Netgate Discussion Forum

Switch to secondary CARP on IPSEC fail

HA/CARP/VIPs
    jmcentire
    last edited by Nov 21, 2007, 7:03 PM

    I was wondering if there is any way to make it so that if an IPsec tunnel goes down on the Primary it is forced to switch to the Secondary.  I read somewhere there is a tool that will down the LAN port if, for example, the WAN port goes down, but could you make that work with an IPsec tunnel instead of a WAN port?

    Here is my idea if you want more information:

    Site1:
                          LAN
                           |
                        CARP IP
                           |
                  _________|_________
                 |                   |
             pfsense1            pfsense2
                 |                   |
             wan(isp1)           wan(isp2)
                 |                   |
               ipsec               ipsec

    Site 2:
               ipsec               ipsec
                 |                   |
             wan(isp1)           wan(isp2)
                 |                   |
             pfsense3            pfsense4
                 |___________________|
                           |
                        CARP IP
                           |
                         LAN 2

    So if pfsense1 or the tunnel from pfsense1-pfsense3 went down, LAN1 would now use pfsense2 and LAN2 would use pfsense4.  Make sense?  Can it work?

    Thanks!

      jmcentire
      last edited by Nov 22, 2007, 8:23 AM

      Another idea: is there a script, or somewhere that will help me write one, that will, on pfsense1, constantly ping pfsense3 and if the ping fails downs the LAN interface?  Then I would do the same on pfsense3 to monitor pfsense1.  Any ideas?  Or any BSD guys out there that could point me in the right direction?
      Thanks

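      A sketch of the ping watchdog the post asks for, added here as an example (it is not from the thread and not part of pfSense). It runs on the CARP master, probes the far tunnel endpoint, and after several consecutive misses brings the LAN interface down so CARP preemption hands the VIP to the secondary; the peer address, LAN interface name, threshold and interval are placeholders to set per site.

```shell
#!/bin/sh
# Peer watchdog for a CARP master (added example, not from the thread or pfSense).
# After FAIL_THRESHOLD consecutive missed pings it downs the LAN interface so
# CARP preemption moves the VIP; it restores the interface once the peer answers.
# PEER, LAN_IF, FAIL_THRESHOLD and INTERVAL are placeholders for your own site.
PEER="${PEER:-192.0.2.3}"               # constructed example: pfsense3's far-end address
LAN_IF="${LAN_IF:-em0}"                 # constructed example: LAN interface on pfsense1
FAIL_THRESHOLD="${FAIL_THRESHOLD:-3}"   # misses in a row before acting (avoids flapping)
INTERVAL="${INTERVAL:-5}"               # seconds between probes

# One probe: returns 0 if the peer answered a single ping (FreeBSD ping, -W in ms).
peer_reachable() {
    ping -c 1 -W 2000 "$1" >/dev/null 2>&1
}

# Pure decision step, kept separate so the logic can be tested without touching
# interfaces.  $1 = current miss streak, $2 = probe exit status (0 = reply),
# $3 = LAN currently down (0/1).  Prints "<new streak> <down|up|noop>".
decide() {
    if [ "$2" -eq 0 ]; then
        if [ "$3" -eq 1 ]; then echo "0 up"; else echo "0 noop"; fi
    else
        n=$(($1 + 1))
        if [ "$3" -eq 0 ] && [ "$n" -ge "$FAIL_THRESHOLD" ]; then
            echo "$n down"
        else
            echo "$n noop"
        fi
    fi
}

monitor_loop() {
    streak=0; lan_down=0
    while :; do
        peer_reachable "$PEER"; rc=$?
        set -- $(decide "$streak" "$rc" "$lan_down")
        streak=$1
        case $2 in
            down) logger -t carp-watch "peer $PEER missed ${streak}x, downing $LAN_IF"
                  ifconfig "$LAN_IF" down; lan_down=1 ;;
            up)   logger -t carp-watch "peer $PEER answering again, restoring $LAN_IF"
                  ifconfig "$LAN_IF" up; lan_down=0 ;;
        esac
        sleep "$INTERVAL"
    done
}

# Start the loop only when run as the watchdog script itself, not when sourced.
if [ "${0##*/}" = "carp-watch.sh" ]; then monitor_loop; fi
```

      Downing LAN also cuts that node's LAN-side management path, so keep console or a separate management interface reachable while testing this.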
        morbus
        last edited by Nov 22, 2007, 9:42 AM

        You are making your life complicated here.

        You need to connect both WANs to each pf in the CARP cluster, i.e.

        Site1:
                              LAN
                               |
                            CARP IP
                               |
                      _________|_________
                     |                   |
                 pfsense1---(SYNC)---pfsense2
                     |                   |
                 wan(isp1)           wan(isp1)
                 wan(isp2)           wan(isp2)
                     |                   |
                   ipsec               ipsec

        Site 2:
                   ipsec               ipsec
                     |                   |
                 wan(isp1)           wan(isp1)
                 wan(isp2)           wan(isp2)
                     |                   |
                 pfsense3---(SYNC)---pfsense4
                     |___________________|
                               |
                            CARP IP
                               |
                             LAN 2

        On pf we have preemption by default, so if one interface goes (i.e. LAN) the others are failed across as well.

        In the CARP settings tab there is a "Synchronize ipsec" option; checking this will make pf copy your IPsec settings to the slave node. Then if your master fails the IPsec will continue on the slave.

          jmcentire
          Nov 22, 2007, 8:06 PM (last edited Nov 22, 2007, 8:09 PM)

          Well, from what I have read, you cannot have two tunnels to the same subnet on different ISPs (go to the dual WAN/routing section and tons of people have asked how to do a failover VPN, but everyone says it is currently not possible), so in order for me to handle an ISP failure I wanted to have isp1 on pfsense1 and isp2 on pfsense2 and monitor the other end of the tunnel, so if the ISP or the pfSense goes down it will fail over to pfsense2 and the backup ISP.  If there is a way to do a failover VPN, I suggest you go into the dual WAN/routing section and let everyone know.
          Thanks

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.