Topic: IPsec multi-wan failover (Read 19052 times)

Offline enriluis

  • Newbie
  • Posts: 15
  • Karma: +0/-0
Re: IPsec multi-wan failover
« Reply #30 on: September 12, 2017, 01:01:04 pm »
> Not yet. That's really all there is to it though.
>
> Set up DynDNS, set to use a failover gateway group.
> Set up IPsec to use the same failover gateway group.
> Set the other end to use the dyndns host as the peer address.

Sorry, but I don't have DynDNS access to make the setup because both firewalls are in my internal network (no internet access), so does another way exist to make IPsec work over multi-WAN failover?
Sorry about my English.

Offline jimp

  • Administrator
  • Hero Member
  • Posts: 20796
  • Karma: +1311/-24
Re: IPsec multi-wan failover
« Reply #31 on: September 12, 2017, 01:10:35 pm »
No, Dynamic DNS is the only viable way at the moment.

Use an internal dynamic DNS server then. Set up BIND somewhere with an RFC2136 dynamic zone and have the other firewall use it to resolve hosts for a private domain.

That's all out of scope for this thread/board though.
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!
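
An added example, not part of the posts above and not pfSense's or BIND's own documentation: a minimal BIND `named.conf` fragment for the RFC 2136 dynamic zone suggested in Reply #31. The key name, zone name, host name and file path are all assumptions chosen for illustration, and the secret is a placeholder.

```conf
// named.conf fragment (constructed example; every name below is a placeholder)

// TSIG key shared only with the multi-WAN firewall's RFC 2136 client.
// Generate the real block with: tsig-keygen -a hmac-sha256 fw-a-ddns
key "fw-a-ddns" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-paste-base64-secret-from-tsig-keygen";
};

zone "vpn.example.internal" {
    type master;
    // Dynamic zones are rewritten by named, so the file and its
    // directory must be writable by the named user.
    file "dynamic/vpn.example.internal.zone";

    // Least privilege: this key may change only the A record of one
    // host name. Whoever can update that record controls where the
    // remote firewall sends its IPsec negotiation, so do not use
    // "allow-update { any; };" or address-based ACLs here.
    update-policy {
        grant fw-a-ddns name fw-a.vpn.example.internal. A;
    };
};
```

The far-end firewall then uses `fw-a.vpn.example.internal` as the IPsec peer address, and the DNS server has to be reachable by both firewalls without going through the tunnel.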

Offline enriluis

Re: IPsec multi-wan failover
« Reply #32 on: September 13, 2017, 12:40:21 pm »
Another question... can I use a gateway group in the local endpoint? Because it is shown in my interface list.

> No, Dynamic DNS is the only viable way at the moment.
>
> Use an internal dynamic DNS server then. Set up BIND somewhere with an RFC2136 dynamic zone and have the other firewall use it to resolve hosts for a private domain.
>
> That's all out of scope for this thread/board though.

I was thinking of doing that but don't know how to. I'm using Windows Server 2012 as the internal DNS server... is it possible to do it with that? Or another possible solution found here: http://arkanis.de/weblog/2015-11-27-build-your-own-dyndns
Correct me please, thanks.

Offline jimp

Re: IPsec multi-wan failover
« Reply #33 on: September 14, 2017, 01:39:40 pm »
If it's an internal DNS server on one side or the other, then you'd have to expose that to the Internet which probably isn't what you want. It's best to have it be a server with a dedicated static address if possible. If it's all internal you end up in a catch 22/chicken-egg scenario. To reach the DNS server you need the VPN, but without the VPN, you can't reach the DNS server.