Multiple PepVPN Profiles - License Question

Hello,

I’d like to have our MAX devices set up on two different PepVPN profiles, one as primary and one as backup to a different location as a failover.

Do I need the SpeedFusion license for this? Is it a broad license enabling multiple capabilities or is there a specific license I need only for multiple PepVPN profiles?

Under what condition does the MAX device decide to fail over to the second PepVPN profile? If the primary becomes available again, will it switch back?

If there’s documentation that explains all of this as well I’d really appreciate anyone who can point me to it. Thank you!

Good news. All MAX devices support at least two active VPN tunnels for exactly this purpose.

No. On some devices you can buy additional licenses to take you from 2 to 5 or 10 active VPNs and sometimes higher. The bigger balance devices can do thousands of concurrent VPN connections.

It’s not failover, it’s active-active, and you would use a routing protocol to do the failover bit. OSPF is the default. You set a higher cost to the backup tunnel so data does not flow in that direction until the primary is unavailable.

You can also use the priority outbound policy to decide which order specific traffic should use the VPN tunnels in. In that case traffic itself will fail over between tunnels when the highest priority tunnel fails completely.

None that I know of, but if you post more detail here we’ll help you work out the right config for your situation.

1 Like

Hi Martin,

Thank you so much for the replies, they really helped. To clarify, I’m referring to the SpeedFusion Hot Failover which is specifically mentioned as a premium add-on. After your explanation and reading it again, it does sound like active/active.

I’d like our inventory of MAX BR1 and MAX BR1 Minis to connect over two profiles to two different Balance devices. This is possible by default? Would like to confirm as it contradicts the info provided by Peplink at https://www.peplink.com/technology/pepvpn/

Appreciate your help!

No worries there - both of these models support 2 active PepVPN profiles at the same time - all Peplink routers do.

It doesn’t contradict that page.
SpeedFusion (Hot Failover and Bonding) is an add-on in that it is enhanced VPN capability, but the hot failover element it is referring to is how traffic is sent over WAN links at a packet level, not how traffic can be routed between datacenters at a VPN tunnel level.

That diagram shows this:

image
What it is saying is (from bottom to top):

  1. All Peplink devices that support VPN (which is just about everything pretty much) support PepVPN. This is an easy-to-configure, point-to-point VPN technology - session based, that only uses a single WAN link at any one time (and can cold failover between WAN links on a priority basis - but the failover would cause sessions to drop).

  2. SpeedFusion Hot Failover is a premium feature enhancement to PepVPN, and because it can split sessions up over multiple WAN links at the same time it is a SpeedFusion feature rather than a PepVPN feature (we talk about SpeedFusion whenever we are using VPN with multiple links at a packet level).
    Many devices now support SpeedFusion Hot Failover. In fact if you have a Peplink device that can have multiple WAN links active at the same time then I think it will always support SpeedFusion Hot Failover now by default.
    The big thing here is that although you can seamlessly fail sessions over from one WAN to another at a packet level, hot failover can only ever actively use one of those WAN links at any one time to transmit data.

  3. SpeedFusion Bonding is all the above capability but with the ability to send VPN traffic over multiple WAN links at the same time, distributing a session across more than one link at a packet level.

Now the BR1 Mini is an outlier when it comes to licensing as it was designed to be a commercial answer to the need for a very cost-effective device for cellular routing only (think the world’s best MiFi or high-volume industrial router for vending machines).

Out of the box then, the wired WAN and Wi-Fi WAN do not work on a BR1 Mini - just the cellular WAN. As a single WAN device, Hot Failover is not supported but it can still build 2 x PepVPN tunnels to two different datacenters.

You can buy a license for the BR1 Mini (MAX-BR1-MINI-LC-FS) which gives you:
Failover software license and related feature set for BR1 MINI and BR1 ESN
Enables Load Balancing, WAN Smoothing, PepVPN hot failover, Ethernet and Wi-Fi WAN

The rest of the BR1 family comes with all WANs enabled by default which means they also support SpeedFusion Hot Failover by default.

Your original question - about how to get a remote device to fail over between datacenters - is more of a routing question, i.e. when a single remote device is connected to two datacenters at the same time, which way should traffic flow and how should traffic flow back?

This can sometimes be as easy as setting a higher OSPF cost metric on the backup VPN tunnel. Other times we might need to use BGP, or an availability-based approach to failover.

2 Likes

@MartinLangmaid Thank you for the detailed explanations! This is perfect and exactly what I was looking for. Very much appreciate your help!

1 Like