IPsec multi-wan failover
-
IPsec peers can be hostnames.
The identifier is left as "My IP Address" and "Peer IP Address". The remote gateway for IPsec is the dyndns hostname.
-
jim, what were the changes in 2.1 that facilitated this new IPsec multi-wan failover feature ?
-
I'd have to dig through the code, I don't recall, it's been several months. databeestje originally did the work.
-
Hi.
I have setup this with 2 pfsense 2 dedicated static IP WAN.
Results are not what I expect:
When WAN1 goes down on local pfSense:
Dyn updates failover group.
Firewall rules using failover group as WAN act correctly.
IPsec tunnel does not come UP. Logs show that it is trying to use WAN1 IP address to establish tunnel. Remote pfSense does not permit connections from that peer.
Remote pfSense:
IPsec tunnel goes down after timeout; as Dyn hostname has been updated, IPsec tries to establish tunnel to new IP address, remote pfSense does not respond.
IPsec logs show an unknown peer trying to establish a connection to local IPsec port.
Solution:
I have to restart racoon service on local pfSense for racoon to start using WAN2 IP.
Same results if WAN1 goes down on remote pfSense.
Is there a way to add that when routing changes due to multi-WAN failover, a service (or services) can be restarted?
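The failure described in the post above (the tunnel stays bound to the old WAN1 address after the gateway group has moved to WAN2) can be detected from the IKE daemon's own status output before deciding to reload IPsec. The following is an added example, not code from this thread or from the pfSense project: it parses the IKE SA summary lines printed by strongSwan's `ipsec statusall` (the daemon pfSense 2.2 and later use; racoon-era 2.1 installs would need a different parser) and flags any ESTABLISHED SA whose local or remote address no longer matches the address the default route now leaves by and the address the peer's DynDNS name currently resolves to. The status text, addresses and connection names are constructed for the example.

```python
"""Find IKE SAs still bound to a pre-failover address pair.

Added example for this thread; not code from the thread or from pfSense.
Parses strongSwan `ipsec statusall` IKE SA summary lines and reports the
SAs that are ESTABLISHED on an address pair that is no longer current.
"""
import re
from dataclasses import dataclass
from typing import List

# One IKE SA summary line from `ipsec statusall`, e.g.
#   con1[3]: ESTABLISHED 2 hours ago, 203.0.113.10[203.0.113.10]...198.51.100.7[198.51.100.7]
#   con1[4]: CONNECTING, 203.0.113.20[%any]...198.51.100.7[%any]
IKE_SA_RE = re.compile(
    r"^\s*(?P<conn>[\w.-]+)\[\d+\]:\s+(?P<state>[A-Z]+)[^,]*,\s*"
    r"(?P<local>\d{1,3}(?:\.\d{1,3}){3})\[[^\]]*\]\.\.\."
    r"(?P<remote>\d{1,3}(?:\.\d{1,3}){3})\[[^\]]*\]"
)


@dataclass(frozen=True)
class IkeSa:
    conn: str
    state: str
    local: str
    remote: str


def parse_ike_sas(status_output: str) -> List[IkeSa]:
    """Extract (connection, state, local, remote) for every IKE SA line.

    Child SA lines (con1{5}: ...) and header lines do not match and are skipped.
    """
    sas = []
    for line in status_output.splitlines():
        m = IKE_SA_RE.match(line)
        if m:
            sas.append(IkeSa(m["conn"], m["state"], m["local"], m["remote"]))
    return sas


def stale_sas(sas: List[IkeSa], egress_ip: str, peer_ip: str) -> List[IkeSa]:
    """ESTABLISHED SAs whose address pair no longer matches reality.

    egress_ip: address of the WAN the default route currently uses
               (WAN2 once WAN1 has failed), i.e. the gateway group's
               active member.
    peer_ip:   what the remote side's DynDNS hostname resolves to right now.
    An SA still on the old pair is the "racoon keeps using the WAN1 IP"
    condition from the thread and is the trigger for an IPsec reload.
    """
    return [
        sa for sa in sas
        if sa.state == "ESTABLISHED" and (sa.local != egress_ip or sa.remote != peer_ip)
    ]


def needs_reload(status_output: str, egress_ip: str, peer_ip: str) -> bool:
    """True when at least one established SA is stuck on stale addresses."""
    return bool(stale_sas(parse_ike_sas(status_output), egress_ip, peer_ip))


# Constructed sample: WAN1 (203.0.113.10) has failed, the gateway group now
# leaves by WAN2 (203.0.113.20), and the peer is still 198.51.100.7.
SAMPLE_STATUS = """\
Status of IKE charon daemon (strongSwan 5.2.1, FreeBSD 10.1-RELEASE-p5, amd64):
  uptime: 3 hours, since Mar 04 10:02:11 2015
Security Associations (1 up, 1 connecting):
        con1[3]: ESTABLISHED 2 hours ago, 203.0.113.10[203.0.113.10]...198.51.100.7[198.51.100.7]
        con1[3]: IKEv1 SPIs: 0102030405060708_i* 1112131415161718_r, pre-shared key reauthentication in 5 hours
        con1{5}:  INSTALLED, TUNNEL, ESP SPIs: c1a2b3c4_i d5e6f7a8_o
        con1{5}:   10.1.0.0/24 === 10.2.0.0/24
        con1[4]: CONNECTING, 203.0.113.20[%any]...198.51.100.7[%any]
"""

CURRENT_EGRESS = "203.0.113.20"  # WAN2, now the active gateway-group member
CURRENT_PEER = "198.51.100.7"    # current DNS answer for the remote gateway

if __name__ == "__main__":
    for sa in stale_sas(parse_ike_sas(SAMPLE_STATUS), CURRENT_EGRESS, CURRENT_PEER):
        print(f"stale: {sa.conn} {sa.local} -> {sa.remote} "
              f"(expected {CURRENT_EGRESS} -> {CURRENT_PEER})")
    # The reload itself (e.g. `ipsec reload` on strongSwan, or the pfSense
    # "Force IPsec Reload on Failover" setting) is left to the operator.
```

In practice the two expected addresses come from the live system (the active gateway group member and a fresh DNS lookup of the peer's DynDNS name), and the check runs from the gateway-group monitoring hook rather than on a static string.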
-
Try the patch from this ticket:
http://redmine.pfsense.org/issues/2896
-
Thank you so much.
I will try it.
-
I have the same issue but I don't know how to apply the patch.
-
Did anyone ever do this successfully?
Also, has anyone successfully done multi-WAN failover with a SonicWall?
I also do not know how to apply the patch mentioned except to manually make the changes, which doesn't seem like the best idea.
-
The patch is no longer needed. There is a checkbox to activate the behavior on 2.1 (System > Advanced, Misc tab, under IP Security)
-
Ah, got it. So I guess there's no way to use multiple gateways for the remote side except to use Dynamic DNS?
-
Flojose, what was the behavior after you applied the patch code?
Results as expected?
-
Can this be done if one side of the VPN is not a pfSense? I am going to a Fortigate on Fiber in Atlanta with a pfSense in Michigan with Cable and DSL connections.
Thanks!
-
> Can this be done if one side of the VPN is not a pfSense? I am going to a Fortigate on Fiber in Atlanta with a pfSense in Michigan with Cable and DSL connections.
Did you ever get an answer on this? I have a similar scenario and before I bang my head against the wall just wanted to know if you got it working.
-
No unfortunately.
-
Hello guys,
I have pfSense firewall 2.1.3 and need to configure IPsec failover with a SonicWall. I know that SonicWall has the option to add a second peer in the IPsec VPN configuration, very easy.
Have you configured failover IPsec VPN?
-
Hi to all, has anyone tested this again with new versions of pfSense, or have experience with it?
Also, does anyone know a DNS service like DynDNS but free? I have one side of the IPsec tunnel with three internet providers with CARP, so having this feature would be amazing.
How can I create the routing group pointing to the group? I have static IPs on both sides free to use.
Thanks
-
> Hi to all, has anyone tested this again with new versions of pfSense, or have experience with it?
> Also, does anyone know a DNS service like DynDNS but free? I have one side of the IPsec tunnel with three internet providers with CARP, so having this feature would be amazing.
> How can I create the routing group pointing to the group? I have static IPs on both sides free to use.
> Thanks
Hi,
I can help you with the tests, ok. Do you have a DynDNS service like noip.com?
-
I have a WatchGuard firewall on one end with multi-WAN; when going from WatchGuard to WatchGuard it works fine.
I now want to connect the multi-WAN WatchGuard over IPsec VPN to a pfSense box with one WAN connection.
What setup needs to be done on both sides to get this to work so the pfSense knows what remote peer to connect to?
Right now it works when the connection is dropped, but it will not drop the connection and fail over to the preferred peer.
Thanks
-
> The patch is no longer needed. There is a checkbox to activate the behavior on 2.1 (System > Advanced, Misc tab, under IP Security)
I am sorry, I can not find the checkbox in 2.2.6-RELEASE (amd64). Under (System > Advanced, Misc tab, under IP Security), there is:
"These settings have moved to VPN > IPsec on the Advanced Settings tab."
And in (VPN > IPsec on the Advanced Settings tab) none of the options seems to be related; there are just these sections:
IPsec Logging Levels
Unique IDs
IP Compression
Strict interface binding
Unencrypted payloads in IKEv1 Main Mode
Maximum MSS
Disable Cisco Extensions
Strict CRL Checking
Make before Break
Auto-exclude LAN address
However, in the documentation (https://doc.pfsense.org/index.php/Advanced_IPsec_Settings) "Force IPsec Reload on Failover" is mentioned.
Or did the checkbox disappear because IPsec multi-WAN failover is performed reliably and an IPsec restart is not needed anymore?
Thank you
-
pfSense 2.2 and later uses a different IPsec daemon that no longer requires that setting.