
Our organization uses Sonicwall devices as our gateway/firewall for all of our locations, with VPN tunnels between each of them. Each site also has a primary and backup internet line (WAN1 and WAN2), with the secondary typically being slower than the primary.

When configuring VPN tunnels, you can specify a primary and secondary "IPSec gateway name/address". Typically, we set the primary VPN gateway to be the other location's public WAN1 IP. However, what would happen in this situation...?

Site 1 WAN1: 192.168.100.1, WAN2: 172.16.100.1
Site 2 WAN1: 192.168.200.1, WAN2: 172.16.200.1

Site 1 primary VPN pointing to 192.168.200.1, secondary pointing to 172.16.200.1
Site 2 primary VPN pointing to 172.16.100.1, secondary pointing to 192.168.100.1

(notice the second site has its connections reversed)

What determines how the connection is made? Does it depend on which device receives the "VPN handshake" packet first, or will there be two parallel tunnels made, with the tunnel used depending on what side the traffic originates from? Ideally, both primary links should be connected to each other, so I'm curious as to how it works to make sure no problems occur.

Bigbio2002

1 Answer


I haven't been able to find anything definitive from the Sonicwall documentation about this particular situation, but I think what you may have in place are Route Based VPNs.

Also after more than one tunnel interface is configured, you can add multiple overlapping static routes; each static route uses a different tunnel interface to route the traffic. This provides routing redundancy for the traffic to reach the destination.

I think the tunnels are probably configured in this way more as an exercise than for any particular reason. Possibly to not have a faster and slower tunnel, but two more balanced ones?

So in the end, the primary or secondary is determined by the routes, not the tunnels. On pages 15-18, you can find a similar situation to yours.

NickW