Migration to Peplink Balance device

Hi, Peplink guy,

Our existing firewalls have a site-to-site VPN setting.

When a Peplink B-380 is set up between the firewall and the ISP router, the site-to-site VPN does not come up again once the WAN links have been down.

Because we cannot set up the PepVPN/SpeedFusion at the same…we have to use the site-to-site VPN for some time until Peplink devices are set up in all sites.

Any solution?

Hello @BensonLEI,
Do you have a high-level network topology showing how your network is wired and the site-to-site VPN?
Things of interest are:

  • ISP modems
  • Firewalls
  • Routers
  • Number of sites and how they connect (Point to Point topology, Star topology, Mesh topology)

I may not be the one to answer this for you, though this information will help others in the forum to assist you.
Happy to Help,
Marcus


So it comes up at the start, but if the WAN links fail and recover later the IPSEC site to site VPN fails to reconnect?

You might need to find a quiet moment to test this - recreate the issue then grab a diagnostic file and log a ticket with Peplink engineering so they can work out the cause.

Or you could look at a staged migration with the B380 sat beside your existing firewall. Have a look at the Pluss technical deep dive document for an example of that approach.


Hi, Martin,
I may have found the issue, as below:
When I shut down the first ISP link, the Peplink traces the available ISP links for outgoing traffic; when I re-plug the first ISP link, the Peplink still keeps checking the available ISP links in turn and does not fall back to the first ISP link, which causes the IPsec tunnel to not be re-formed. Is there any way to configure the first ISP link as the pre-empt or default outgoing link? Thx

Sounds like you need to enable the Terminate Sessions on link recovery option in your outbound policy:
image


Hi, Martin,

You are correct, the existing tunnel (for example, siteA-to-SiteB IPsec VPN) is not interrupted during WAN link interruption for outgoing traffic. How about the incoming traffic? It seems SiteB cannot initiate traffic to SiteA?

Thx

Thanks a lot

Are we still talking about the other firewalls' IPSEC traffic here? If so then I expect that when WAN 1 fails on the ‘hub’ device the remote site that is creating the IPSEC does not have a config that lets it then try the public IP of WAN2 on the hub.

If it was me, I’d use SpeedFusion VPN between the two Balance routers, then turn off the 3rd party IPSEC routing entirely and just use L3 routing over SpeedFusion, or if you can’t do that for compliance reasons, send IPSEC VPN over the SpeedFusion VPN.

That way no matter what happens to the WAN links at either site the site to site VPN will stay up.
