Netgate Discussion Forum

LAN TO LAN WITH 4 VPN TUNNEL (REDUNDANT)

28 Posts 5 Posters 19.6k Views
sbyoon:

Noted. I should wait until IPSec on OPT1 is fixed. Then, do you think IPSec failover will be possible with outgoing load balancing if OPT1 IPSec is available? Of course, in this case we can use only one pfSense for failover.

Thank you.

hoba:

It should just work the way it's drawn, without failover IPSEC settings. I just noticed you only have one WAN (ISP3) at the opposite end, and not two ISPs like before.

sbyoon:

I think it does not work because of the conflict of the same local subnet from pfsense1 and pfsense2 at the remote end network. In order to succeed with IPSec failover, the first tunnel pfsense1-pfsense3 should be removed cleanly before the second tunnel pfsense2-pfsense3 is established. In the case of my diagram above, the first and second tunnels are established at once, and one of those two tunnels does not work even if one ISP disconnects and I can access the internet through the other pfsense.

Is there any way to remove the first tunnel automatically when the other one is trying to establish a tunnel? And only one IPSec tunnel should be allowed when both ISP1 and ISP2 are connected.

Thank you.

hoba:

pfSense3 is waiting for mobile clients. pfSense1's WAN is failing and pfSense2 is establishing the IPSEC, as there now is traffic for the remote subnet due to it becoming the gateway. For pfSense3 this should just look like the IP of pfSense1 has changed. I have setups like this where one pfSense sits at a dynamic IP and it works fine. Maybe http://www.pfsense.org/mirror.php?section=tutorials/mobile_ipsec/ helps with how to configure it.

sbyoon:

Of course, I tested with pfsense3 waiting for mobile clients. The problem is that pfsense3 cannot figure out that pfsense1 has disconnected, and it remembers the tunnel with pfsense1 even after pfsense1 disappears. So the LAN subnets of pfsense1 and pfsense2 conflict on pfsense3, because pfsense1 and pfsense2 have the same LAN subnet, and then the tunnel pfsense2-pfsense3 does not work. Is there any solution to this problem?

hoba:

Try the "prefer old IPSEC SA" setting at System > Advanced at all ends and see if that makes a difference. If that doesn't help, try using smaller lifetimes (like 300 seconds). This way a tunnel should expire after 5 minutes and the backup machine will then hopefully be able to connect, though this means some downtime until the tunnel is established again on failover.

sbyoon:

Noted, I will try it and let you know the result. Thank you, Hoba.

martinc_77:

I tested it and it runs fine; the tunnel works on the OPT-WAN interface!

LAN
      |
  (PfSense 1)
  |              |
ISP1(WAN)  ISP2 (OPT-WAN)
  |              |
  |              |
(  Internet )
      |
      |
      ISP3
      |
      |
    pfSense2 (waiting for mobile clients)
      |
      LAN

I tested this configuration and it runs ok, but not automatically.

1. Both pfSense boxes have static IPs.
2. pfSense 1 has the load balancer.
3. The tunnel is established between ISP1 and ISP3, using mobile clients on pfsense3.
4. If ISP1 is down, I log in to pfSense 1 and only change the IPsec WAN interface to the OPT-WAN interface, and in WAN Gateway write the OPT-WAN gateway.
5. Save and go to Diagnostics > Ping, and all runs fine; now the VPN is established from OPT-WAN on pfSense 1 to the WAN mobile client of pfSense 2.

The only problem with this configuration is that it is manual, but for now it works for me.

hoba:

Might be easier to have both tunnels configured and just disable the one or the other tunnel for the manual failover.

sbyoon:

I've not tested IPsec redundancy with CARP and ifdepd because I need it on a WRAP, but the ifdepd package is not available on embedded systems. I'm waiting for version 1.0, which will allow package installation on embedded systems.

And according to Martinc_77's message, the IPsec problem on the OPT1 interface was already solved. I tested it on a WRAP, but IPsec on the OPT1 interface does not work yet. Is there anyone who has tested it on a WRAP? I'd like to know whether only I have this problem. I used pfSense RC2 for testing.

Thank you.

hoba:

pfSense 1.0 won't have package support on embedded platforms. Where did you read that? I have tested IPSEC on OPT interfaces during the hackathon; however, I have not tested with hosts not coming from the OPT subnet. In that case it might be possible to add a static route for the remote IPSEC endpoint through the OPT interface gateway.

martinc_77:

Dear hoba, IPSEC on the OPT interface works, but only if I add a static route! Is this a bug? Is this solved in RC3?

Thanks

hoba:

What kind of rule do you need to make this work? Please provide an example.

martinc_77:

I need to add the next rule in STATIC ROUTES, HOBA:

-----------------------------------------------------------------------------------------
INTERFACE              NETWORK                                          GATEWAY

OPT1        <the other end-point of the VPN>                    <the OPT1 gateway>
-----------------------------------------------------------------------------------------

NOTE: OPT1 AND WAN INTERFACE ARE IN LOAD BALANCER MODE

EXAMPLE:

THE VPN IS RUNNING ON THE WAN INTERFACE; THEN THE WAN INTERFACE GOES DOWN AND I CHANGE THE RULE IN VPN-IPSEC. I MANUALLY CHANGE THE WAN INTERFACE TO THE OPT1 INTERFACE AND NOTHING HAPPENS, BUT IF I ADD THE PREVIOUS STATIC ROUTE THE VPN IS UP AGAIN ON THE OPT1 INTERFACE.

THE QUESTION IS:
  WHY DO I NEED TO ADD THE STATIC ROUTE IF THE RULE IN THE VPN-IPSEC CONFIGURATION HAS ALL THE INFORMATION THAT PFSENSE NEEDS??

IS THIS A BUG??

martinc_77:

Dear hoba:

Please, I need help; I can't resolve this problem. I will go crazy.
My config is the following.

LAN
      |
  (PfSense 1)
  |              |
ISP1(WAN)  ISP2 (OPT-WAN)
  |              |
  |              |
(  Internet )
      |
      |
      ISP3
      |
      |
    pfSense2 (waiting for mobile clients)
      |
      LAN

1. Both pfSense boxes have static IPs.
2. pfSense-1 has the load balancer & Squid.
3. The tunnel is established between ISP1 and ISP3, using mobile clients on pfsense3. If ISP1 goes down, then switch to ISP2.

The following problems happen when ISP1 is down:

A) I change the IPSEC VPN start point to ISP2 manually (now the tunnel is between ISP2 and ISP), but no connection is established unless I add the next static route:
      <opt1>      <destination end point /32>      <opt1-gw>
B) pfSense can't resolve DNS unless I add the next static route:
      <opt1>      <destination DNS server /32>      <opt1-gw>
C) Squid (running in pfSense 1) doesn't work in any form.

Problems A & B are resolved with static routes; C can't be, but when ISP1 is up again I need to change the IPSEC VPN start point again (because ISP1 is better) and delete all the static routes. The real problem is writing and deleting static routes continuously, which costs critical production time.

My idea is to only change the ISP start point manually (only change the combo in IPSEC-VPN) and have everything work fine. Is that possible? If not, do you know another solution? Any solution for Squid when WAN is down?

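Routes A and B in the post above, and the OPT1 static route in the earlier post, come down to ordinary longest-prefix routing: with the default route pointing at the WAN (ISP1) gateway, packets for the remote IPsec endpoint and for the DNS server still leave through WAN no matter which interface is selected in the IPsec tunnel settings, so a more specific /32 route via the OPT1 gateway is needed for the duration of the failover and has to be deleted again on fail-back. The following Python script is an added illustration and not code from the thread or from pfSense; the interface names, addresses and gateways are constructed sample values. It models that lookup and computes which /32 routes have to be added or deleted when the active upstream changes, which is the bookkeeping the posts describe doing by hand.

```python
"""Added example: why the /32 static routes in this thread are needed, and
what has to be added/deleted on each failover.  All addresses are constructed
sample values (documentation prefixes), not anything from the thread."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str          # next hop, or "link" for a directly connected network
    interface: str


# Constructed routing table for "pfSense 1": default route out of WAN (ISP1),
# connected subnets on WAN and on OPT1 (ISP2).
GATEWAYS = {"WAN": "198.51.100.1", "OPT1": "203.0.113.1"}
BASE_TABLE = (
    Route(ipaddress.ip_network("0.0.0.0/0"), GATEWAYS["WAN"], "WAN"),
    Route(ipaddress.ip_network("198.51.100.0/24"), "link", "WAN"),
    Route(ipaddress.ip_network("203.0.113.0/24"), "link", "OPT1"),
)
IPSEC_PEER = "192.0.2.10"   # pfSense 2 on ISP3 (constructed)
DNS_SERVER = "192.0.2.53"   # upstream resolver (constructed)
FAILOVER_DESTINATIONS = (IPSEC_PEER, DNS_SERVER)


def lookup(table, dst):
    """Longest-prefix match, the way the kernel picks a route for a packet."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.network]
    return max(candidates, key=lambda r: r.network.prefixlen, default=None)


def egress(table, dst):
    """Interface a packet to `dst` leaves through, or None if unroutable."""
    route = lookup(table, dst)
    return route.interface if route else None


def host_route(dst, interface):
    """The /32 static route from the thread: destination via that WAN's gateway."""
    return Route(ipaddress.ip_network(f"{dst}/32"), GATEWAYS[interface], interface)


def required_routes(table, active_wan, destinations):
    """/32 routes that must exist so every destination egresses via active_wan.
    When the default route already uses active_wan, nothing is needed."""
    return frozenset(
        host_route(d, active_wan)
        for d in destinations
        if egress(table, d) != active_wan
    )


def route_delta(current, wanted):
    """(routes to add, routes to delete) when moving from one upstream to another."""
    return wanted - current, current - wanted


def describe(route):
    return f"{route.interface:<5} {str(route.network):<20} via {route.gateway}"


def main():
    print("Peer egress with only the default route:", egress(BASE_TABLE, IPSEC_PEER))
    opt1_routes = required_routes(BASE_TABLE, "OPT1", FAILOVER_DESTINATIONS)
    print("Failover to OPT1, add:")
    for r in sorted(opt1_routes, key=describe):
        print("  ", describe(r))
    print("Peer egress after adding them:",
          egress(BASE_TABLE + tuple(opt1_routes), IPSEC_PEER))
    add, delete = route_delta(
        opt1_routes, required_routes(BASE_TABLE, "WAN", FAILOVER_DESTINATIONS))
    print(f"Fail back to WAN: add {len(add)} route(s), delete {len(delete)} route(s)")


if __name__ == "__main__":
    main()
```

The script only models a routing table; it changes nothing on a firewall. The check it performs is the same one an administrator does by reading the routing table on the box: if the route chosen for the IKE peer and for the resolver points out the failed WAN, the tunnel cannot come up on the other interface regardless of what the IPsec page says, which is exactly the /32-via-OPT1-gateway route hoba suggested.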
                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.