This article describes how to create two VPN tunnels with a backup VPN peer.
When the primary VPN peer is unreachable, the backup peer takes over the connection.
When the primary VPN peer comes back, the connection fails back to it using BGP.

We will use a routed (route-based) VPN, and BGP will distribute the routes over the tunnel interfaces.

Primary tunnel
  Local VPN peer IP:      185.105.202.41
  Local VPN tunnel IP:    172.30.30.2
  Local vNet subnet:      172.16.1.0/24
  Remote VPN peer IP:     188.126.112.105
  Remote VPN tunnel IP:   172.30.30.1
  Remote vNet subnet:     192.168.5.0/24

Backup tunnel
  Local VPN peer IP:      185.105.202.42
  Local VPN tunnel IP:    172.30.31.2
  Local vNet subnet:      172.16.1.0/24
  Remote VPN peer IP:     188.126.114.214
  Remote VPN tunnel IP:   172.30.31.1
  Remote vNet subnet:     192.168.5.0/24




Tested this between two vCloud tenants and started a ping between VMs.

Both tunnels were up.
Checked the routing table on the Edge via SSH.

BGP is learning the following route:

vse-279442fe-571c-47c7-a74e-e003c86b1e1a-0> show ip route bgp

Codes: O - OSPF derived, i - IS-IS derived, B - BGP derived,
C - connected, S - static, L1 - IS-IS level-1, L2 - IS-IS level-2,
IA - OSPF inter area, E1 - OSPF external type 1, E2 - OSPF external type 2,
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

B       192.168.5.0/24       [20/0]        via 172.30.30.1

Disabled the primary VPN tunnel to force it down. After 60 seconds BGP was learning the following route instead:

vse-279442fe-571c-47c7-a74e-e003c86b1e1a-0> show ip route bgp

Codes: O - OSPF derived, i - IS-IS derived, B - BGP derived,
C - connected, S - static, L1 - IS-IS level-1, L2 - IS-IS level-2,
IA - OSPF inter area, E1 - OSPF external type 1, E2 - OSPF external type 2,
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

B       192.168.5.0/24       [20/0]        via 172.30.31.1


And the ping gave replies again.


Re-enabling the primary tunnel changed the route back to:

vse-279442fe-571c-47c7-a74e-e003c86b1e1a-0> show ip route bgp

Codes: O - OSPF derived, i - IS-IS derived, B - BGP derived,
C - connected, S - static, L1 - IS-IS level-1, L2 - IS-IS level-2,
IA - OSPF inter area, E1 - OSPF external type 1, E2 - OSPF external type 2,
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

B       192.168.5.0/24       [20/0]        via 172.30.30.1

There were no pings lost.
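The three routing-table snapshots above are what an operator would watch to confirm failover and failback. The following script is an added example, not part of the original article: it parses the Edge's "show ip route bgp" output, maps the BGP next hop to the primary or backup tunnel using the remote tunnel IPs from the address tables, and reports the transitions across successive snapshots. The snapshots embedded below are constructed from the output shown in the article.

```python
import re

# Remote tunnel IPs from the address tables, mapped to the tunnel they belong to.
TUNNEL_BY_NEXTHOP = {
    "172.30.30.1": "primary",
    "172.30.31.1": "backup",
}

# One route line of "show ip route bgp": code, prefix, [distance/metric], next hop.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z][A-Z0-9]?)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+"
    r"\[(?P<distance>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nexthop>\d+\.\d+\.\d+\.\d+)"
)


def parse_bgp_routes(output):
    """Return the BGP-learned routes found in an Edge 'show ip route bgp' listing.

    The prompt and the legend lines ("Codes: O - OSPF derived, ...") never match
    the route pattern, so they are skipped without special handling.
    """
    routes = []
    for line in output.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m and m.group("code") == "B":
            routes.append({
                "prefix": m.group("prefix"),
                "distance": int(m.group("distance")),
                "metric": int(m.group("metric")),
                "nexthop": m.group("nexthop"),
            })
    return routes


def active_tunnel(output, prefix, tunnel_by_nexthop=TUNNEL_BY_NEXTHOP):
    """Name the tunnel currently carrying `prefix`, 'unknown' for an unexpected
    next hop, or None when BGP has no route for it (remote site unreachable)."""
    for route in parse_bgp_routes(output):
        if route["prefix"] == prefix:
            return tunnel_by_nexthop.get(route["nexthop"], "unknown")
    return None


def failover_events(snapshots, prefix, tunnel_by_nexthop=TUNNEL_BY_NEXTHOP):
    """Given successive routing-table snapshots, return the tunnel in use per
    snapshot and the (before, after) transitions between them."""
    states = [active_tunnel(s, prefix, tunnel_by_nexthop) for s in snapshots]
    events = [(a, b) for a, b in zip(states, states[1:]) if a != b]
    return states, events


# Constructed snapshots, copied from the three routing tables shown above.
LEGEND = """vse-279442fe-571c-47c7-a74e-e003c86b1e1a-0> show ip route bgp

Codes: O - OSPF derived, i - IS-IS derived, B - BGP derived,
C - connected, S - static, L1 - IS-IS level-1, L2 - IS-IS level-2,
IA - OSPF inter area, E1 - OSPF external type 1, E2 - OSPF external type 2,
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
"""
SNAPSHOTS = [
    LEGEND + "B       192.168.5.0/24       [20/0]        via 172.30.30.1\n",  # both tunnels up
    LEGEND + "B       192.168.5.0/24       [20/0]        via 172.30.31.1\n",  # primary disabled
    LEGEND + "B       192.168.5.0/24       [20/0]        via 172.30.30.1\n",  # primary re-enabled
]

if __name__ == "__main__":
    states, events = failover_events(SNAPSHOTS, "192.168.5.0/24")
    print("tunnel in use per snapshot:", states)
    print("transitions:", events)
```

Run periodically against a fresh "show ip route bgp" capture, a transition to "backup" is the signal that the primary peer is down, and a None result means neither tunnel is advertising the remote subnet.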



  1. VPN Configuration PRIMARY:
    Make sure to enter 0.0.0.0/0 as the Local and Remote subnet.
    The tunnel traffic will be routed by BGP.

    Make sure to select Route Based and enter a tunnel interface IP and MTU size.

  2. VPN Configuration BACKUP:
    Make sure to enter 0.0.0.0/0 as the Local and Remote subnet.
    The tunnel traffic will be routed by BGP.

    Make sure to select Route Based and enter a tunnel interface IP in a different subnet than the primary one, and an MTU size.

  3. BGP Configuration PRIMARY:
    Configure BGP: go to Routing => Routing Configuration.
    Select a Router ID.

  4. Go to Routing => BGP.
    Enable the required settings and choose a local AS.

  5. Under Neighbors, click on the + to add a neighbor.

  6. Enter the tunnel IP of the remote site.
    Enter the Remote AS.

    Make sure the Weight is higher than on the BACKUP BGP site; the default is 60.

  7. BGP Configuration BACKUP:
  8. Configure BGP: go to Routing => Routing Configuration.
    Select a Router ID.

  9. Go to Routing => BGP.
    Enable the required settings and choose a local AS.
  10. Enter the tunnel IP of the remote site.
    Enter the Remote AS.

    Make sure the Weight is lower than on the PRIMARY BGP site; the default is 60.

  11. Configure Route Redistribution for the Primary VPN:
    Go to Routing => Route Redistribution.
    Enable BGP Status.

  12. Click on + under Route Prefix.

  13. Enter a Name for the IP Prefix and enter the Primary vNet subnet.

  14. Click on + under Route Redistribution Table.

  15. Choose the Prefix from the previous step and set:
    Learner Protocol: BGP
    Allow Learning From: Connected
    Action: Permit