Re: RV340 to AWS Site-to-Site VPN with Dual IPSec Tunnels

taj1 · ‎10-17-2019

Hello,

AWS Site-to-Site VPNs typically provide two separate IPSec tunnels for redundancy (see diagram https://docs.aws.amazon.com/vpn/latest/s2svpn/VPNTunnels.html). Typically, an office router will be configured to connect to _both_ of these tunnels to prevent downtime in the event that 1 tunnel drops.

I was wondering if anyone had successfully configured an RV340 to use this dual-tunnel configuration with an AWS Site-to-Site VPN? I have tried:

* Configuring 2 Site-to-Site VPNs on the RV340, with the same Local/Remote Group that select traffic from the office router -> AWS VPC. When both VPNs are activated, traffic stops flowing.

* Configured 2 Site-to-Site VPNs using the "Inside IP Addresses" from AWS as the Local/Remote Group (169.254.x.x), and adding a Static Route to direct traffic at the tunnel. Traffic does not seem to be routed properly.

Does anyone have notes on how they have successfully configured an AWS Site-to-Site VPN using both tunnels with an RV340?

Thank you!

oatroshc · ‎04-09-2021

Hello Taj1,

This is Oleksiy from Cisco Small Business Case Management Team. Indeed, there is a recommendation from Amazon to have 2 tunnels to AWS to achieve redundancy. RV34x family currently is able to use 1 active tunnel at a time. To be totally precise, it is even capable to use even 2 active tunnels, but by design, there is no routing mechanism like 'ip sla', for instance, Cisco Enterprise family units have, which will properly route the packets to AWS Cloud once 1st or 2nd tunnel goes down.

Again, even though this is just an AWS recommendation, but not a 'must have' requirement, recently the new Enhancement request "CSCvx94557: “Enh urgent: RV34x needs 2 active AWS tunnels with the ability to failover (like IP SLA on ASA)" was opened. I would suggest you to monitor its status using the Bug Search Tool page.

I am hoping, you can find this helpful.

Oleksiy.