I'm guessing it can be done, but... failover on SonicWall?

knc

Active Member
Location: Kingston, NY
I'm trying to figure out how to create an automatic failover on a second WAN in a SonicWall. We need to keep the VPN tunnels up.... Hmm, this will be complicated as the failover (DSL probably) will have its own (public) IPs for the VPN tunnels.....
And the tunnels, which reach out to three locations, will be affected if the failover happens on one WAN and not all.

i.e. router one (which receives the two other connections) has a static IP of (for argument's sake) 1.1.1.1,
router two will be 2.2.2.2 and router three will be 3.3.3.3 on cable, and the VPNs point to 1.1.1.1 from 2 and 3..

So the internet fails and the DSL picks up; the main site will then have a static IP of 4.4.4.4... Internet is working fine at sites 2 and 3, so they won't know of a static IP change at the main site..

I'm not sure this can be done..

Am I overcomplicating this?
Are you trying to protect against ISP failure or router failure? Failover usually refers to switching to a different ISP if the primary internet connection drops.

If you want to protect against router failure (because your routers run your VPN tunnel) some routers can do this, but the hardware price will be quite a bit higher.

VPNs have a lot of moving parts in the background (depending on what type of VPN you're using). They don't like any connectivity interruptions. While the failover technology is useful, it normally involves changing public IP addresses -- and that would cause a VPN security issue because it looks like a man-in-the-middle attack.
 
YES and YES..
Apparently SonicWall can do an ISP/WAN failover, so that is easy. But the hard piece (I think) is when ISP 1 goes down at the main site: the router at site B has to know this has happened and set up the VPN tunnel on the new IP..
 
Just throwing it out there: can you initiate the VPN from site 1 -> 2 instead of 2 -> 1? This way, if 2 is set to allow a VPN connection from either the primary or failover WAN IP, it would still connect through. Aka the destination IP doesn't change this way, just the source.

That's working on the assumption you don't have the same setup at 2 and 3 with a failover line....
 
If the setup is 2x WANs at HQ and just 1 WAN at each remote site, and all are SonicWall, then the suggestion blacklabtechs made in your other thread should be your resolution. It doesn't scale very well, but depending on your needs scalability may not be a concern.
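To make the reasoning in these posts concrete, here is an added Python model; it is not from the thread, from SonicWall, or from any real VPN implementation. It uses the placeholder addresses from the thread (1.1.1.1 and 4.4.4.4 at HQ, 2.2.2.2 and 3.3.3.3 at the remote sites) plus a constructed 5.5.5.5 second WAN for site 2, and it models one rule only: a tunnel stays up if the initiator has a working WAN, the IP it dials is the responder's currently active WAN, and the responder accepts the initiator's current source IP as a known peer. Real IKE renegotiation, dead-peer detection timers and SonicWall policy syntax are deliberately outside the model.

```python
"""Constructed model of the WAN-failover / VPN-peer-IP problem from the thread.

All addresses are the thread's placeholders (plus a made-up 5.5.5.5);
nothing here talks to a real firewall.
"""
from dataclasses import dataclass, field


@dataclass
class Site:
    name: str
    wans: list                                # public IPs in priority order; index 0 is primary
    failed: set = field(default_factory=set)  # WAN IPs that are currently down

    def active_ip(self):
        """IP the site currently sources from: the first WAN that is still up."""
        for ip in self.wans:
            if ip not in self.failed:
                return ip
        return None


@dataclass
class Tunnel:
    initiator: Site
    responder: Site
    peer_ip: str        # address the initiator dials; fixed in its VPN policy
    allowed_peers: set  # source IPs the responder's policy accepts

    def is_up(self):
        src = self.initiator.active_ip()
        dst = self.responder.active_ip()
        # The dialed address must be the responder's live WAN, and the responder
        # must recognise the initiator's current source address as a peer.
        return src is not None and dst == self.peer_ip and src in self.allowed_peers


def tunnel_status(tunnels):
    """Map 'Initiator->Responder' to True/False for each tunnel."""
    return {f"{t.initiator.name}->{t.responder.name}": t.is_up() for t in tunnels}


def remote_initiated_design():
    """The thread's starting design: sites 2 and 3 dial the HQ primary IP 1.1.1.1."""
    hq = Site("HQ", ["1.1.1.1", "4.4.4.4"])  # cable primary, DSL failover
    s2 = Site("Site2", ["2.2.2.2"])
    s3 = Site("Site3", ["3.3.3.3"])
    tunnels = [
        Tunnel(s2, hq, "1.1.1.1", {"2.2.2.2"}),
        Tunnel(s3, hq, "1.1.1.1", {"3.3.3.3"}),
    ]
    return hq, tunnels


def hq_initiated_design():
    """Suggested alternative: HQ dials the remotes; remotes accept either HQ WAN IP."""
    hq = Site("HQ", ["1.1.1.1", "4.4.4.4"])
    s2 = Site("Site2", ["2.2.2.2"])
    s3 = Site("Site3", ["3.3.3.3"])
    tunnels = [
        Tunnel(hq, s2, "2.2.2.2", {"1.1.1.1", "4.4.4.4"}),
        Tunnel(hq, s3, "3.3.3.3", {"1.1.1.1", "4.4.4.4"}),
    ]
    return hq, tunnels


def simulate_hq_failover(design):
    """Return tunnel status before and after HQ's cable WAN drops."""
    hq, tunnels = design()
    before = tunnel_status(tunnels)
    hq.failed.add("1.1.1.1")  # cable fails; the SonicWall fails over to DSL 4.4.4.4
    after = tunnel_status(tunnels)
    return before, after


def simulate_remote_failover_with_hq_initiated():
    """The caveat from the thread: the HQ-initiated design only helps while the
    remote sites have a single WAN. Give site 2 a constructed second WAN and
    fail its primary; HQ still dials 2.2.2.2, so the tunnel drops."""
    hq = Site("HQ", ["1.1.1.1", "4.4.4.4"])
    s2 = Site("Site2", ["2.2.2.2", "5.5.5.5"])  # 5.5.5.5 is a constructed failover IP
    tunnel = Tunnel(hq, s2, "2.2.2.2", {"1.1.1.1", "4.4.4.4"})
    s2.failed.add("2.2.2.2")
    return tunnel.is_up()


if __name__ == "__main__":
    for design in (remote_initiated_design, hq_initiated_design):
        before, after = simulate_hq_failover(design)
        print(design.__name__, "before:", before, "after HQ failover:", after)
    print("HQ-initiated tunnel with site 2 failed over:",
          simulate_remote_failover_with_hq_initiated())
```

Running it shows the thread's conclusion: with remote-initiated tunnels both tunnels drop when HQ fails over to 4.4.4.4, with HQ-initiated tunnels both survive, and the HQ-initiated design breaks again as soon as a remote site also changes its own public IP.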
 