VPN Failover
I have two sites:
Site "I" is the IPSec initiator. It is an ER7206 controlled through a local software controller. Locally it uses the 192.168.100.0/24 subnet.
Site "R" is the IPSec Responder. It is a FortiGate 60D (willing to replace it with an ER7206 if that solves the problem). Locally it uses the 192.168.1.0/24 subnet.
Site "I" has two WANs
Ethernet Wan1: Comcast Cable Modem
Ethernet Wan2/Lan: AT&T 5G modem (currently jerry-rigged, but to eventually either get a Nighthawk M6 or an AT&T "Internet Air" device)
Site "R" currently has one WAN
Ethernet Wan1: Comcast Cable Modem
Note: I eventually plan to get an internet air device for this location as well, but trying to avoid adding that complication to the question
Normally, the following works fine
Site "I" VPN Policy over Comcast WAN connects via IPSec v1 Tunnel to Site "R" VPN Policy over Comcast WAN
I have failover internet seemingly working (or at least I got it to work once) at Site "I", failing over from Comcast to AT&T.
However, I need to go through a manual process to get the VPN to work after the failover.
If I create new VPN policies at both site "R" and site "I" and set site "R" backup VPN policy's remote IP address to site "I" AT&T address, and, upon a failover, I manually do the following, I can make it work.
- set site "R" regular VPN policy's remote subnet to something random
- set site "R" backup VPN policy's remote subnet to 192.168.1.0/24
I am looking for an alternative to this manual process.
- I've read on tp-link's site about some type of VPN failover concept but I can't find the same buttons. Maybe it doesn't work on the software controller? Would that fix the problem?
- Omada doesn't allow two VPN policies to have the same remote subnet. Is there a way to override this?
- Is there a way to turn a VPN policy off without deleting it? Concept would be to turn it off so I could then use the same subnet on a backup policy where the manual process would at least be a bit quicker
- Is there some workaround messing with the subnets on the responder side? I may not be skilled enough to implement that however. When I tried just not putting in the correct remote subnet on site "I"'s policy, I wasn't able to communicate with the resources I needed at site "R".
- Any other ideas.
Eventually I also need to implement some sort of dynamic DNS for the AT&T modem so I don't need to modify site "R" every time there is a failover.
Thanks!
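Added sketch, not from the original post and not tested on a 60D: what the FortiGate responder side of a two-tunnel setup could look like in FortiOS CLI, with one interface-mode IKEv1 tunnel per Site "I" WAN, identical selectors on both, DPD so a dead primary tunnel is actually torn down, and two static routes at different distances so traffic follows whichever tunnel is up. The address 203.0.113.10, the PSK and the DDNS hostname are placeholders, and the interface name assumes the 60D default "wan1".

```fortios
config vpn ipsec phase1-interface
    edit "siteI-comcast"
        set interface "wan1"
        set ike-version 1
        set peertype any
        set proposal aes256-sha256
        set dpd on-idle
        set remote-gw 203.0.113.10
        set psksecret "REPLACE-WITH-PSK"
    next
    edit "siteI-att"
        set interface "wan1"
        set ike-version 1
        # peer address resolved from a DDNS name for the AT&T modem (placeholder hostname)
        set type ddns
        set remotegw-ddns "siteI-att.example.invalid"
        set peertype any
        set proposal aes256-sha256
        set dpd on-idle
        set psksecret "REPLACE-WITH-PSK"
    next
end
config vpn ipsec phase2-interface
    edit "siteI-comcast-p2"
        set phase1name "siteI-comcast"
        set proposal aes256-sha256
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 192.168.100.0 255.255.255.0
    next
    # same selectors on the backup tunnel; interface mode permits the overlap
    edit "siteI-att-p2"
        set phase1name "siteI-att"
        set proposal aes256-sha256
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 192.168.100.0 255.255.255.0
    next
end
config router static
    # preferred route via the Comcast tunnel; the backup route is used only while
    # the primary tunnel interface is down
    edit 0
        set dst 192.168.100.0 255.255.255.0
        set device "siteI-comcast"
        set distance 10
    next
    edit 0
        set dst 192.168.100.0 255.255.255.0
        set device "siteI-att"
        set distance 20
    next
end
```

Firewall policies between the LAN interface and both tunnel interfaces are still needed in each direction, and the backup tunnel only comes up once the DDNS name for the AT&T side resolves to the modem's current address.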