2 broadband connection and public ip.

the aim is to make 2 vpn tunnel with failover over the 2 separate wan connection,

the problem is, when i set up using the wizard it says that the configuration is invalid.

on the manual i've seen that technically is possible , but i don't know how....

thanks everyone

omicron_persei8 · ‎2016-07-25

Hi,

As far as I know, setting up two IPSec VPN connections between the same two routers is not the way to go.

It's not going to work because the VPN policies will conflict each other ("the destination subnet foo must go through the VPN bar" rule must be unique).

To configure this properly, you need to use rollover inside the VPN policy, on both side. And because you can only set one IP address as remote endpoint, you must use an FQDN.

The roll-over option determines which WAN interface use as outbound, and the FQDN as remote endpoint determines which remote IP address is used for the communication.

View solution in original post

DaneA · ‎2016-07-25

Hi mosquiton,

Welcome to the community! 🙂

Have you tried to create another VPN policy on the UTM9s located on the remote location with WAN 2 port as the peer box-to-box connection? Also, you may try using FQDN because I think that for auto-rollover mode, you need a fully qualified domain name (FQDN) to implement features such as exposed hosts and virtual private networks regardless of whether you have a fixed or dynamic IP address.

Regards,

DaneA

NETGEAR Community Team

mosquiton · ‎2016-07-25

Hi!

Thanks for the welcome!

i've created 2 vpn policies on every box, on the reference manual of utm9s there's a picture that represent the exact scenario that i'm facing off.

exactly at page 635 of "UTM_RM_15Oct2012".

i hope fqdn will not be required

DaneA · ‎2016-07-25

Hi mosquiton,

I believe you are referring to Figure 373 from page 635 of the UTM reference manual here. Kindly answer my questions below:

a. Are your WAN IP addresses fixed (static) or dynamic?

b. What is the current firmware version of the 2 UTM9s?

Regards,

DaneA

NETGEAR Community Team

mosquiton · ‎2016-07-25

hi DaneA,

thank you for your support, you are very kind,

yes exactly that figure.

the ip addresses are static and given from the isp, the firmware is the 3.6.2-4.

there's 2 broadband connection on each site with 4 public and static ip

if i set up only one vpn tunnel everything looks and works good, troubles begin when i try to setup the second link.

unfortunately theres no documentation from netgear to set up that kind of scenario...

tnx

omicron_persei8 · ‎2016-07-25

Hi,

As far as I know, setting up two IPSec VPN connections between the same two routers is not the way to go.

It's not going to work because the VPN policies will conflict each other ("the destination subnet foo must go through the VPN bar" rule must be unique).

To configure this properly, you need to use rollover inside the VPN policy, on both side. And because you can only set one IP address as remote endpoint, you must use an FQDN.

The roll-over option determines which WAN interface use as outbound, and the FQDN as remote endpoint determines which remote IP address is used for the communication.

mosquiton · ‎2016-07-26

Thank you so much for your feedback, i'll give it a try!!

DaneA · ‎2016-07-31

Hi mosquiton,

We’d greatly appreciate hearing your feedback letting us know if the information I’ve provided has helped resolve your concern or if you need further assistance. If ever your concern has been resolved, I encourage you to mark the appropriate reply as the “Accepted Solution” so others can be confident in benefiting from the solution. The NETGEAR Community looks forward to hearing from you and being a helpful resource in the future!

Regards,

DaneA

NETGEAR Community Team

mosquiton · ‎2016-08-02

I've appreciated a lot your help! great community, i'll put next week the solution in production, i'm still testing it in lab, i'll post soon my feedback. Thanks everyone!

DaneA · ‎2016-08-09

Hi mosquiton,

Just want to follow-up on this. Were you able to test it in your laboratory? Kindly keep us posted.

Regards,

DaneA

NETGEAR Community Team

mosquiton · ‎2016-08-10

Hi DaneA,

actually there's no way to make it works,

both in real scenario and lab, the dual vpn mode simply doesn't works...

occasionally one vpn get up, than after some time, it drops.

The vpns alternate each other in gettin up, with some priority for the one on the first wan.

Now i'm trying to access to cli mode, but i can't find any documentation about.

I'll keep posting my result.

Tnx everyone