IPSec with VRRP

**WolfR1der** · 06-27-2019, 08:55 AM

We are implementing a new network setup at a new data center and have the option of a high bandwidth Internet connection replacing our leased lines. I am looking into the options and Untangle is always among them.
In order to connect the new data center to the existing sites we would need to do IPSec VPNs from a pair of VRRP'd Untangle firewalls to Cisco devices. Naturally I assume this works and works well but I had to ping here to see if my assertions are correct.

Also on the back end these Untangle devices need to support OSPF to Cisco devices but I assume that would work fine since OSPF is a standard that neither entity has domain over, no? Thus OSPF between a Cisco and Untangle device should work.

**jcoffin** · 06-27-2019, 09:59 AM

In working with Cisco equipment over the years including coding, Cisco seems to have their own favor of standards. So YMMV.

**sky-knight** · 06-27-2019, 10:02 AM

Yeah, I've never done this but been curious about it a few times. Because VRRP doesn't really get involved here. You have a tunnel per device, and you use OSPF to keep the routing loops under control.

All the moving parts are there, but if any of them is off for whatever reason... splat.

All I can say is... Good luck! And be glad you aren't trying this with Meraki! It doesn't have IKEV2 support, now Untangle can do v1, but Meraki's v1 is stupidly picky.

**WolfR1der** · 06-27-2019, 10:13 AM

Ok let's back up a bit and say I was going UT to UT, both ends are VRRP clusters and they're doing IPSec tunnels between each other. How well do they stay connected and/or reconnect if say the active node drops for whatever reason?

**sky-knight** · 06-27-2019, 10:22 AM

As I understand it, VRRP is irrelevant. You have a separate tunnel for each interface pair you want to connect.

I would double check with support to see if you can't get away with terminating on the VRRP address instead, because that makes things much simpler.

OpenVPN is available on the VRRP address, so when I do VRRP on OpenVPN stuff, if a router dies I just have some tunnels that need rebuilding, they usually do it all on their own. Sometimes I have to power cycle the OpenVPN app.

**WolfR1der** · 06-27-2019, 12:40 PM

Not OpenVPN, IPSec VPN. I want to establish site to site tunnels that come up on their own when interesting traffic presents itself.
So I'm curious how the IPSec VPN works on the VRRP interface. If this is even worth pursuing?

**sky-knight** · 06-27-2019, 01:12 PM

As I said, I'm not sure because I've never done it. However, the fact that OpenVPN operates off the VRRP shared IP address tells me that IPSec most likely can as well. As far as I know the only things that don't operate off the aliases in question are the http/https management services.

Thread: IPSec with VRRP

LinkBack

Thread Tools

IPSec with VRRP

Posting Permissions