IPSec with dual WAN
-
Hi
I have a site-to-site VPN over IPsec between HO and a branch office. Now I have added one more WAN connection to the branch-side pfSense. DynDNS with a gateway group is configured and everything works as expected. DynDNS updates the failover gateway IP immediately with the help of a cron job which runs every minute.
On the HO pfSense, in IPsec phase 1, the remote gateway is configured as the branch's DynDNS hostname.
However, a failover never happens and IPsec does not automatically connect to the newly updated DynDNS hostname IP. If the branch-side pfSense is rebooted, the connection is established.
What configuration is missing that would enable IPsec to drop the tunnel established to the failed IP and re-establish a new tunnel with the changed/updated DynDNS hostname IP automatically?
Thanks
Thomas -
@thomaspsimon The only thing I can think of right now is DNS cache.
You can try to put something like this in DNS Resolver custom options:
    server:
    forward-zone:
        name: "dyndns.org."
        forward-addr: 1.1.1.1
        forward-addr: 1.0.0.1
        forward-no-cache: yes
        forward-first: yes
@thomaspsimon said in IPSec with dual WAN:
Dyndns updates the failover gateway IP immediately with the help of a cron job which runs at every one minute.
This shouldn't be necessary if you configured gateway monitor IP in gateway settings correctly.
-
@mcury said in IPSec with dual WAN:
@thomaspsimon The only thing I can think of right now is DNS cache.
You can try to put something like this in DNS Resolver custom options:
    server:
    forward-zone:
        name: "dyndns.org."
        forward-addr: 1.1.1.1
        forward-addr: 1.0.0.1
        forward-no-cache: yes
        forward-first: yes
@mcury thanks for the quick response. I hope you are referring to the HO side, but that may not be the reason because:
- a ping to the DynDNS host from the HO pfSense gives the new IP within only 2-3 minutes.
- If DNS is the issue, how does it get connected when the branch-side pfSense is rebooted?
@thomaspsimon said in IPSec with dual WAN:
Dyndns updates the failover gateway IP immediately with the help of a cron job which runs at every one minute.
This shouldn't be necessary if you configured gateway monitor IP in gateway settings correctly.
@mcury the default cron job value for the DynDNS update is as given below:
1 1 * * * root /usr/bin/nice -n20 /etc/rc.dyndns.update
I hope this means every hour, so I changed it to:
*/1 * * * * root /usr/bin/nice -n20 /etc/rc.dyndns.update
-
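The failure mode discussed above (the HO side keeps an IKE SA to the old branch IP after the DynDNS name has moved to the failover WAN) can be detected with a small monitoring check. This is an added example, not code from the thread or from pfSense: it assumes strongSwan's swanctl and the `host` resolver on the HO firewall, and the `remote '...' @ IP[port]` line layout of `swanctl --list-sas` output is an assumption; the sample output and addresses below are constructed.

```sh
#!/bin/sh
# Added example: flag an IPsec connection whose established IKE SA still
# points at an address that no longer matches the peer's DynDNS hostname.

# Print the remote IP of the IKE SA for connection $1, reading
# `swanctl --list-sas` output on stdin (assumed "remote '...' @ IP[port]").
sa_remote_ip() {
    awk -v conn="$1" '
        $1 == conn":" { inblock = 1; next }
        inblock && $1 == "remote" { sub(/\[.*$/, "", $NF); print $NF; exit }
        inblock && /^[^ ]/ { inblock = 0 }
    '
}

# Return 0 (stale) when the SA remote IP for connection $3 in the swanctl
# output $2 exists and differs from the resolved address $1, else 1.
stale_peer() {
    resolved="$1"; sas="$2"; conn="$3"
    current=$(printf '%s\n' "$sas" | sa_remote_ip "$conn")
    [ -n "$current" ] && [ "$current" != "$resolved" ]
}

# Live check on the HO firewall: resolve the branch DynDNS name and compare
# it with the current SA. Returns 0 stale, 1 OK, 2 if a lookup failed.
check_live() {
    hostname="$1"; conn="$2"
    ip=$(host -t A "$hostname" 2>/dev/null | awk '/has address/ { print $NF; exit }')
    [ -n "$ip" ] || return 2
    sas=$(swanctl --list-sas 2>/dev/null) || return 2
    if stale_peer "$ip" "$sas" "$conn"; then
        echo "STALE: $conn SA peer $(printf '%s\n' "$sas" | sa_remote_ip "$conn") != $hostname ($ip)"
        return 0
    fi
    echo "OK: $conn SA peer matches $hostname ($ip)"
    return 1
}

# Constructed sample of swanctl output for an offline demonstration.
SAMPLE_SAS=$(cat <<'EOF'
branch: #3, ESTABLISHED, IKEv2, 1a2b_i 3c4d_r*
  local  '198.51.100.1' @ 198.51.100.1[500]
  remote '203.0.113.5' @ 203.0.113.5[500]
  branch: #7, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
EOF
)

# DynDNS now resolves to the failover WAN, but the SA is still on the old IP.
if stale_peer "203.0.113.9" "$SAMPLE_SAS" branch; then
    echo "sample: SA for 'branch' is stuck on an old peer address"
fi
```

Run `check_live branch.example.dyndns.org branch` from cron on the HO side to log when the tunnel is stuck on the failed WAN address.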
Have you tried enabling the MOBIKE option on both sites?
-
@NOCling said in IPSec with dual WAN:
Have you tried enabling the MOBIKE option on both sites?
Tried, but no luck.
The issue here is that Local Host is not changing from the failed WAN IP to the failover WAN IP automatically; without that it will not happen, if I am not wrong. Please see the screenshot.
-
@thomaspsimon said in IPSec with dual WAN:
@NOCling said in IPSec with dual WAN:
Have you tried enabling the MOBIKE option on both sites?
Tried, but no luck.
The issue here is that Local Host is not changing from the failed WAN IP to the failover WAN IP automatically; without that it will not happen, if I am not wrong. Please see the screenshot.
It seems the link https://redmine.pfsense.org/issues/13076 talks about the same issue and an edit to the rc.ipsec file fixes the issue.
But I didn't get how to make that edit.