Add a Load Balance VPN Connection

This article demonstrates how to use VPN trunk in load balance mode. With this feature, we can have two VPN connections to the same remote network via different WAN interfaces, with VPN traffic balanced across the two tunnels.

Before setting up the tunnel, please make sure the PPTP and IPsec services are enabled in VPN and Remote Access >> Remote Access Control.

1. On the VPN server (Dial-In Site), create an IPsec VPN profile. In GRE Settings, check "Enable IPsec Dial-Out function GRE over IPsec" and enter an IP address for My GRE IP and Peer GRE IP.

a screenshot of DrayOS VPN profile

2. On the VPN server, create another IPsec VPN profile with almost the same configuration, except that My GRE IP and Peer GRE IP should be different.

a screenshot of DrayOS VPN profile

3. On the VPN Client (Dial-Out Site), create an IPsec VPN profile. In GRE Settings, check "Enable IPsec Dial-Out function GRE over IPsec", then enter the "Peer GRE IP" of the VPN Server's first profile as the Client's My GRE IP, and the Server's "My GRE IP" as the Client's Peer GRE IP.

a screenshot of DrayOS VPN profile

4. Similarly, create another IPsec VPN profile with almost the same configuration, except that My GRE IP should be the "Peer GRE IP" of the Server's second profile, and Peer GRE IP should be the "My GRE IP" of the same profile. 

a screenshot of DrayOS VPN profile

5. After creating the 4 IPsec VPN profiles, on the VPN Client, go to VPN and Remote Access >> VPN TRUNK Management >> General Setup.

  1. Give a profile name and enable it
  2. Select the VPN profiles created for VPN load balance as Member1 and Member2
  3. Select Load Balance as Active Mode and click Add
  4. The VPN Trunk settings on VPN client   

a screenshot of DrayOS VPN Trunk General Setup

Once the VPN trunk is established, we can check the VPN status on the VPN and Remote Access >> Connection Management page. Both VPN tunnels should be up and passing traffic.

a screenshot of DrayOS VPN status showing both VPN tunnels are established and have data statistics

Note: The VPN load balance algorithm is round robin by default. Detailed load balance policy, such as weight, source IP, destination IP or destination ports, can be configured by clicking Advanced in VPN TRUNK Management >> Load Balance Profile List.

More options of VPN trunk

 

The Configuration of VPN Server (Dial-In)

1. On VPN Server, create the first IPsec VPN profile. In Basic Tab:

  • Check Enable
  • Select "WAN 1" for Dial-Out Through
  • Input the Local IP/ Subnet Mask as the LAN IP of this router
  • Enter the VPN Client's WAN 1 IP at Remote Host IP
  • Input the Remote IP/ Subnet Mask as the LAN IP of VPN Client
  • Select the Auth Type as PSK, and enter the Pre-shared Key
a screenshot of Vigor3900

2. Go to the GRE Tab:

  • Enable GRE function
  • Set Local GRE IP as, for example, 1.1.1.70 (this should be the Remote GRE IP on VPN Client)
  • Set the Remote GRE IP as, for example, 1.1.1.194 (this should be the Local GRE IP on VPN Client)
  • Disable Auto Generate GRE Key option
     
a screenshot of Vigor3900

3. Similarly, create another IPsec profile, but select "WAN 2" for Dial-Out Through, and enter the VPN Client's WAN 2 IP at Remote Host IP.

a screenshot of Vigor3900

4. Go to the GRE tab. Enable GRE function. Input a different Local GRE IP, for example, 2.2.2.70, and a different Remote GRE IP, for example, 2.2.2.194. Keep the GRE IPs in mind, because the VPN client will need matching settings.

The GRE settings of the second profile on VPN Server

5. Go to VPN and Remote Access >> VPN TRUNK Management >> Load Balance Pool to add a new pool:

  • Enter Profile name
  • Select "Load Balance" for Mode
  • Add the two VPN profiles in Interface. (Note: Only the IPsec profiles with GRE function enabled will be listed here)
     

6. Go to VPN and Remote Access >> VPN TRUNK Management >> Load Balance Rule to add a new rule:

  • Check Enable
  • Select "ALL" for Protocol
  • Set Source IP Address and Subnet Mask as the LAN network of this router.
  • Set Destination IP Address and Subnet Mask as the LAN network of the VPN client.
  • For Load Balance Pool, select the profile created in the previous step.
     
A screenshot of Load Balance Pool Setup on VPN server

The Configuration of VPN Client (Dial-Out)

1. On VPN Client, create the first IPsec VPN profile. In Basic Tab:

  • Check Enable
  • Select "WAN 1" for Dial-Out Through
  • Set the Local IP/ Subnet Mask as the LAN IP of this router
  • Enter the VPN Server's WAN 1 IP at Remote Host IP
  • Set the Remote IP/ Subnet Mask as the LAN IP of VPN Server
  • Select the Auth Type as PSK, and enter the Pre-shared Key to match the settings in VPN server's first IPsec profile.
A screenshot of VPN profile

2. Go to the GRE Tab:

  • Enable GRE function
  • Set Local GRE IP to 1.1.1.194
  • Set Remote GRE IP to 1.1.1.70
  • Disable Auto Generate GRE Key option
a screenshot of the VPN settings in GRE tab

3. Create another IPsec VPN profile to the VPN server's same network, but select WAN 2 for Dial-Out Through, and enter the VPN Server's WAN 2 IP at Remote Host. The Pre-shared Key should match the settings in the VPN server's second IPsec profile.

a screenshot of VPN configuration of Vigor3900

4. Go to the GRE tab. Enable GRE function. Input 2.2.2.194 for Local GRE IP and 2.2.2.70 for Remote GRE IP.

a screenshot of GRE Setting in a VPN profile

5. Similarly, go to VPN and Remote Access >> VPN TRUNK Management >> Load Balance Pool to add a new pool for the 2 IPsec VPN profiles.

a screenshot of Load Balance Pool of Vigor3900

6. Similarly, go to Load Balance Rule and create a rule for the Load Balance Pool created.

a screenshot of VPN Load Balance Pool of Vigor3900

7. After finishing the settings, two IPsec VPN tunnels should be online at the same time. We can see the status of the 2 VPNs on the Connection Management page.

a screenshot of VPN management page showing 2 online VPNs and both have data transmitting

Note: The Auto Generate GRE Key option works only between Vigor3900/Vigor2960 routers. When creating a GRE over IPsec VPN to other Vigor Routers, please remember to disable the Auto Generate GRE Key option on Vigor3900; otherwise, the traffic will not pass over the VPN tunnel correctly.
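
The server and client procedures above only work when the two ends mirror each other, so it helps to write the four profiles down and check them before entering them in the web UI. The following is an added example, not DrayTek code: the field names, LAN subnets and PSK placeholders are hypothetical, and only the GRE IPs come from this article.

```python
import ipaddress

# Constructed sample profiles using the article's example GRE IPs. Field names,
# LAN subnets and PSK placeholders are hypothetical, not a DrayTek export format.
def profile(wan, local_net, remote_net, gre_local, gre_remote, psk):
    return dict(wan=wan, local_net=local_net, remote_net=remote_net,
                gre_local=gre_local, gre_remote=gre_remote, psk=psk)

SERVER = [
    profile("WAN1", "192.168.1.0/24", "192.168.2.0/24", "1.1.1.70", "1.1.1.194", "PLACEHOLDER-PSK-1"),
    profile("WAN2", "192.168.1.0/24", "192.168.2.0/24", "2.2.2.70", "2.2.2.194", "PLACEHOLDER-PSK-2"),
]
CLIENT = [
    profile("WAN1", "192.168.2.0/24", "192.168.1.0/24", "1.1.1.194", "1.1.1.70", "PLACEHOLDER-PSK-1"),
    profile("WAN2", "192.168.2.0/24", "192.168.1.0/24", "2.2.2.194", "2.2.2.70", "PLACEHOLDER-PSK-2"),
]

def check_trunk(server, client):
    """Return a list of problems; an empty list means both ends agree."""
    if len(server) != len(client):
        return ["server and client define a different number of profiles"]
    ip, net = ipaddress.ip_address, ipaddress.ip_network
    problems = []
    for n, (s, c) in enumerate(zip(server, client), start=1):
        # GRE endpoints must be mirrored between the two ends of each tunnel.
        if ip(s["gre_local"]) != ip(c["gre_remote"]):
            problems.append(f"profile {n}: server Local GRE IP != client Remote GRE IP")
        if ip(s["gre_remote"]) != ip(c["gre_local"]):
            problems.append(f"profile {n}: server Remote GRE IP != client Local GRE IP")
        # Local/Remote subnets are mirrored as well.
        if (net(s["local_net"]), net(s["remote_net"])) != (net(c["remote_net"]), net(c["local_net"])):
            problems.append(f"profile {n}: Local/Remote subnets are not mirrored")
        if s["psk"] != c["psk"]:
            problems.append(f"profile {n}: Pre-shared Key mismatch")
    for side, profiles in (("server", server), ("client", client)):
        # Each trunk member needs its own GRE IP pair and its own WAN.
        pairs = {(p["gre_local"], p["gre_remote"]) for p in profiles}
        if len(pairs) != len(profiles):
            problems.append(f"{side}: trunk members share a GRE IP pair")
        if len({p["wan"] for p in profiles}) != len(profiles):
            problems.append(f"{side}: trunk members use the same WAN interface")
    return problems

if __name__ == "__main__":
    for line in check_trunk(SERVER, CLIENT) or ["trunk profiles are consistent"]:
        print(line)
```
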

Published On: 2016-08-10 
