Description:
The document describes how VPN connections from multiple branch offices can be accepted at the main office with redundant equipment.


Requirements:


Scenario:
Multiple branch offices (e.g. with LANCOM 178x) are to be distributed between 2 VPN gateways with redundant equipment (e.g. LANCOM 8011).
For example, a total of 10 VPN tunnels should be distributed between 2 LANCOM 9100+ (5 tunnels each). Furthermore, a backup in case of any failure of the hardware or Internet connection should be available.
This scenario can be implemented with the use of VRRP (Virtual Router Redundancy Protocol) and RIP (Routing Information Protocol).


Normal operation:


Backup event:


Procedure:
1) On both LANCOMs at the main office, all VPN connections have to be set up accordingly. For the VPN configuration at the branch offices, enter the VPN gateway that should be contacted in normal operation (VPN → General → VPN connection list). The alternative VPN gateway is entered for the appropriate VPN connection in VPN → General → Further remote gateways.
2) At the main office, configure VRRP with two virtual routers on both LANCOM devices (IP router → VRRP).
There, first set checkmarks for VRRP activate and Propose internal services on the virtual IPs.
3) Now click the VRRP list button and create the required VRRP routers. Replace the IP addresses 192.168.1.100 and 192.168.1.200 entered here with free IP addresses in your network.
Please note that, for the second LANCOM router, the entries for main priority must be reversed.
4) In order to enable the VRRP routers to use RIP to communicate with one another, navigate to Routing protocols → RIP → RIP networks..., select the network in use and set the option RIP type to RIP-2.
5) In order to enable communication by RIP, the routing table in each of the two LANCOMs must be configured with the routes to the branch-office devices. In this example, the first VRRP router in normal operation handles the route to Office 1 and the second router handles the connection to Office 2. Configure the routing rules as they are shown in the figures below:

Routing rule for Office 1:

Routing rule for Office 2:
The routing table must then contain the following entries:

As the last change, you must define one of the two virtual routers created as the default gateway for IP addressing on the DHCP server of your network. However, it is recommended to configure the two LANCOM routers as DHCP servers for the LAN, since this allows you to distribute both virtual VRRP IP addresses in the LAN and thus also achieve load distribution in the LAN. Because both DHCP servers are active and each assigns as the gateway the virtual address for which it is the master, the clients are distributed statistically across the two routers.

6) On both devices, enable the DHCP server under IPv4 → DHCPv4 → DHCP networks. To avoid duplication, it is absolutely necessary that you set the check box for DHCP clusters.
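
The reversed main priorities from step 3 are what give each gateway one virtual IP in normal operation and both in the backup event. The following Python model is an added example, not LANCOM code: it applies the standard VRRP election rule (highest priority wins, a tie goes to the higher real IP address) to a constructed pair of VRRP lists and checks that the load is actually distributed. The device names GW-A and GW-B, their real IP addresses and the priority values 200 and 100 are assumptions, and a failed device is assumed to drop out of the election entirely.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class VrrpEntry:
    device: str      # physical gateway (constructed name)
    device_ip: str   # gateway's real LAN address (constructed)
    virtual_ip: str  # virtual router address from step 3
    priority: int    # main priority (constructed value)

# Constructed VRRP lists: the priorities on GW-B are the reverse of GW-A.
CONFIG = [
    VrrpEntry("GW-A", "192.168.1.1", "192.168.1.100", 200),
    VrrpEntry("GW-A", "192.168.1.1", "192.168.1.200", 100),
    VrrpEntry("GW-B", "192.168.1.2", "192.168.1.100", 100),
    VrrpEntry("GW-B", "192.168.1.2", "192.168.1.200", 200),
]

def elect_masters(config, failed=frozenset()):
    """Map each virtual IP to the device that is master for it.

    Standard VRRP election: highest priority wins, a tie goes to the
    higher real IP address. Devices in `failed` take no part.
    """
    masters = {}
    for vip in sorted({e.virtual_ip for e in config}):
        alive = [e for e in config
                 if e.virtual_ip == vip and e.device not in failed]
        best = max(alive, default=None,
                   key=lambda e: (e.priority, ipaddress.ip_address(e.device_ip)))
        masters[vip] = best.device if best else None
    return masters

def load_is_distributed(config):
    """True if, with all devices up, no device is master for two virtual IPs."""
    owners = list(elect_masters(config).values())
    return len(set(owners)) == len(owners)

if __name__ == "__main__":
    print("normal operation:", elect_masters(CONFIG))
    print("GW-A failed:     ", elect_masters(CONFIG, failed={"GW-A"}))
    print("load distributed:", load_is_distributed(CONFIG))
```

If load_is_distributed returns False for the priorities you entered, one device is master for both virtual IPs and the second gateway only acts as a standby.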