How to Configure IPsec Failover on Omada Router in Standalone mode

Please update Omada router to the firmware which is adapted to Controller 5.8 and above.

User’s Application Scenario

IPsec Failover provides redundancy for IPsec VPN connections. If the ISP1 Internet link goes down, a failover ISP2 Internet link takes over.

Note: The USB Port can’t be used for VPN Connection, so it can’t be used for IPsec Failover either.

All traffic between networks 192.168.0.1/24 and 192.168.10.1/24 is encrypted over IPsec site-to-site VPN tunnels.

VPN tunnel through ISP1 is the Primary tunnel, if the link over ISP1 goes down, then the Secondary VPN tunnel through ISP2 will be established automatically and pass the traffic.

Once the ISP1 link recovers, the traffic will fall back to the Primary VPN tunnel.

Configuration

Step1: Configure IPsec VPN on Router1

Note: Router1 can be any router that supports IPsec VPN, here we use Omada Router as an example.

1. Go to VPN > IPsec > IPsec Policy > IPsec Policy List, click Add and enter the parameters following:

• Policy Name: test
• Mode: LAN-to-LAN
• Remote Gateway: 0.0.0.0
• WAN: WAN
• Local Subnet: 192.168.0.1/24
• Remote Subnet: 192.168.10.1/24
• Pre-shared Key: tplink
• Status: Enable

2. Click Advanced Settings, select the Negotiation Mode as Responder Mode, and keep the other parameters of Phase-1 and Phase-2 as default.

Note: You can also specify the parameters of Phase-1 and Phase-2 as you like, just make sure the Negotiation Mode of Router1 is Responder Mode, and other parameters are the same as Router2.

Step2: Configure IPsec VPN on Router2

1. Before configuring IPsec VPN on Router2, you should make sure there are two WAN ports enabled on Router2, and both WAN Ports are linked up with ISP.

2. Go to VPN > IPsec > IPsec Policy > IPsec Policy List, click Add to create the IPsec VPN Tunnel 1, and enter the parameters following:

• Policy Name: test_1
• Mode: LAN-to-LAN
• Remote Gateway: 192.168.1.114
• WAN: WAN
• Local Subnet: 192.168.10.1/24
• Remote Subnet: 192.168.0.1/24
• Pre-shared Key: tplink
• Status: Enable

3. Click Advanced Settings, select the Negotiation Mode as Initiator Mode, and specify the other parameters of Phase-1 and Phase-2 the same as Router1.

4. Click Add to create the IPsec VPN Tunnel 2, and enter the parameters following:

• Policy Name: test_2
• Mode: LAN-to-LAN
• Remote Gateway: 192.168.1.114
• WAN: WAN/LAN1
• Local Subnet: 192.168.10.1/24
• Remote Subnet: 192.168.0.1/24
• Pre-shared Key: tplink
• Status: Enable

5. Click Advanced Settings, and specify the parameters of Phase-1 and Phase-2 the same as Tunnel 1.

6. Go to VPN > IPsec > IPsec SA, you can see Tunnel 1 is established successfully.

Step3: Configure IPsec Failover on Router2

1. Go to VPN > IPsec > IPsec Policy > Failover Group, click Add to create a failover group, and specify the parameters following:

• Group Name: test_failover
• Primary IPsec: test_1
• Secondary IPsec: test_2
• Automatic Failback: Enable
• Gateway failover time-out: 10
• Status: Enable

Note: Automatic Failback is used for automatically switching back to the primary connection when it is reachable, if you want to realize this function, you should make sure the WAN port in the remote site is Pingable.

Sometimes the remote site router blocks Ping from WAN by default, in this case, it is needed to eliminate this setting.

Take Router1 and an example:

Go to Firewall > Attack Defense > Packet Anomaly Defense, uncheck the Block Ping from WAN, and click Save to save the change.

Verification Process

1. Unplug the cable from the Router2 WAN port to simulate the Internet link of ISP1 dropouts. Go to System Tools > System Log to see the process of switching from Primary Tunnel to Secondary Tunnel.

2. Go to VPN > IPsec > IPsec SA to see if the current tunnel is Secondary Tunnel.

3. Re-plug the cable to the WAN port of Router2 to simulate the reconnection of ISP1. Go to System Log to see the switching back from Secondary Tunnel to Primary Tunnel.

4. Go to VPN > IPsec > IPsec SA to see if the current tunnel is Primary Tunnel.

Get to know more details of each function and configuration please go to Download Center to download the manual of your product.