This Knowledge Article describes how to configure a Digi TransPort router to fail over between two IPsec tunnels and recover automatically when the primary peer returns.
Configure IPsec Tunnel 0
Open the web interface of the device and navigate to Configuration - Network > Virtual Private Networking (VPN) > IPsec > IPsec Tunnels > IPsec 0
Configure the primary IPsec tunnel Phase 2 as desired. For example:
Note: for more information on how to build an IPsec tunnel between two Digi TransPort routers, see the link to an Application Note at the end of this article.
Make sure that the tunnel is set to "Whenever a route to the destination is available" and that, if the tunnel is down and a packet is ready to be sent, the action is "bring the tunnel up".
Repeat these steps for the second IPsec tunnel.
Configure IPsec Tunnel 0 out of service
Navigate to Configuration - Network > Virtual Private Networking (VPN) > IPsec > IPsec Tunnels > IPsec 0 > Advanced
Check the box "Go out of service if automatic establishment fails"
Click Apply and Save Configuration.
Configure IPsec Tunnel 1 inhibit
Navigate to Configuration - Network > Virtual Private Networking (VPN) > IPsec > IPsec Tunnels > IPsec 1 > Advanced
Under "Inhibit this IPsec tunnel when IPsec tunnels" enter 0 (the number of the primary tunnel).
This option prevents IPsec Tunnel 1 from being built while IPsec Tunnel 0 is established.
Verify failover
You can verify in the eventlog that the failover happens and that the second tunnel is started as soon as the first IPsec tunnel is set out of service (the eventlog shows the newest entry first):
08:55:08, 31 Oct 2014,Eroute 1 VPN up peer: responder
08:55:08, 31 Oct 2014,New IPSec SA created by responder
08:55:08, 31 Oct 2014,(1778) IKE Notification: Initial Contact,RX
08:55:08, 31 Oct 2014,(1779) IKE Notification: Responder Lifetime,RX
08:55:08, 31 Oct 2014,(1778) New Phase 2 IKE Session 37.83.216.184,Initiator
08:55:08, 31 Oct 2014,(1776) IKE Keys Negotiated. Peer: responder
08:55:07, 31 Oct 2014,(1760) IKE SA Removed. Peer: responder,Dead Peer Detected
08:55:07, 31 Oct 2014,(1776) New Phase 1 IKE Session 37.83.216.184,Initiator
08:55:07, 31 Oct 2014,IKE Request Received From Eroute 1
08:55:07, 31 Oct 2014,(1775) New Phase 1 IKE Session 90.121.123.244,Initiator
08:55:07, 31 Oct 2014,IKE Request Received From Eroute 0
08:55:07, 31 Oct 2014,Eroute 0 Out Of Service,No SAs
08:55:07, 31 Oct 2014,Eroute 0 VPN down peer: responder
08:55:07, 31 Oct 2014,IPSec SA Deleted ID responder,Dead Peer Detected
The device will, however, keep trying to build IPsec tunnel 0 in the background until the remote peer is available again. At that point IPsec tunnel 1 is torn down because of the inhibit configuration:
08:59:07, 31 Oct 2014,(1789) IKE SA Removed. Peer: responder,Successful Negotiation
08:58:38, 31 Oct 2014,Eroute 1 VPN down peer: responder
08:58:38, 31 Oct 2014,IPSec SA Deleted ID responder,Eroute inhibited
08:58:38, 31 Oct 2014,Eroute 0 Available,No SAs
08:58:38, 31 Oct 2014,Eroute 0 VPN up peer: responder
08:58:38, 31 Oct 2014,New IPSec SA created by responder
08:58:38, 31 Oct 2014,(1789) IKE Notification: Initial Contact,RX
08:58:38, 31 Oct 2014,(1790) IKE Notification: Responder Lifetime,RX
08:58:38, 31 Oct 2014,(1789) New Phase 2 IKE Session 90.121.123.244,Initiator
08:58:38, 31 Oct 2014,(1788) IKE Keys Negotiated. Peer: responder
08:58:37, 31 Oct 2014,(1788) New Phase 1 IKE Session 90.121.123.244,Initiator
08:58:37, 31 Oct 2014,IKE Request Received From Eroute 0
08:58:37, 31 Oct 2014,(1787) IKE SA Removed. Peer: ,Negotiation Failure
08:58:37, 31 Oct 2014,(1787) IKE Negotiation Failed. Peer: ,Retries Exceeded
08:58:27, 31 Oct 2014,IKE Request Received From Eroute 0
08:58:17, 31 Oct 2014,IKE Request Received From Eroute 0
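The two eventlog extracts above are what an operator reads by hand to confirm that failover and failback worked. As an added example (not part of the original article and not a Digi tool), the Python script below parses eventlog lines in the format shown above, puts them back in chronological order, and reports when the secondary tunnel took over, when the inhibit dropped it again, and whether the secondary was ever established while the primary already had an SA (which would suggest the inhibit setting is missing). The sample log is constructed from a subset of the lines quoted in this article; the assumption that Eroute 0 is the primary and Eroute 1 the secondary matches the configuration described here.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the eventlog lines quoted in this article,
# in the order the TransPort web interface shows them (newest entry first).
SAMPLE_EVENTLOG = """\
08:59:07, 31 Oct 2014,(1789) IKE SA Removed. Peer: responder,Successful Negotiation
08:58:38, 31 Oct 2014,Eroute 1 VPN down peer: responder
08:58:38, 31 Oct 2014,IPSec SA Deleted ID responder,Eroute inhibited
08:58:38, 31 Oct 2014,Eroute 0 Available,No SAs
08:58:38, 31 Oct 2014,Eroute 0 VPN up peer: responder
08:58:38, 31 Oct 2014,New IPSec SA created by responder
08:58:37, 31 Oct 2014,IKE Request Received From Eroute 0
08:55:08, 31 Oct 2014,Eroute 1 VPN up peer: responder
08:55:08, 31 Oct 2014,New IPSec SA created by responder
08:55:07, 31 Oct 2014,IKE Request Received From Eroute 1
08:55:07, 31 Oct 2014,Eroute 0 Out Of Service,No SAs
08:55:07, 31 Oct 2014,Eroute 0 VPN down peer: responder
08:55:07, 31 Oct 2014,IPSec SA Deleted ID responder,Dead Peer Detected
"""

# Line layout: "HH:MM:SS, DD Mon YYYY,<message>[,<reason>]"
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d), (\d\d \w{3} \d{4}),(.*)$")
# Tunnel state messages: "Eroute <n> VPN up|VPN down|Out Of Service|Available"
EROUTE_RE = re.compile(r"^Eroute (\d+) (VPN up|VPN down|Out Of Service|Available)\b")


def parse_eventlog(text):
    """Parse eventlog text into (timestamp, message) tuples, oldest first.

    The router lists the newest entry first, so the list is reversed and then
    stable-sorted on timestamp; same-second entries keep their true order.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or non-eventlog line
        ts = datetime.strptime(f"{m.group(2)} {m.group(1)}", "%d %b %Y %H:%M:%S")
        events.append((ts, m.group(3)))
    events.reverse()
    events.sort(key=lambda e: e[0])
    return events


def analyse_failover(text, primary=0, secondary=1):
    """Walk the eventlog and report failover / failback between two Eroutes.

    failover_at  : secondary came up while the primary had no SA
    failback_at  : secondary went down again after the primary SA came back
    inhibit_seen : an SA was deleted with reason "Eroute inhibited"
    secondary_up_while_primary_up : secondary established while the primary
                   already had an SA (the inhibit setting is probably missing)
    primary_in_service : primary is not flagged "Out Of Service" at log end
    active_tunnels : Eroute numbers with an SA up at the end of the log
    """
    state = {}  # eroute -> {"sa_up": bool, "in_service": bool}

    def st(er):
        return state.setdefault(er, {"sa_up": False, "in_service": True})

    result = {"failover_at": None, "failback_at": None, "inhibit_seen": False,
              "secondary_up_while_primary_up": False}

    for ts, msg in parse_eventlog(text):
        if msg.startswith("IPSec SA Deleted") and msg.endswith("Eroute inhibited"):
            result["inhibit_seen"] = True
        m = EROUTE_RE.match(msg)
        if not m:
            continue
        er, ev = int(m.group(1)), m.group(2)
        if ev == "VPN up":
            if er == secondary:
                if not st(primary)["sa_up"] and result["failover_at"] is None:
                    result["failover_at"] = ts
                elif st(primary)["sa_up"]:
                    result["secondary_up_while_primary_up"] = True
            st(er)["sa_up"] = True
        elif ev == "VPN down":
            st(er)["sa_up"] = False
            if (er == secondary and st(primary)["sa_up"]
                    and result["failover_at"] is not None
                    and result["failback_at"] is None):
                result["failback_at"] = ts
        elif ev == "Out Of Service":
            st(er)["in_service"] = False
        elif ev == "Available":
            st(er)["in_service"] = True

    result["primary_in_service"] = st(primary)["in_service"]
    result["active_tunnels"] = sorted(er for er, s in state.items() if s["sa_up"])
    return result


if __name__ == "__main__":
    for key, value in analyse_failover(SAMPLE_EVENTLOG).items():
        print(f"{key}: {value}")
```

Paste the eventlog text exported from the router into `SAMPLE_EVENTLOG` (or read it from a file) to check a real failover; a `secondary_up_while_primary_up` of True or a missing `failback_at` after the primary peer has returned points at the inhibit setting on IPsec 1 rather than at the peer.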
You can find a more in-depth Application Note on how to build an IPsec tunnel between two Digi TransPort routers using a pre-shared key, as in our example, at the following link:
AN10
Last updated:
Jan 09, 2024