Netgate Discussion Forum

IKEv2 Site-to-Site and MultiWAN on one side

IPsec
Tags: ipsec, ddns, multi-wan, issue
stephenw10 (Netgate Administrator), last edited Sep 23, 2024, 12:58 PM

You can use an FQDN there and have it be a DynDNS name that fails over. Or set up two tunnels.

If it's inbound you can just allow connections from any remote peer.
patrick.pesegodinski @stephenw10, last edited Oct 10, 2024, 11:43 AM

@stephenw10 said in IKEv2 Site-to-Site and MultiWAN on one side:

    Does it try to connect out to the wrong IP or just disallow incoming connections from the WAN it's not expecting? Or both I guess?

    One thing you can do here is to set the remote gateway to 0.0.0.0/0 and use an identifier type other than IP address. That will allow connections from both WANs but the tunnel can then only ever be established from the multi-wan side.
    If you do try that you should check 'Disable Auto-added VPN rules' in Sys > Adv > Firewall and add your own rules to allow the IPSec traffic in from only the two remote WAN IPs. Otherwise the auto rule will allow IPSec connections from any IP. Connections will fail as they won't have the right credentials but the logs will be filled with drive-by connection attempts, potentially.

    Steve

Would this configuration help to connect IPsec on the link that is tier2?

I can only connect my tunnels to the link that is tier1.
stephenw10 (Netgate Administrator), last edited Oct 10, 2024, 1:28 PM

Well if you set one side to allow traffic from any IP address (0.0.0.0/0) then connections can only be established from the other end. That would be the multiwan end. You can set a tunnel to use a backup WAN specifically if you need to.

If you set a tunnel on a failover group it will always try to use the lowest tier WAN. That can be a different group so the VPN uses a different WAN than other traffic.
patrick.pesegodinski @stephenw10, last edited Oct 10, 2024, 1:38 PM

@stephenw10 said in IKEv2 Site-to-Site and MultiWAN on one side:

    Well if you set one side to allow traffic from any IP address (0.0.0.0/0) then connections can only be established from the other end. That would be the multiwan end. You can set a tunnel to use a backup WAN specifically if you need to.

    If you set a tunnel on a failover group it will always try to use the lowest tier WAN. That can be a different group so the VPN uses a different WAN than other traffic.

Even though I configure the backup WAN in the tunnel, it doesn't connect; I can only connect to the main WAN. I don't know if I'm forgetting some configuration.

I have 3 WANs and some IPsec tunnels. I would like to balance these tunnels between the 3 WANs, but I get stuck connecting them all to the main one.
stephenw10 (Netgate Administrator), last edited Oct 10, 2024, 2:14 PM

If you're not using a gateway group on the multiwan end and the other side is connecting to one of the non-default WANs by IP that should connect fine.

How does it fail? What errors are shown?
patrick.pesegodinski @stephenw10, last edited Oct 10, 2024, 2:20 PM

@stephenw10 I use "gateway groups" with these WANs, could that be the problem? Can't the WAN belong to a gateway group?
stephenw10 (Netgate Administrator), last edited Oct 10, 2024, 2:30 PM

The existence of a gateway group should not prevent other services being set to use a specific WAN even if it's in a group.
patrick.pesegodinski @stephenw10, last edited Oct 10, 2024, 4:19 PM

@stephenw10 Logs:

[three attached log screenshots, login required to view]
stephenw10 (Netgate Administrator), last edited Oct 10, 2024, 4:22 PM

OK that looks like the other end is not seeing the replies for some reason.

Check the state table at both ends.

Which end are those logs from?
patrick.pesegodinski @stephenw10, last edited Oct 10, 2024, 4:24 PM

@stephenw10 This is the side that has the two WANs.
stephenw10 (Netgate Administrator), last edited Oct 10, 2024, 4:31 PM

Ok so it sees the incoming request on the correct WAN and replies but the other end never sees that reply because it just sends the initial request again.

So either that reply is not actually being sent or it's sent incorrectly somehow. Or something in the route is blocking it.

I'd first check the state tables at each end. If that doesn't show something obvious then run a pcap at both ends to confirm replies are being sent and received.
patrick.pesegodinski @stephenw10, last edited Oct 10, 2024, 4:36 PM

@stephenw10 The table from the pfSense with two WANs:

[attached screenshot, login required to view]

The table from the other pfSense:

[attached screenshot, login required to view]
stephenw10 (Netgate Administrator), last edited Oct 10, 2024, 4:51 PM

OK so it never makes it to the firewall state at the remote end.

Run pcaps and make sure it's leaving the multiwan end correctly.
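The pcap check suggested in the reply above can be scripted once the capture is exported as text. The following is an added example, not code from the forum thread or from pfSense: it parses tcpdump-style summary lines for IKEv2 IKE_SA_INIT packets and, for every request that arrived on one of the multi-WAN firewall's addresses, reports whether a reply went back at all and whether it was sourced from the same WAN address the request was sent to (the two failure modes discussed in the thread: reply never sent, or reply sent from the wrong WAN). The line format is my assumption about tcpdump's default isakmp output, the addresses use documentation prefixes, and the capture lines are constructed, not the poster's.

```python
"""Pair IKEv2 IKE_SA_INIT requests with their replies in a text capture taken on the
multi-WAN side and flag unanswered or wrongly-sourced replies.
Added example; line format assumed to follow tcpdump's isakmp summary output."""
import re
from dataclasses import dataclass

# Constructed addresses (documentation prefixes): two WANs on this firewall, one remote peer.
WAN1_IP = "203.0.113.10"        # tier 1 WAN
WAN2_IP = "198.51.100.10"       # tier 2 WAN the tunnel is meant to use
REMOTE_PEER_IP = "192.0.2.20"

# Assumed tcpdump summary shape: "<ts> IP <src>.<sport> > <dst>.<dport>: isakmp: ... ikev2_init[I|R]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"isakmp: .*ikev2_init\[(?P<role>[IR])\]"
)

# Constructed capture: first request answered from the wrong WAN, second request
# unanswered (peer retransmits), third request answered correctly.
SAMPLE_CAPTURE = """\
10:00:00.000001 IP 192.0.2.20.500 > 198.51.100.10.500: isakmp: parent_sa ikev2_init[I]
10:00:00.000900 IP 203.0.113.10.500 > 192.0.2.20.500: isakmp: parent_sa ikev2_init[R]
10:00:04.000001 IP 192.0.2.20.500 > 198.51.100.10.500: isakmp: parent_sa ikev2_init[I]
10:00:08.000001 IP 192.0.2.20.500 > 198.51.100.10.500: isakmp: parent_sa ikev2_init[I]
10:00:08.000700 IP 198.51.100.10.500 > 192.0.2.20.500: isakmp: parent_sa ikev2_init[R]
"""


@dataclass
class IkePacket:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    role: str  # "I" = initiator request, "R" = responder reply


def parse_capture(text):
    """Return the IKE_SA_INIT packets found in tcpdump-style text, in capture order."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packets.append(IkePacket(m["ts"], m["src"], int(m["sport"]),
                                     m["dst"], int(m["dport"]), m["role"]))
    return packets


def check_replies(packets, local_wan_ips):
    """For each request addressed to one of our WAN IPs, find the reply that follows it
    before the peer retransmits, and check the reply's source address.
    Returns a list of (request timestamp, verdict) tuples."""
    results = []
    for i, pkt in enumerate(packets):
        if pkt.role != "I" or pkt.dst not in local_wan_ips:
            continue
        verdict = "no reply seen"
        for later in packets[i + 1:]:
            if later.role == "I" and later.src == pkt.src:
                break  # peer retransmitted: this request went unanswered
            if later.role == "R" and later.dst == pkt.src and later.dport == pkt.sport:
                if later.src == pkt.dst:
                    verdict = "ok"
                else:
                    verdict = f"reply sourced from wrong WAN {later.src}, expected {pkt.dst}"
                break
        results.append((pkt.ts, verdict))
    return results


if __name__ == "__main__":
    for ts, verdict in check_replies(parse_capture(SAMPLE_CAPTURE), {WAN1_IP, WAN2_IP}):
        print(ts, verdict)
```

Run the same function over a capture taken at the remote end: if the multi-WAN side reports "ok" for a request but the remote capture shows no reply arriving, the drop is somewhere in the path between them rather than in either firewall's IPsec configuration.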
stephenw10 (Netgate Administrator), last edited Oct 10, 2024, 4:52 PM

You might also try just pinging between those sites using that WAN as source and see if it gets to the remote side as expected.
patrick.pesegodinski @stephenw10, last edited Oct 10, 2024, 5:11 PM

@stephenw10
I think I found the problem. I was using this configuration:

[attached screenshot, login required to view]

Because I used 0.0.0.0 in remote gateway.

After I switched to, it worked.

[attached screenshot, login required to view]
stephenw10 (Netgate Administrator), last edited Oct 10, 2024, 5:14 PM

You should be able to use ASN at both ends as long as it all matches.
patrick.pesegodinski @stephenw10, last edited Oct 10, 2024, 5:22 PM

@stephenw10 With ASN, the tunnel only connects to the WAN with tier1.

I block the ping protocol on both WANs for external requests, could this affect the IPsec request?
stephenw10 (Netgate Administrator), last edited Oct 10, 2024, 5:25 PM

Does that ASN resolve to the other WAN IP perhaps?
patrick.pesegodinski @stephenw10, last edited Oct 10, 2024, 5:46 PM

@stephenw10 I think so.

How do I test?
stephenw10 (Netgate Administrator), last edited Oct 10, 2024, 6:52 PM

Just try to resolve it somewhere. In Diag > DNS Lookup in pfSense for example.

If you use an IP address or something that actually resolves, it must match the actual address IPSec is using.
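The closing point of the thread, that a peer identifier which is an IP literal or a name that resolves must match the WAN address IPsec is actually bound to, and the earlier advice to replace the automatic "any source" IPsec rule with rules limited to the known remote WAN addresses, can both be checked with a short script. This is an added example, not code from the thread or from pfSense. The resolver is injected so it runs offline against a constructed DNS table standing in for a Diag > DNS Lookup result; against a live system pass `live_resolve` instead. All names and addresses are constructed, and the tuple form of the allow-list is my own representation, not pfSense's rule format.

```python
"""Check an IPsec peer identifier against the WAN it is bound to, and build the
explicit IKE/NAT-T/ESP allow-list from the known remote peer addresses.
Added example; DNS table and addresses are constructed."""
import ipaddress
import socket

# Constructed DNS answers: the DynDNS name still points at the tier 1 WAN, while a
# second name tracks the tier 2 WAN the tunnel is supposed to use.
FAKE_DNS = {
    "site-b.example.net": ["203.0.113.10"],
    "site-b-wan2.example.net": ["198.51.100.10"],
}


def fake_resolve(name):
    """Offline stand-in for a DNS lookup (constructed table above)."""
    return FAKE_DNS.get(name, [])


def live_resolve(name):
    """Real lookup for use on a system with DNS access."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def check_identifier(identifier, bound_wan_ip, resolve=fake_resolve):
    """Return (ok, detail). An IP-literal identifier must equal the bound WAN address;
    a name must resolve to it, otherwise the far end expects IKE from a different
    address than the one this tunnel actually sends from."""
    try:
        literal = ipaddress.ip_address(identifier)
    except ValueError:
        literal = None
    if literal is not None:
        ok = str(literal) == bound_wan_ip
        return ok, f"identifier {identifier} {'matches' if ok else 'does not match'} bound WAN {bound_wan_ip}"
    answers = resolve(identifier)
    if not answers:
        return False, f"{identifier} does not resolve"
    ok = bound_wan_ip in answers
    return ok, f"{identifier} resolves to {answers}; tunnel is bound to {bound_wan_ip}"


def ike_allow_list(remote_peer_ips):
    """Rules to add by hand once 'Disable Auto-added VPN rules' is checked:
    IKE (UDP 500), NAT-T (UDP 4500) and ESP, each limited to the known remote
    WAN addresses instead of any source. Represented here as (proto, src, dst_port)."""
    rules = []
    for ip in sorted(remote_peer_ips, key=ipaddress.ip_address):
        rules.append(("udp", ip, 500))
        rules.append(("udp", ip, 4500))
        rules.append(("esp", ip, None))
    return rules


def is_allowed(rules, proto, src_ip, dst_port=None):
    """Evaluate an inbound attempt against the restricted rule set."""
    return any(
        r_proto == proto and r_src == src_ip and (r_port is None or r_port == dst_port)
        for r_proto, r_src, r_port in rules
    )


if __name__ == "__main__":
    for ident in ("site-b.example.net", "site-b-wan2.example.net", "198.51.100.10"):
        print(check_identifier(ident, "198.51.100.10"))
    rules = ike_allow_list({"203.0.113.10", "198.51.100.10"})
    print("drive-by IKE from 192.0.2.99 allowed:", is_allowed(rules, "udp", "192.0.2.99", 500))
```

With the restricted rule set, an IKE attempt from an unknown address is dropped at the firewall rather than reaching the IPsec daemon and failing authentication, which is what keeps the IPsec log free of the drive-by attempts mentioned earlier in the thread.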
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.