Two RB750, Two ISP, failover..
Posted: Fri Jul 22, 2011 4:42 pm
by Multik
Hi all,
I have two MikroTik RB750s with two links from two ISPs in one office and two MikroTik RB1000s in the other office with two links from ISPs. I need to create failover settings for IPsec between the offices.
How can I do this with the best results?
If I set VRRP between the two RB750s in one office, I can't use them for bridge failover to set up IPsec between the offices.
Re: Two RB750, Two ISP, failover..
Posted: Wed Jul 18, 2012 5:49 pm
by ZeroByte
You can, but the configuration gets a bit involved.
I'll call the sites A and B, and the routers A1, A2, B1, and B2.
On router A1, create two IPIP tunnel interfaces, "ToB1" and "ToB2".
On router A2, create the same two interfaces.
On B1 create "ToA1" and "ToA2".
On B2 create "ToA1" and "ToA2".
Assign IP addresses to each tunnel endpoint. (I recommend using /30 addresses, such as 192.168.255.0/30, .4/30, etc.)
Ping test across the tunnels to make sure this works.
On A1, configure 2 IPSEC tunnels: match src=A1's public IP, dst=B1's public address for tunnel 1; and src=A1's public address, dst=B2's public address for tunnel 2.
Do this on all 4 routers.
Ping test across the tunnels again to make sure that this is working. At this point, you are using IPSEC to encapsulate tunnel packets. (IPIP over IPSEC over IP)
Connect A1 and A2 directly to each other with a dedicated ethernet link and put a /30 private IP on the two routers.
Do the same at site B.
Configure OSPF on all 4 routers. For simplicity, use area 0 everywhere.
Add all tunnel interfaces and the private A1/A2 and B1/B2 interfaces to OSPF.
Finally, add the LAN interface(s) to each router's OSPF.
When complete, you will be using OSPF to protect everything. If you also configure each router to originate default routes into OSPF, you will have full protection, even if A1's ISP goes down, for instance: A2 will advertise a default route to A1.
After it's all working, you can tweak your OSPF metrics (cost) to favor the best connections between sites. B1 may have a better connection to A2 than A1, for instance, so make that tunnel's cost lower than the one to A1. Make sure that the tunnels all cost more than the local physical links.
If you have the equipment necessary, I suggest setting this up in a lab before doing it on your live network, since OSPF can be confusing if you're not familiar with IP routing.
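The steps above written out as router A1's configuration, added here as an illustration and not ZeroByte's own config. It assumes RouterOS v6 syntax (before 6.43, which moved the pre-shared key to /ip ipsec identity), documentation-range placeholder addresses (203.0.113.x for site A, 198.51.100.x for site B), ether5 as the direct /30 link to A2, and placeholder PSKs; the check-gateway on the static default is an addition beyond the post so that the default is withdrawn, and therefore no longer originated into OSPF, when the ISP stops answering. A2, B1 and B2 mirror it with their own tunnel names and addresses.

```routeros
# Router A1 (RouterOS v6 before 6.43 assumed; newer versions move the
# pre-shared key to /ip ipsec identity). Addresses are placeholders:
#   A1 public 203.0.113.10 (ISP gateway .9), B1 public 198.51.100.10,
#   B2 public 198.51.100.20, ether1 = ISP, ether2 = LAN, ether5 = link to A2.

# 1. IPIP tunnels to both routers at site B, one /30 per tunnel
/interface ipip
add name=ToB1 local-address=203.0.113.10 remote-address=198.51.100.10
add name=ToB2 local-address=203.0.113.10 remote-address=198.51.100.20
/ip address
add address=192.168.255.1/30 interface=ToB1
add address=192.168.255.5/30 interface=ToB2
add address=10.255.0.1/30 interface=ether5 comment="direct link to A2"
add address=192.168.10.2/24 interface=ether2 comment="LAN"

# 2. Transport-mode IPsec that encrypts only the IPIP packets between the
#    public addresses (IPIP over IPsec over IP). Replace the placeholder PSKs.
/ip ipsec proposal
set default auth-algorithms=sha1 enc-algorithms=aes-128-cbc pfs-group=modp1024
/ip ipsec peer
add address=198.51.100.10/32 secret="CHANGE-ME-B1" exchange-mode=main
add address=198.51.100.20/32 secret="CHANGE-ME-B2" exchange-mode=main
/ip ipsec policy
add src-address=203.0.113.10/32 dst-address=198.51.100.10/32 protocol=ipip \
    action=encrypt tunnel=no level=require proposal=default \
    sa-src-address=203.0.113.10 sa-dst-address=198.51.100.10
add src-address=203.0.113.10/32 dst-address=198.51.100.20/32 protocol=ipip \
    action=encrypt tunnel=no level=require proposal=default \
    sa-src-address=203.0.113.10 sa-dst-address=198.51.100.20

# 3. Static default via the local ISP; check-gateway withdraws it when the
#    ISP stops answering, so OSPF stops originating it and A2's default wins.
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.9 check-gateway=ping distance=1

# 4. OSPF, area 0 everywhere; default route originated only while installed
/routing ospf instance
set default router-id=10.255.0.1 distribute-default=if-installed-as-type-1
/routing ospf network
add network=192.168.255.0/30 area=backbone
add network=192.168.255.4/30 area=backbone
add network=10.255.0.0/30 area=backbone
add network=192.168.10.0/24 area=backbone
/routing ospf interface
add interface=ether5 cost=5 network-type=point-to-point
add interface=ToB1 cost=50 network-type=point-to-point
add interface=ToB2 cost=60 network-type=point-to-point
add interface=ether2 passive=yes
```

The tunnel costs (50 and 60) are deliberately higher than the A1-A2 link cost (5) so that site-local traffic never prefers a tunnel, as the post advises; adjust them per tunnel once you see which ISP pairing performs best.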