Add a Load Balance VPN Connection

This article demonstrates how to use VPN trunk in load balance mode. With this feature, we can have two VPN connections destined to the same remote network via different WAN interfaces, and VPN traffic to be balanced across the two tunnels.

DrayOS Linux

Before setting up the tunnel, please make sure PPTP and IPsec service is enabled in VPN and Remote Access >> Remote Access Control.

1. On the VPN server (Dial-In Site), create an IPsec VPN profile. In GRE Settings, check "Enable IPsec Dial-Out function GRE over IPsec" and enter an IP address for My GRE IP and Peer GRE IP.

a screenshot of DrayOS VPN profile

2. On the VPN server, create another IPsec VPN profile with almost the same configuration, except for the My GRE IP and Peer GRE IP should be different.

3. On VPN Client (Dial-Out Site), create an IPsec VPN profile. In GRE Settings, check "Enable IPsec Dial-Out function GRE over IPsec" and enter the VPN Server's "Peer GRE IP" of the first profile Client's My GRE IP, Server's "My GRE IP" at Client's Peer GRE IP.

a screenshot of DrayOS VPN profile

4. Similarly, create another IPsec VPN profile with almost the same configuration, except that My GRE IP should be the "Peer GRE IP" of the Server's second profile, and Peer GRE IP should be the "My GRE IP" of the same profile.　

a screenshot of DrayOS VPN profile

5. After creating 4 IPsec VPN Profile, on the VPN Client, go to VPN and Remote Access >> VPN TRUNK Management >> General Setup.

Give a profile name and enable it
Select the VPN profiles created for VPN load balance as Member1 and Member2
Select Load Balance as Active Mode and click Add
The VPN Trunk settings on VPN client

a screenshot of DrayOS VPN Trunk General Setup

Now, we can check the VPN status after VPN trunk is established successfully on VPN and Remote Access >> Connection Management page, and we should see both the VPN are up and have traffic.

a screenshot of DrayOS VPN status showing both VPN tunnels are established and have data statistics

Note: The VPN load balance algorithm is round robin by default. Detailed load balance policy, such as weight, source IP, destination IP or destination ports, can be configured by clicking Advanced in VPN TRUNK Management >> Load Balance Profile List.

More options of VPN trunk

The Configuration of VPN Server (Dial-In)

1. On VPN Server, create the first IPsec VPN profile. In Basic Tab:

Check Enable
Select "WAN 1" for Dial-Out Through
Input the Local IP/ Subnet Mask as the LAN IP this router
Enter the VPN Client's WAN 1 IP at Remote Host IP
Input the Remote IP/ Subnet Mask as the LAN IP of VPN Client
Select the Auth Type as PSK, and enter the Pre-shared Key

2. Go to the GRE Tab:

Enable GRE function
Set Local GRE IP as, for example, 1.1.1.70 (this should be the Remote GRE IP on VPN Client)
Set the Remote GRE IP as, for example, 1.1.1.194 (this should be the Local GRE IP on VPN Client)
Disable Auto Generate GRE Key option

3. Similarly, create another IPsec profile, but select "WAN 2" for Dial-Out Through, and enter VPN Clients' WAN 2 IP at Remote Host IP.

4. Go to the GRE tab. Enable GRE function. Input a different Local GRE IP, for example, 2.2.2.70, and a different Remote GRE IP, for example, 2.2.2.194. Keep the GRE IP in mind, because the VPN client will need to have the match settings.

5. Go to VPN and Remote Access >> VPN TRUNK Management >> Load Balance Pool to add a new pool:

Enter Profile name

Select "Load Balance" for Mode

Add the two VPN profiles in Interfacee. (Note: Only the IPsec profiles with GRE function enabled will be listed here)
　

6. Go to VPN and Remote Access >> VPN TRUNK Management >> Load Balance Rule to add a new rule:

Check Enable

Select "ALL" for Protocol

Set Source IP Address and Subnet Mask as the LAN network of this router.

Set Destination IP Address and Subnet Mask as the LAN network of the VPN client.

For Load Balance Pool, select the profile created in the previous step.
　

The Configuration of VPN Client (Dial-Out)

1. On VPN Client, create the first IPsec VPN profile. In Basic Tab:

Check Enable

Select "WAN 1" for Dial-Out Through

Set the Local IP/ Subnet Mask as the LAN IP this router

Enter the VPN Server's WAN 1 IP at Remote Host IP

Set the Remote IP/ Subnet Mask as the LAN IP of VPN Server

Select the Auth Type as PSK, and enter the Pre-shared Key to match the settings in VPN server's first IPsec profile.

2. Go to the GRE Tab:

Enable GRE function

Set Local GRE IP to 1.1.1.194

Set Remote GRE IP to 1.1.1.70

Disable Auto Generate GRE Key option

3. Create another IPsec VPN profile to the VPN server's same network, but select WAN 2 for Dial-Out Through, and enter VPN Servers' WAN 2 IP at Remote Host. The Pre-shared Key should match the settings in VPN server's second IPsec profile.

4. Go to the GRE tab. Enable GRE function. Input 2.2.2.194 for Local GRE IP and 2.2.2.70 for Remote GRE IP.

5. Similarly, go to VPN and Remote Access >> VPN TRUNK Management >> Load Balance Pool to add a new pool for the 2 IPsec VPN profiles.

6. Similarly, go to Load Balance Rule and create a rule for the Load Balance Pool created.

7. After finishing the settings, two IPsec VPN tunnels should be online at the same time. We can see the status of 2 VPNs on Connection Management page.

Note: The Auto Generate GRE Key option works only between Vigor3900/Vigor2960 routers. When creating a GRE over IPsec VPN to other Vigor Routers, please remember to disable the Auto Generate GRE Key option on Vigor3900, otherwise, the traffic will not pass over the VPN tunnel correctly.

Published On: 2016-08-10

Was this helpful?

Related Articles

Related Article

Overview of Two Factor Authentication (2FA) on Vigor VPN solutions

Load Balancing and Failover for multi-WAN Vigor Routers

Assign a fixed IP address for the remote VPN peer router

Add a Load Balance VPN Connection

The Configuration of VPN Server (Dial-In)

The Configuration of VPN Client (Dial-Out)

Related Articles

Related Article

Products

Resources

About