Assuring IPSec site-2-site tunnels use a certain WAN interface from Uplink Balancing

Question

I'm currently using Uplink Balancing with one active WAN (WAN1) and one standby WAN (WAN-BAK) interface for failover. 
 I have prepared a WAN2 interface (to another ISP) and would like to add it to active interfaces in order to provide a smooth transition from one ISP to the other. 
 I assume I would loose control regarding which of the active WAN interface is being used for IPSec tunnel connections. My IPSec tunnels can only work with WAN1 since the other site is configured to accept connections only from WAN1. 
 Is there a way to ensure a certain IPSec tunnel (I currently have 2 of them) uses a certain WAN interface? 
 Can this rules/assignment be also done for LAN subnets (I have several of them)? 
 When everything is in place I would like to have the possibility to move IPSec tunnels and subnets from using WAN1 to using WAN2 one after the other. 
 Can this be done using Policy Rules? What would be an example configuration for a IPSec tunnel or subnet?

apijnappels · Accepted Answer

For the IPSec connection this is not an issue; you specifically choose the interface that is used to make the connection, so if the right one is chosen that would not be a problem. 
 
 Just make sure to NOT use Uplink Interfaces but choose the one from WAN1. 
 As for the LAN traffic you can create multipath routes for that: 
 
 Create the rule "by interface" and select the source client(s) or networks, the service and the destination. If needed all can be 'any'. 
 As for moving the IPSEC's one by one, this can only be done manually since the other side of the connection would also need to use the IP-address from WAN2 unless they are on "Respond only", but as far as I know you must anyway change the VPN connections interface manually (as by my first picture) which doesn't take too much time...

Assuring IPSec site-2-site tunnels use a certain WAN interface from Uplink Balancing

Top Replies