Redundant Site to Site VPN using 2 ISPs and OpenVPN/or IPSec
-
Hello Everyone,
I've read the topic about IPsec and redundancy and I'm a bit confused about it.
http://forum.pfsense.org/index.php?topic=1580.0
I try to create a setup with the following goals in mind:
- Site to Site VPN using OpenVPN or IPSec
- Dual WAN connections on the primary site with outbound load balancing for http/https/ftp
- Single WAN connection on the secondary site
- VPN fully redundant, if ISP 1 or 2 goes down, the tunnel stays up.
- (Future needs: Fail over on a 2nd box on each site)
I came with the following design so far:
              LAN-1
                |
                |
                |
  pfSense1 (Load Balancer + OpenVPN Client side)
              |       |
              |       |
              |       |
            ISP1     ISP2
              |       |
              |       |
              |       |
            (Internet)
                |
              ISP3
                |
  pfSense2 (OpenVPN Server side)
                |
                |
                |
              LAN-2
Has anyone done this with success?
Any input appreciated :)
Thanks
mtoadmin
-
Actually, the openvpn traffic originating from pfSense cannot take advantage of the load balancer.
In order to have a functional (FAIL-OVER ONLY) setup on a single box, here's what we did:
If the tunnel goes down, add a route to direct OpenVPN traffic to the other gateway (ISP2)
In the openvpn client configuration, add to the custom options:
up-restart;up /var/etc/yourscript.sh
Ideally, the script should be linked to the load balancer (for the monitor IPs)
So, there is follow-up in http://forum.pfsense.org/index.php/topic,1650.0.html for the load balancer scripting…
mtoadmin
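As an added illustration of the fail-over-only approach mtoadmin describes (not the script from the post, which is not shown), here is a sketch of what /var/etc/yourscript.sh could do when OpenVPN calls it as its "up" script on pfSense (FreeBSD): probe a monitor IP through each ISP gateway, then pin a host route for the VPN peer via the gateway that still answers. The peer address, the two gateway addresses and the monitor IPs are assumed placeholders, not values from the thread.

```shell
#!/bin/sh
# Hypothetical /var/etc/yourscript.sh for the OpenVPN client on pfSense1,
# invoked through the client's custom options:  up-restart;up /var/etc/yourscript.sh
# All addresses below are assumed placeholders (not from the thread).
VPN_PEER="${VPN_PEER:-203.0.113.10}"   # public address of pfSense2 (assumed)
GW_ISP1="${GW_ISP1:-192.0.2.1}"        # ISP1 gateway on pfSense1 (assumed)
GW_ISP2="${GW_ISP2:-198.51.100.1}"     # ISP2 gateway on pfSense1 (assumed)
MON_ISP1="${MON_ISP1:-$GW_ISP1}"       # monitor IPs: ideally the same ones the load balancer uses
MON_ISP2="${MON_ISP2:-$GW_ISP2}"

# Probe a monitor IP through one specific gateway (returns 0 if it answers).
# A temporary host route forces the probe out the chosen ISP; FreeBSD ping uses -t for timeout.
probe_via() {  # $1 = monitor IP, $2 = gateway
    route -q add -host "$1" "$2" >/dev/null 2>&1
    ping -c 2 -t 3 "$1" >/dev/null 2>&1; rc=$?
    route -q delete -host "$1" >/dev/null 2>&1
    return "$rc"
}

# Pure decision logic: given each ISP's state ("up"/"down"), print the gateway the
# host route for VPN_PEER should use. ISP1 is preferred, ISP2 is the fallback;
# with both down, return failure so the existing route is left untouched.
choose_gateway() {  # $1 = ISP1 state, $2 = ISP2 state
    if [ "$1" = up ]; then echo "$GW_ISP1"
    elif [ "$2" = up ]; then echo "$GW_ISP2"
    else return 1
    fi
}

# Pin the peer to the selected gateway so the tunnel's own packets are not
# subject to the load balancer's per-connection choice.
apply_route() {  # $1 = gateway
    route -q delete -host "$VPN_PEER" >/dev/null 2>&1
    route -q add -host "$VPN_PEER" "$1"
}

main() {
    s1=down; s2=down
    probe_via "$MON_ISP1" "$GW_ISP1" && s1=up
    probe_via "$MON_ISP2" "$GW_ISP2" && s2=up
    gw=$(choose_gateway "$s1" "$s2") || { echo "both ISPs down, routes unchanged" >&2; exit 1; }
    apply_route "$gw"
    echo "OpenVPN peer $VPN_PEER routed via $gw (ISP1=$s1 ISP2=$s2)"
}

# OpenVPN passes "init" or "restart" as the 6th argument to an up script;
# only act in that case so the functions can be reused without side effects.
case "${6:-}" in init|restart) main ;; esac
```

Because both probes are checked on every (re)start, the route falls back to ISP1 automatically once it recovers and OpenVPN restarts the tunnel.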