Will "duplicated" IPsec tunnel work as failover?
-
I have a multi-WAN question for you. Maybe someone has worked on a setup like this, or maybe my idea will die on the vine.
I have two locations, both have two WAN connections. Is it possible to create two IPsec tunnels this way?
IPSEC connection 1
WAN 1 location A --------- IPSEC ------------ WAN 1 location B
P2 10.10.10.0/24 ---------------------------- P2 192.168.168.0/24
IPSEC connection 2
WAN 2 location A --------- IPSEC ------------ WAN 2 location B
P2 10.10.10.0/24 ---------------------------- P2 192.168.168.0/24
Does anyone have experience with connections organized like this?
If so, what will happen in case of loss of e.g. the WAN 1 connection? Will the second tunnel work as a failover in this case? Will such a configuration in pfSense work OOTB?
I saw that some of you are using Routed VTI and BGP, but I am trying to avoid additional complexity.
I will be grateful for your answers.
-
You cannot have the same P2 source+destination combinations on more than one tunnel. Only the first one loaded will work. You cannot do failover that way.
You have two choices:
1: Set up Dynamic DNS on the remote set to use a gateway group, have the tunnel use the same group, and then use the hostname as the remote address. When the remote experiences a failure it will update its hostname in DNS and then the other end will follow it. This works, but can be extremely slow since it relies on DNS (e.g. 5-10 minutes to fail over).
2: Nail up two VTI tunnels, one for each WAN, and set up BGP to handle the routing and failover.
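
An added example, not part of the thread and not Netgate's configuration: what option 2 can look like in FRR's bgpd configuration syntax for location A, using the P2 networks from the question. The VTI transit addresses, AS numbers, router ID and route-map name are constructed assumptions; location B mirrors this with the addresses and AS numbers swapped and advertises 192.168.168.0/24.

```frr
! Added example for location A. All values below are constructed assumptions:
!   VTI over WAN 1: 10.6.106.1 (A) <-> 10.6.106.2 (B)
!   VTI over WAN 2: 10.6.107.1 (A) <-> 10.6.107.2 (B)
!   AS 65001 = location A, AS 65002 = location B (private ASNs)
router bgp 65001
 bgp router-id 10.10.10.1
 ! Recent FRR releases refuse to exchange eBGP routes with a neighbor
 ! that has no route-map; disable that check for the WAN 1 neighbor.
 no bgp ebgp-requires-policy
 !
 ! One BGP session per VTI tunnel, so each WAN path is tracked separately.
 neighbor 10.6.106.2 remote-as 65002
 neighbor 10.6.106.2 description VTI over WAN 1, preferred
 neighbor 10.6.107.2 remote-as 65002
 neighbor 10.6.107.2 description VTI over WAN 2, backup
 !
 ! Keepalive 3 s, hold time 9 s: a peer that goes silent is declared
 ! down after the hold time and its routes are withdrawn.
 neighbor 10.6.106.2 timers 3 9
 neighbor 10.6.107.2 timers 3 9
 !
 address-family ipv4 unicast
  ! Advertise the local LAN over both tunnels.
  network 10.10.10.0/24
  ! Routes learned over WAN 2 get a lower local preference, so
  ! 192.168.168.0/24 is reached through WAN 1 while that session is up.
  neighbor 10.6.107.2 route-map WAN2-BACKUP-IN in
 exit-address-family
!
route-map WAN2-BACKUP-IN permit 10
 ! Default local preference is 100; anything lower loses to WAN 1.
 set local-preference 50
!
```

Because the two tunnels carry routed VTI traffic rather than identical policy-based P2 entries, both can be up at once and BGP decides which one forwards.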
-
> Nail up two VTI tunnels, one for each WAN, and set up BGP
Man that would be a killer howto/config guide example. What's the failover time like for a setup like that? Is it a few seconds, a minute..?
edit: I found what looks like a pretty decent guide (not authored by Netgate, however)
-
@jimp Thank you for your clarification. You saved me time on testing this. I guess I have to try a more difficult way.
@luckman212 I found the same tutorial, it looks like it describes pretty much the steps we need to go through to set up dual-wan.