Allow separate Uplink Monitoring Actions when having multiple Uplink Interfaces
When designing fully-meshed VPN network constellations it can be desirable to have multiple uplink interfaces per satellite for load balancing purposes. Each uplink would then have distinct connections to other sites.
If one of the uplinks fails, however, tunnels need to fail over to the available interface. For reliability, customers often choose between multiple ISPs for their two uplinks, so the interfaces don't share IP address ranges. In a failover scenario, separate tunnel configurations must be activated in case of interface unavailability.
Uplink Monitoring, as of today, only allows a single set of actions to be defined globally. In the scenario outlined above, there is a need for separate rules per uplink interface.
Interface A connects Tunnel A to Remote A
Interface B connects Tunnel B to Remote B
In case Interface A fails, Tunnel A needs to be disabled and Tunnel A' needs to be activated on Interface B to Remote A (different local IP).
In case Interface B fails, Tunnel B needs to be disabled and Tunnel B' needs to be activated on Interface A to Remote B (different local IP).
Bob Alfson commented
If I understand your suggestion correctly, this already is possible. With two WAN connections for two Astaros, configure 'Uplink Balancing' in both. In each 'IPsec Connection', use "Uplink Interfaces" instead of a specific interface. In each, prioritize the use of one interface with a 'Multipath' rule binding IPsec traffic to it. In each 'Remote Gateway', instead of a 'Host' definition for the 'Gateway', use an 'Availability Group' with the prioritized IP of the other site first, and the other IP second.
Cheers - Bob
PS It always pays to visit the User BB to see if something is doable: http://www.astaro.org