
Author Topic: IPsec multi-wan failover  (Read 20435 times)


Offline kapara

IPsec multi-wan failover
« on: February 11, 2013, 01:23:53 pm »
Has anyone had any experience configuring this?  It is listed as an option:  http://doc.pfsense.org/index.php/2.1_New_Features_and_Changes

I have 2 offices with multi-WAN failover due to problematic internet connections, and both locations have IPsec tunnels going back to the hub (Office) location and need the VPN tunnel to be able to stay up if the WAN fails over.

Any tutorials???

Each location has only one pfSense box. Not CARP.
« Last Edit: February 11, 2013, 01:26:20 pm by kapara »
Skype ID:  Marinhd

Offline jimp

Re: IPsec multi-wan failover
« Reply #1 on: February 12, 2013, 08:00:47 am »
It should work fine, though for pfSense to pfSense you need both the IPsec tunnel set to a failover gateway group and a DynDNS entry set to the same failover gateway group, and then use that DynDNS host as the remote peer address for the other side.

Then when WAN1 fails over to WAN2, the DynDNS IP changes, so the far side knows to accept the new peer, and that's where IPsec will start connecting from.
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

Offline kapara

Re: IPsec multi-wan failover
« Reply #2 on: February 13, 2013, 10:34:27 am »
Are there any tutorials for this process?  I have not been able to find one...

Offline jimp

Re: IPsec multi-wan failover
« Reply #3 on: February 13, 2013, 10:47:19 am »
Not yet. That's really all there is to it though.

Set up DynDNS, set to use a failover gateway group.
Set up IPsec to use the same failover gateway group.
Set the other end to use the DynDNS host as the peer address.

Offline kapara

Re: IPsec multi-wan failover
« Reply #4 on: February 13, 2013, 12:58:47 pm »
But DynDNS uses a name and the gateways require IP addresses, so I am not following you.

Offline jimp

Re: IPsec multi-wan failover
« Reply #5 on: February 13, 2013, 01:12:09 pm »
IPsec peers can be hostnames.

The identifiers are left as "My IP Address" and "Peer IP Address". The remote gateway for IPsec is the DynDNS hostname.

Offline dhatz

Re: IPsec multi-wan failover
« Reply #6 on: February 13, 2013, 04:11:15 pm »
Jim, what were the changes in 2.1 that facilitated this new IPsec multi-WAN failover feature?

Offline jimp

Re: IPsec multi-wan failover
« Reply #7 on: February 13, 2013, 04:13:05 pm »
I'd have to dig through the code; I don't recall, it's been several months. databeestje originally did the work.

Offline flojose

Re: IPsec multi-wan failover
« Reply #8 on: April 25, 2013, 10:37:38 am »
Hi.

I have set this up with 2 pfSense boxes, each with 2 dedicated static-IP WANs.

Results are not what I expect.
When WAN1 goes down on the local pfSense:
DynDNS updates to the failover group.
Firewall rules using the failover group as WAN act correctly.
The IPsec tunnel does not come up. Logs show that it is trying to use the WAN1 IP address to establish the tunnel. The remote pfSense does not permit connections from that peer.

Remote pfSense:
The IPsec tunnel goes down after the timeout; as the DynDNS hostname has been updated, IPsec tries to establish the tunnel to the new IP address, and the remote pfSense does not respond.
IPsec logs show an unknown peer trying to establish a connection to the local IPsec port.

Solution:
I have to restart the racoon service on the local pfSense for racoon to start using the WAN2 IP.

Same results if WAN1 goes down on the remote pfSense.

Is there a way to add that when routing changes due to multi-WAN failover, a service (or services) can be restarted?
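The three-step setup jimp gives in reply #3 and the stuck-daemon failure flojose reports above can be traced through with a small model of the two sites, the DynDNS zone and the IKE daemon's bound address. This is an added example written for this thread, not code from pfSense or from any poster: the `Site`, `DynDNS`, `fail_gateway` and `tunnel_negotiates` names are the model's own, the `rebind_on_failover` flag is an assumed stand-in for "restart the daemon so it follows the gateway group", and every hostname and address is a constructed sample value.

```python
"""Model of pfSense-to-pfSense IPsec failover via a Dynamic DNS peer name.

Added illustration for this thread, not code from pfSense or from any poster.
Assumed simplifications: a responder accepts an IKE peer only when the
packet's source address equals what the peer's DynDNS name resolves to
right now; a listener only answers on the address its IKE daemon bound at
start-up; and without a rebind on gateway change the daemon keeps that
address after failover (the racoon behaviour flojose reports).
Hostnames and addresses below are constructed sample values.
"""
from dataclasses import dataclass, field


@dataclass
class Site:
    name: str
    wans: dict                        # gateway name -> public IP, failover priority order
    dyndns_host: str
    rebind_on_failover: bool = False  # assumed stand-in for "daemon follows the gateway group"
    down: set = field(default_factory=set)
    bound_ip: str = ""                # address the IKE daemon currently sends from / listens on

    def __post_init__(self):
        self.bound_ip = self.active_ip()

    def active_ip(self):
        """Public IP of the first gateway in the failover group that is still up."""
        for gw, ip in self.wans.items():
            if gw not in self.down:
                return ip
        raise RuntimeError(f"{self.name}: every gateway is down")


class DynDNS:
    """Toy DNS zone; each site's dyndns client updates only its own record."""
    def __init__(self):
        self.records = {}

    def update(self, site):
        self.records[site.dyndns_host] = site.active_ip()

    def resolve(self, host):
        return self.records[host]


def fail_gateway(site, gateway, dns):
    """Take one gateway down: the failover group shifts and dyndns follows it,
    but the IKE daemon only moves with it when rebind is enabled."""
    site.down.add(gateway)
    dns.update(site)
    if site.rebind_on_failover:
        site.bound_ip = site.active_ip()


def tunnel_negotiates(initiator, responder, dns):
    """True when both sides' addresses line up.

    The initiator must send from the address its own DynDNS name advertises
    (otherwise the responder logs an unknown peer), and it must reach the
    responder on the address the responder's daemon actually listens on
    (otherwise the responder never answers)."""
    source_ok = initiator.bound_ip == dns.resolve(initiator.dyndns_host)
    target_ok = dns.resolve(responder.dyndns_host) == responder.bound_ip
    return source_ok and target_ok


def run_scenario(rebind):
    """Local WAN1 fails, then hub WAN1 fails; report whether the tunnel can
    negotiate after each event."""
    dns = DynDNS()
    local = Site("local", {"WAN1": "198.51.100.10", "WAN2": "203.0.113.10"},
                 "local.example.net", rebind)
    hub = Site("hub", {"WAN1": "198.51.100.20", "WAN2": "203.0.113.20"},
               "hub.example.net", rebind)
    dns.update(local)
    dns.update(hub)
    results = {"initial": tunnel_negotiates(local, hub, dns)}
    fail_gateway(local, "WAN1", dns)
    results["after_local_failover"] = tunnel_negotiates(local, hub, dns)
    fail_gateway(hub, "WAN1", dns)
    results["after_remote_failover"] = tunnel_negotiates(local, hub, dns)
    return results


if __name__ == "__main__":
    for rebind in (False, True):
        print(f"rebind_on_failover={rebind}: {run_scenario(rebind)}")
```

Without the rebind the model reproduces both symptoms in the post: the initiator keeps sourcing from the old WAN address, which no longer matches its DynDNS record, and once the hub fails over the initiator is sent to an address nobody listens on. With the rebind every step negotiates. The model ignores DNS caching; on a real responder the old address can persist until the record's TTL expires, so "unknown peer" entries in the IPsec log shortly after a failover are the expected signature of that window rather than of a misconfiguration.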

Offline jimp

Re: IPsec multi-wan failover
« Reply #9 on: April 25, 2013, 11:47:52 am »
Try the patch from this ticket:
http://redmine.pfsense.org/issues/2896

Offline flojose

Re: IPsec multi-wan failover
« Reply #10 on: April 25, 2013, 08:43:17 pm »
Thank you so much.

I will try it.

Offline nnogales

Re: IPsec multi-wan failover
« Reply #11 on: August 01, 2013, 06:28:59 am »
I have the same issue, but I don't know how to apply the patch.

Offline Briantist

Re: IPsec multi-wan failover
« Reply #12 on: November 18, 2013, 10:07:39 am »
Did anyone ever do this successfully?

Also, has anyone successfully done multi-WAN failover with a SonicWall?

I also do not know how to apply the patch mentioned, except to manually make the changes, which doesn't seem like the best idea.

Offline jimp

Re: IPsec multi-wan failover
« Reply #13 on: November 18, 2013, 10:21:22 am »
The patch is no longer needed. There is a checkbox to activate the behavior on 2.1 (System > Advanced, Misc tab, under IP Security).

Offline Briantist

Re: IPsec multi-wan failover
« Reply #14 on: November 18, 2013, 10:26:44 am »
Ah, got it. So I guess there's no way to use multiple gateways for the remote side except to use Dynamic DNS?