Author Topic: IPsec multi-wan failover  (Read 20452 times)

acriollo
Re: IPsec multi-wan failover
« Reply #15 on: December 29, 2013, 02:21:13 am »
Flojose, what was the behavior after you applied the patch code?

Results as expected?

sollostech
Re: IPsec multi-wan failover
« Reply #16 on: February 06, 2014, 04:03:32 pm »
Can this be done if one side of the VPN is not a pfSense? I am going to a Fortigate on Fiber in Atlanta with a pfSense in Michigan with Cable and DSL connections.

Thanks!

luckman212
Re: IPsec multi-wan failover
« Reply #17 on: May 28, 2014, 06:42:46 pm »
> Can this be done if one side of the VPN is not a pfSense? I am going to a Fortigate on Fiber in Atlanta with a pfSense in Michigan with Cable and DSL connections.

Did you ever get an answer on this? I have a similar scenario and before I bang my head against the wall just wanted to know if you got it working.

sollostech
Re: IPsec multi-wan failover
« Reply #18 on: May 29, 2014, 09:00:11 am »
No, unfortunately.

neo_X
Re: IPsec multi-wan failover
« Reply #19 on: June 18, 2014, 01:38:22 pm »
Hello guys,

I have pfSense firewall 2.1.3 and need to configure IPsec failover with a SonicWall. I know that SonicWall has the option to add a second peer in the IPsec VPN configuration, very easy.

Have you configured failover IPsec VPN?


niccarp89
Re: IPsec multi-wan failover
« Reply #20 on: September 01, 2014, 12:44:11 am »
Hi all, has anyone tested this again with new versions of pfSense, or have experience with it?

Also, does anyone know of a DNS service like DynDNS, but free? I have one side of the IPsec tunnel with three internet providers with CARP, so having this feature would be amazing.

How can I create the group routing pointing to the group? I have static IPs on both sides free to use.

Thanks

neo_X
Re: IPsec multi-wan failover
« Reply #21 on: September 01, 2014, 05:47:09 am »
> Hi all, has anyone tested this again with new versions of pfSense, or have experience with it?
>
> Also, does anyone know of a DNS service like DynDNS, but free? I have one side of the IPsec tunnel with three internet providers with CARP, so having this feature would be amazing.
>
> How can I create the group routing pointing to the group? I have static IPs on both sides free to use.
>
> Thanks

Hi,

I can help you with the tests, OK. Do you have a DynDNS service like noip.com?

mazur50
Re: IPsec multi-wan failover
« Reply #22 on: February 15, 2016, 04:41:49 pm »
I have a WatchGuard firewall on one end with multi-WAN; when going from WatchGuard to WatchGuard it works fine.

I now want to connect the multi-WAN WatchGuard over IPsec VPN to a pfSense box with one WAN connection.

What setup needs to be done on both sides to get this to work so the pfSense knows what remote peer to connect to?

Right now it works when the connection is dropped, but it will not drop the connection and fail over to the preferred peer.

Thanks

mill
Re: IPsec multi-wan failover
« Reply #23 on: April 05, 2016, 09:13:10 am »
> The patch is no longer needed. There is a checkbox to activate the behavior on 2.1 (System > Advanced, Misc tab, under IP Security)

I am sorry, I cannot find the checkbox in 2.2.6-RELEASE (amd64). Under (System > Advanced, Misc tab, under IP Security), there is:
"These settings have moved to VPN > IPsec on the Advanced Settings tab."

And in (VPN > IPsec on the Advanced Settings tab.) none of the options seems to be related, there are just these sections:
IPsec Logging Levels
Unique IDs
IP Compression
Strict interface binding
Unencrypted payloads in IKEv1 Main Mode
Maximum MSS
Disable Cisco Extensions
Strict CRL Checking
Make before Break
Auto-exclude LAN address

However, the documentation (https://doc.pfsense.org/index.php/Advanced_IPsec_Settings) mentions "Force IPsec Reload on Failover".

Or did the checkbox disappear because IPsec multi-wan failover is performed reliably and an IPsec restart is not needed anymore?

Thank you

jimp
  • Administrator
Re: IPsec multi-wan failover
« Reply #24 on: April 05, 2016, 09:21:59 am »
pfSense 2.2 and later uses a different IPsec daemon that no longer requires that setting.

Reinaldo Gomes
Re: IPsec multi-wan failover
« Reply #25 on: June 02, 2016, 03:16:19 pm »
> Setup DynDNS, set to use a failover gateway group.
> Setup IPsec to use the same failover gateway group.

I've done this and the DynDNS works fine, updating the IP as the interfaces go up and down. But the IPSEC config isn't getting updated unless I manually reload it. Did I miss anything?
PS: I'm using this group in a Mobile IPsec, not site-to-site.
« Last Edit: June 02, 2016, 03:51:50 pm by Reinaldo Gomes »

Reinaldo Gomes
Re: IPsec multi-wan failover
« Reply #26 on: June 08, 2016, 10:38:30 am »
I figured out what was wrong.

I was testing this failover feature by "marking the gateway as down", right at the "System -> Routing -> Edit Gateway -> Force State".
This causes the DDNS service to immediately update your DDNS record, but not the IP in the IPSEC conf file. Now I tested the failover by using the "ifconfig emx down" command, and this time both DDNS (though with some minor delay when compared to the previous option) and IPSEC updated the IP according to the active gateway's IP.

So, IPSEC doesn't update its active gateway's IP when using the "mark this gateway as down" option. Is this working as intended?

Steven Perreau
Re: IPsec multi-wan failover
« Reply #27 on: July 03, 2016, 05:11:11 pm »
And, we still have the bug that I posted:

IPSEC bound to WAN gateway group and Dynamic DNS doesn't to fail back tunnel to WAN on DDNS update
https://redmine.pfsense.org/issues/6370


What can I do to get this issue looked at? It's still an open bug, but not confirmed nor assigned for fixing.



st_rupp
Re: IPsec multi-wan failover
« Reply #28 on: July 13, 2016, 05:46:44 am »
Same here.
Got a fast but unstable Vodafone cable Link (primary) and a slow but solid Telekom ADSL (backup).
Last night, the cable link went down and up again several times. Due to the setting "enable default gateway switching" my servers were still reachable via a DynDns, but my site2site Ipsec tunnel (to DR Location) would use the wrong IP even after DynDns being updated.
The tunnel was still shown as active in the morning, but no traffic was passing. Using the Restart button to restart IPSec did NOT solve the Problem, manually stopping and starting IPsec again DOES solve the problem...

Had the same behaviour several times before...

BTW: using latest 2.3.1_5

@Steven Perreau: Did you also post a Bug report on Github? Is this necessary / useful / recommended? I don't know which platform is used by the Developers...
« Last Edit: July 13, 2016, 05:51:08 am by st_rupp »
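
The stale-address condition reported in Replies #26 and #28 (tunnel still bound to the failed WAN's IP after failover), as a check. This is an added example, not part of the thread and not pfSense code; it assumes a strongSwan-style ipsec.conf in which each conn pins the local address as `left = <ip>`, and the function names, sample config and addresses are constructed.

```shell
#!/bin/sh
# Added example. Assumption: strongSwan ipsec.conf syntax, where every
# "conn" section carries the local tunnel endpoint as "left = <ip>".

# stale_conns ACTIVE_IP < ipsec.conf
# Prints the name of each conn whose left= address differs from ACTIVE_IP.
# Exit status: 0 = all pinned conns match, 1 = stale conn found, 2 = usage.
stale_conns() {
    [ $# -eq 1 ] || { echo "usage: stale_conns ACTIVE_IP < ipsec.conf" >&2; return 2; }
    awk -v want="$1" '
        { sub(/#.*/, "") }                      # strip comments
        $1 == "conn" { name = $2; next }        # start of a new section
        name != "" && /^[ \t]*left[ \t]*=/ {    # "left" only, not leftid/leftsubnet
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)       # keep the text after "="
            sub(/[ \t]+$/, "", val)             # trim trailing blanks
            # values such as %any are resolved at runtime, not pinned
            if (val !~ /^%/ && val != want) { print name; bad = 1 }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample: con1 is still pinned to the address of the failed WAN.
sample_conf() {
    cat <<'EOF'
conn con1
    left = 198.51.100.10   # address of the WAN that went down
    leftid = 198.51.100.10
    right = 203.0.113.5
conn con2
    left = 192.0.2.20
    right = 203.0.113.9
conn mobile
    left = %any
EOF
}

# Demo: 192.0.2.20 stands in for the currently active WAN address.
sample_conf | stale_conns 192.0.2.20 || echo "stale local address in the conns listed above"
```
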

luckman212
Re: IPsec multi-wan failover
« Reply #29 on: July 13, 2016, 07:11:40 am »
> Using the Restart button to restart IPSec did NOT solve the Problem, manually stopping and starting IPsec again DOES solve the problem...

I was working on a dual-WAN system yesterday where one of the links was flapping. Had the exact same problem. Scratched my head for a while before trying what you did (completely stopping and then afterwards starting the IPsec service).