I have two XG firewalls. Each FW has 2 WAN connections. My goal is to set up an IPsec VPN between the two sites, using the 2 different WAN links.
I can do this pretty easily using a VPN failover group, but turning on VPN Failover disables dead peer detection. VPN failover only works if a gateway goes down; it won't notice if a tunnel is down.
Is there a way to set up the VPNs between the 2 sites that will work with DPD? Since the two VPNs use different gateways, I can actually bring them both online at the same time, but I can only imagine what a mess it would make with traffic routing if both VPNs were up at the same time.
Use VTI (route-based VPN) in XG v18.
It can establish both tunnels at the same time and the routing stack will take over. Use static routing or SD-PBR Routing to do so.
Any thoughts for v17? I played with RED tunnels and static routing, but I can't get failover there. And policy based routing on a RED tunnel doesn't seem to work.
V18 would also solve this limitation on RED.
So the upgrade would actually be the best case for you.
So SD-WAN policy routing in v18 supports RED tunnels? Seems like it might be easier to maintain control than with route-based VPN. I looked at your reference article, but I don't see how that applies to multiple IPsec tunnels to/from the same locations. Would it just be multiple tunnels with multiple routing options? Hopefully if a tunnel was down it would remove/skip that policy route in favor of a route that was up and passing traffic.