Dual HA Pair Tunnel Support for IPSec

Oracle SD-WAN Edge supports multiple IPSec tunnels for HA pairs. The support includes multiple tunnels to the same remote endpoint IP originating across different source WAN links as well as multiple tunnels originating from the same source WAN link servicing different remote IPs.

The following illustration shows examples of supported tunnels for HA pairs. Only one tunnel of an HA pair can be active at any time. When the Active tunnel stops responding, the Standby tunnel becomes Active. You can configure the primary and secondary tunnels on the same WAN link or on different WAN links.

This illustration shows the connections described in the following text.

  • WAN 1 connects the Group 1 intranet HA pair to Service A in the Public Cloud Services. WAN 1 also connects the Active member of the Group 2 intranet HA pair to Service B in the Public Cloud Services.
  • WAN 2 connects the Standby member of the Group 2 intranet HA pair to Service B in the Public Cloud Services. WAN 2 also connects the Standby member of the Group M internet HA pair to the Remote Endpoint Service N.
  • WAN 3 connects the Active member of the Group M internet HA pair to the Remote Endpoint Service N.

Dual HA Pair IPSec supports:
  • a maximum of two tunnels when the type is defined as tunnel group – Dual HA pair.
  • defining the first tunnel in Dual HA Pair as the active tunnel by default.
  • defining either tunnel in the Dual HA Pair as the primary. In this scenario, the first tunnel to come up after configuration is the Active one.
  • allowing the Admin user to switch the role of the tunnel to active or standby for any of the Dual HA Pair tunnels.
  • Dual HA Pair tunnels with Internet and Intranet services. For example, Tunnel Group 1 in a Dual HA Pair can be on WAN link 1 on the Intranet service, and Tunnel Group M in a Dual HA Pair can be on WAN link 2 and WAN link 3 on the Internet service. Note: Within a tunnel group, all tunnels are expected to be on the same type of service (either Internet or Intranet).
  • Dual HA Pair tunnels across WAN links. For example, Tunnel 1 in a Dual HA Pair can be from WAN link 1, and Tunnel 2 in a Dual HA Pair can be from WAN link 2.
  • Dual HA Pair tunnels connecting to the same endpoint (IPs) for a single remote service. In this scenario, the source must be different WAN links.
  • Dual HA Pair tunnels connecting to different endpoints (IPs) for a single remote service. In this scenario, the source may be the same or different WAN links.
  • allowing any tunnel to be disabled and enabled when required.
  • deleting a tunnel from a Dual HA Pair group. When you delete one tunnel, the system sets the other tunnel to active upon your confirmation.
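
The group rules above can be checked against a planned tunnel inventory before it is configured. The following is an added example, not Oracle code or the product's configuration schema: the Tunnel model, the function names, and the sample groups are hypothetical, and the failover function is a simplified model of the Active/Standby behavior described on this page.

```python
from dataclasses import dataclass

@dataclass
class Tunnel:               # hypothetical model, not the product's config schema
    name: str
    wan_link: str
    service: str            # "internet" or "intranet"
    remote_ip: str
    enabled: bool = True
    responding: bool = True

def validate_group(tunnels):
    """Return rule violations for one Dual HA Pair tunnel group."""
    errors = []
    if len(tunnels) > 2:
        errors.append("group has more than two tunnels")
    if len({t.service for t in tunnels}) > 1:
        errors.append("group mixes internet and intranet services")
    for i, a in enumerate(tunnels):
        for b in tunnels[i + 1:]:
            if a.remote_ip == b.remote_ip and a.wan_link == b.wan_link:
                errors.append(f"{a.name}/{b.name}: same remote IP needs different WAN links")
    return errors

def active_tunnel(tunnels, current=None):
    """Keep the current active tunnel while it is usable; otherwise fail over.
    With no current tunnel, the first usable tunnel in the group is chosen."""
    usable = [t.name for t in tunnels if t.enabled and t.responding]
    if current in usable:
        return current
    return usable[0] if usable else None

# Constructed sample groups (documentation-range IPs), modelled on the page's examples.
GROUP_1 = [Tunnel("g1-a", "WAN1", "intranet", "192.0.2.10"),
           Tunnel("g1-b", "WAN1", "intranet", "192.0.2.11")]
GROUP_M = [Tunnel("gm-a", "WAN3", "internet", "198.51.100.5"),
           Tunnel("gm-b", "WAN2", "internet", "198.51.100.5")]
BAD = [Tunnel("x-a", "WAN1", "intranet", "203.0.113.7"),
       Tunnel("x-b", "WAN1", "internet", "203.0.113.7")]

if __name__ == "__main__":
    for name, group in (("Group 1", GROUP_1), ("Group M", GROUP_M), ("Bad", BAD)):
        print(name, validate_group(group) or "ok", "active:", active_tunnel(group))
```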