VPN Backup Peer?
Is there any way to specify a backup peer in any way on the 707? I really wish we could just have virtual tunnel interface route-based VPNs, but it appears we're stuck with policy-based. Specifically, I have a tunnel to an AWS site-to-site VPN and would like to be able to set up a backup peer address to the secondary peer in AWS. With Cisco ASAs I remember being able to configure a backup peer, but I can't find any way to do it with TP-Link. Is there any concept to do something like this, or is it always just stuck to a single peer configuration?
@pdava17752453 AFAIK Omada has only old-fashioned IPsec, so no interfaces. It does however support IPsec tunnel groups, where IPsec connections can fail over to a backup tunnel. So if the primary tunnel fails it will connect a failover tunnel, and optionally fail back to the primary. But it isn't seamless; you wait the DPD time before failover, say 15-20 seconds.
Modern routers support Virtual Tunnel Interfaces (VTI), which effectively enable routing over IPsec rather than just policy. Needless to say, Omada does not support VTI 😭 You might do better to use WireGuard, which Omada supports and is interface-based, so you can have prioritized routing tables for backup routes. That means packet-by-packet seamless failover.

@whereisaaron I was trying to figure out that failover policy page; I suspect it might only be available for managed connections between two TP-Link devices? It just tells me no connections are available for a failover group, and there is no way to add another connection due to the overlap warning, so all I can think of is that the feature might be reserved for automatic-type connections.
@pdava17752453 there is supposed to be new firmware coming with SD-VPN, an easy VPN between sites. However, this should work as per this documentation:
https://www.tp-link.com/au/support/faq/3575/
Note that the secondary tunnel is in responder mode, as (I think) it is only changed to initiate during failover.
WireGuard may not be an alternative yet either, sorry:
https://community.tp-link.com/en/business/forum/topic/665364
@whereisaaron I tried giving it one more attempt this morning; the tunnel just refuses to come up when in Responder mode, even when I reconfigured the AWS side to be the Initiator. Oh well, not the end of the world, but I was hopeful I could get it to work. VTIs are really the "right" way to do this.
@pdava17752453 AWS redundancy works differently. You bring up two live connections to different gateways and then use ASNs and BGP routing. Sadly TP-Link doesn't enable BGP on Omada gear until an Omada Pro L3 switch. Of course if you buy a cheap pfSense router you get BGP support, but a "business" Omada gateway - blocked! The tradeoff for buying in on a proprietary SDN. It's hard to do dynamically without BGP or VTI. VTIs are great and make complex configurations relatively easy. Again, VTI is something a cheap pfSense router will do. And you could put one ahead of your Omada gateway to provide a redundant connection.
@whereisaaron I'm very familiar with how their redundancy works and know the lack of BGP means you won't be able to have dynamic routing, but I was still expecting to at least get a crypto SA up, which wouldn't happen when putting the TP-Link in responder mode and the AWS side in "Start", which is their equivalent of Initiator mode, which seemed odd. If we just had simple VTI support you'd be fine without BGP, because AWS won't send traffic down a tunnel that's not up and the TP-Link would presumably be the same (routes down an interface that's seen as down wouldn't get put into the FIB).
I've started looking at pfSense devices; I think I may opt for one for both better crypto throughput and the VTI support. This is all just for a home setup, but I still like to be able to play around with the features I want. I originally got the TP-Link gateway so it would integrate with the rest of my Omada stuff (APs/switch), but the VPN and dynamic routing support is pretty bad. I should have just skipped it and gone with something a little more business-grade (even though TP-Link ironically calls this stuff business grade).
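The thread contrasts two failover models: interface-based VPNs (VTI or WireGuard) where a backup route simply carries a higher metric and a route via a down interface never reaches the FIB, versus a policy-based IPsec tunnel group where the backup peer is only initiated after DPD has declared the primary dead. The following Python model is an added example written for this page; it is not code from TP-Link, Omada, AWS or any poster. Interface names, prefixes, the per-second timeline and the DPD interval/retry values are constructed, and the route-based model assumes some external health monitor marks the tunnel interface down (WireGuard itself has no peer-down link state).

```python
"""Added example: route-based vs policy-based VPN failover models.

RouteBasedRouter: tunnels are interfaces, backup routes to the same prefix carry a
higher metric, and only routes via interfaces that are up are installed in the FIB.
PolicyBasedTunnelGroup: one active peer; the backup is brought up only after dead
peer detection (DPD) has missed enough probes. All values below are constructed.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Route:
    prefix: str      # destination prefix, e.g. "10.20.0.0/16" (constructed)
    interface: str   # egress tunnel interface, e.g. "wg0" (constructed)
    metric: int      # lower is preferred among routes to the same prefix


class RouteBasedRouter:
    def __init__(self, routes):
        self.rib = list(routes)                            # everything configured
        self.iface_up = {r.interface: True for r in routes}

    def set_interface(self, iface, up):
        """Link-state change, assumed to come from a tunnel health monitor."""
        self.iface_up[iface] = up

    def fib(self):
        # Routes via a down interface never reach the forwarding table.
        return [r for r in self.rib if self.iface_up.get(r.interface, False)]

    def egress_interface(self, dst):
        """Longest-prefix match over the FIB, then lowest metric; None if unreachable."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.fib() if addr in ipaddress.ip_network(r.prefix)]
        if not matches:
            return None
        best = max(matches,
                   key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, -r.metric))
        return best.interface


class PolicyBasedTunnelGroup:
    def __init__(self, primary, backup, dpd_interval=5, dpd_retries=3):
        self.primary, self.backup = primary, backup
        self.active = primary
        # Seconds of silence before DPD declares the active peer dead.
        self.dead_after = dpd_interval * dpd_retries
        self.last_seen = {primary: 0.0}

    def peer_seen(self, peer, now):
        """Record any IKE/ESP traffic or DPD reply from a peer at time `now`."""
        self.last_seen[peer] = now

    def active_peer(self, now):
        """Peer carrying traffic at `now`; fails over once the primary is declared dead."""
        if (self.active == self.primary
                and now - self.last_seen[self.primary] > self.dead_after):
            self.active = self.backup      # the backup tunnel is initiated only now
        return self.active


def time_of_failover(group, primary_dies_at, horizon=60):
    """Walk a per-second timeline: the primary answers until it dies, then goes silent.

    Returns the second at which the backup becomes the active peer, or None.
    """
    for t in range(horizon + 1):
        if t <= primary_dies_at:
            group.peer_seen(group.primary, t)
        if group.active_peer(t) == group.backup:
            return t
    return None


if __name__ == "__main__":
    # Route-based: primary wg0 (metric 10), backup wg1 (metric 20), constructed prefixes.
    rtr = RouteBasedRouter([Route("10.20.0.0/16", "wg0", 10),
                            Route("10.20.0.0/16", "wg1", 20)])
    print("both up  ->", rtr.egress_interface("10.20.1.1"))
    rtr.set_interface("wg0", False)
    print("wg0 down ->", rtr.egress_interface("10.20.1.1"))

    # Policy-based: DPD every 5 s, 3 retries, primary dies at t=10 s.
    grp = PolicyBasedTunnelGroup("aws-peer-1", "aws-peer-2")
    print("failover at t =", time_of_failover(grp, primary_dies_at=10))
```

With the constructed values, the route-based router moves traffic to `wg1` in the same lookup that sees `wg0` down, while the policy-based group only switches at t=26, i.e. after the full DPD interval times retries (15 s) has elapsed since the primary's last reply, and before the backup tunnel's own IKE negotiation, which this model ignores.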