We’re trying to set up IPsec communication between a Pritunl server in Azure and our local on-prem servers (using a WatchGuard box).
What would be some recommended options? It seems the Pritunl server cannot act as a Pritunl link host, so should we install other VPN software (like strongSwan) on the Pritunl server to manage the S2S connection?
Thanks
PS: we tried using the Azure VPN Gateway but couldn’t get the routing to work, so we thought using a direct IPsec connection would be simpler and less expensive.
The pritunl-link package provides the link client. It can use either IPsec from strongSwan or WireGuard if wireguard-tools is also installed. More information is available in the link documentation.
Sure, but the doc specifically states "The pritunl-link client cannot run on a Pritunl server and the Pritunl server will not function as a link host. All hosts must be defined in the link configuration."
Does that mean that we need another server only to run the Pritunl link client?
In this case, a high availability config would need 4 servers, 2 Pritunl servers and 2 Pritunl links?
To have a high availability site-to-site link both sides need to run the Pritunl link client. It can’t be static hosts using other IPsec clients. There would need to be a replica set of 3 MongoDB servers, 2 Pritunl servers and 2 Pritunl link clients at each site.
Wouldn’t it be possible to have 2 separate pairs of Pritunl server/link, connected to a static host? They would be configured with 2 different VPN IP ranges. The Pritunl VPN client would choose one Pritunl server at random, so it would be HA as well?
There can’t be two hosts creating a site-to-site link between 2 networks at the same time. Pritunl link requires the subnets to be added to the routing table; it isn’t just for providing VPN clients access.
I think if it’s used in WireGuard mode it’s less likely to create a conflict. But there are configurations where issues will occur. I don’t know all of the configurations that will cause issues or test for it.
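A small check for the routing-table conflict discussed in this thread (two link hosts both pushing the same remote subnet), as an added example that is not part of the thread or of the Pritunl project. It parses `ip -4 route show` style output; the routing table embedded below is constructed for illustration, and the interface names and addresses in it are assumptions, not anything from the thread.

```python
"""Detect conflicting site-to-site routes in `ip route show` output.

Added example, not part of the Pritunl project. The routing table below is
constructed for illustration; on a real host run `ip -4 route show > routes.txt`
and pass the file as the first argument.
"""
import ipaddress
import re
import sys
from collections import defaultdict

# Constructed sample: two tunnel devices (wg0, wg1) both claim 192.168.10.0/24,
# which is the situation the thread warns about. Interface names and addresses
# are assumptions made for this example.
SAMPLE_ROUTES = """\
default via 10.0.0.1 dev eth0 proto dhcp
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.5
10.8.0.0/24 dev wg0 proto kernel scope link src 10.8.0.1
10.9.0.0/24 dev wg1 proto kernel scope link src 10.9.0.1
192.168.10.0/24 via 10.8.0.2 dev wg0
192.168.10.0/24 via 10.9.0.2 dev wg1
192.168.20.0/24 via 10.8.0.2 dev wg0
192.168.20.128/25 via 10.9.0.2 dev wg1
"""

ROUTE_RE = re.compile(r"^(?P<dst>default|\S+)(?: via (?P<via>\S+))? dev (?P<dev>\S+)")


def parse_routes(text):
    """Return a list of (network, via, dev) for every gateway route in text.

    Directly connected routes (no `via`) and the default route are skipped:
    they are not site-to-site routes and legitimately overlap everything.
    """
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m or m.group("dst") == "default" or m.group("via") is None:
            continue
        net = ipaddress.ip_network(m.group("dst"), strict=False)
        routes.append((net, m.group("via"), m.group("dev")))
    return routes


def find_conflicts(routes):
    """Return {prefix: [(via, dev), ...]} for prefixes reachable through more
    than one distinct next hop: the hard conflict where two link hosts both
    push the same remote subnet."""
    by_prefix = defaultdict(set)
    for net, via, dev in routes:
        by_prefix[str(net)].add((via, dev))
    return {p: sorted(h) for p, h in by_prefix.items() if len(h) > 1}


def find_overlaps(routes):
    """Return [(prefix_a, dev_a, prefix_b, dev_b)] for overlapping but
    non-identical prefixes that exit through different devices. Longest-prefix
    match keeps these working, but they usually mean two sites advertise
    overlapping ranges and deserve a look."""
    found = []
    for i, (net_a, _, dev_a) in enumerate(routes):
        for net_b, _, dev_b in routes[i + 1:]:
            if net_a != net_b and dev_a != dev_b and net_a.overlaps(net_b):
                found.append((str(net_a), dev_a, str(net_b), dev_b))
    return found


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ROUTES
    routes = parse_routes(text)
    for prefix, hops in find_conflicts(routes).items():
        print(f"CONFLICT {prefix}: {hops}")
    for a, dev_a, b, dev_b in find_overlaps(routes):
        print(f"OVERLAP  {a} ({dev_a}) / {b} ({dev_b})")
```

On the constructed table the script reports one hard conflict (192.168.10.0/24 via both wg0 and wg1) and one overlap warning (192.168.20.0/24 on wg0 against 192.168.20.128/25 on wg1). Only gateway routes are considered, since connected subnets and the default route overlap everything by design; the overlap check is advisory, because nested prefixes resolve by longest-prefix match and are sometimes intentional.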