Double Tunnels between two multiwan sites
-
I have a rather simple setup:
Site A: Pfsense 2.1.5 (64 bits)
1 WAN with ISP-1 with public IP
1 WAN with ISP-2 with public IP
Site B: Pfsense 2.1.5 (64 bits)
1 WAN with ISP-1 with public IP
1 WAN with ISP-2 with public IP
Multiwan is working fine. I currently have an IPSEC tunnel using the ISP-1 links of both sites. However, due to several latency-related troubles, which are an ISP problem, I switched the IPSEC tunnel to ISP-2 on both sites.
Afterwards I tried to have both tunnels (i.e. ISP-1 to ISP-1 and ISP-2 to ISP-2) active at the same time, but the result is that none of them is able to establish even phase 1; when we have either tunnel established and try to start the other one, the first tunnel (the one that was already established) closes and loses connectivity.
So the question is: is it possible to have this configuration at all? Meaning, 2 IPSEC tunnels active at the same time, each one using its own WAN and public IP, and pointing to the same subnets?
My limited understanding of IPSEC says that both tunnels should be able to establish phase 1, and even with phase 2 of both tunnels pointing to the same subnet, SPD/SAD should handle the routing, so theoretically this should work, without any special configuration.
Am I trying to make IPSEC do something it is not designed to do?
Does it have anything to do with the multiwan gateway grouping?
Is this a pfsense restriction/limitation?
Any ideas, comments, etc.?
Thanks
-
Yeah, you need to remove uniqueids = yes from the ipsec config.
The option for that is available in the RELENG_2_2 branch in github and will come with the 2.2.1 update.
-
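To illustrate ermal's point, here is an added example (not from this thread and not pfSense's own generated config) of how two parallel tunnels between the same two sites look in a strongSwan ipsec.conf, the IPsec daemon used by the 2.2 branch he refers to, with uniqueids set to no so that the second IKE SA does not replace the first; all addresses, subnets, identities and connection names are assumed placeholder values.

```ini
# Assumed strongSwan ipsec.conf for the Site A side (Site B uses the
# mirror image with left/right swapped). Addresses, subnets and
# identities are placeholders, not values from the thread.
config setup
    # With uniqueids = yes (the default), a new IKE SA that presents the
    # same peer identity as an existing one replaces it, which matches the
    # "first tunnel closes when the second one starts" symptom above.
    uniqueids = no

# Settings shared by both tunnels
conn %default
    keyexchange = ikev2
    authby = secret            # pre-shared keys live in ipsec.secrets (not shown)
    leftid = @site-a           # same identity on both tunnels, so uniqueids matters
    rightid = @site-b
    leftsubnet = 10.1.0.0/16   # Site A LAN (assumed)
    rightsubnet = 10.2.0.0/16  # Site B LAN (assumed)
    dpdaction = restart        # dead peer detection re-establishes a failed path
    auto = start

# Tunnel 1: ISP-1 WAN of Site A to ISP-1 WAN of Site B
conn isp1
    left = 203.0.113.10
    right = 198.51.100.10

# Tunnel 2: ISP-2 WAN of Site A to ISP-2 WAN of Site B
conn isp2
    left = 192.0.2.10
    right = 198.51.100.200
```

Both conns install phase 2 SAs for the same pair of subnets, so which path actually carries the traffic is decided by the kernel SPD entries rather than by the config, which is why georgeman's later question about switching the Ph2 entries per gateway still applies.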
Are you trying to setup some failover, or do you want to route specific subnets over each of the tunnels, all the time?
-
Thanks ermal, I'll go ahead and try the github version in a test environment, and wait for the 2.2.1 update.
georgeman, yes, I'm trying to set up a failover scenario. Actually we already have multiwan working, meaning that all inbound and outbound traffic to and from the Internet is protected against a single ISP link failure; however, between our branches we only use the IPSEC tunnel to route SIP, IAX, H.323, and several other kinds of traffic that we don't want to go out unencrypted.
Maybe I should also mention, and obviously this is a very specific situation with the ISPs here, that we intentionally chose to establish the tunnels between the sites using the same ISP on both ends, because doing it in any other way severely increases the latency. There is only one NAP that connects the ISPs and it tends to be saturated, and unfortunately there are no peering agreements between ISPs, so leaving one ISP's network to enter another's shoots the latency way up.
-
There is always the option to specify a gateway group on the ipsec.
You should be aware of that anyhow; maybe it's a better solution.
-
But, how are you going to turn on or off the Ph2 entries based on which gateway is up? (assuming the Ph1s are always established)
What ermal mentioned is another good option, you can easily achieve it by using dynamic DNS entries for the destination server (tied to the gateway groups on that server)
-
Thanks for pointing me in the right direction. I found this, which is related to the issue: https://forum.pfsense.org/index.php?topic=58784.15. However, as of Sep-14 it's not marked as Solved, and the last comments seem to indicate that they didn't accomplish it. Nevertheless I'm willing to give it a try, so I'm setting up a test scenario for this. If by any chance you can point me to any further instructions or experiences regarding this, I will really appreciate it.
Thanks again.
-
The first post you mentioned outlines the process. The patch mentioned is no longer required, there is a system option for that setting.
If both ends are pfSense, it should be pretty straightforward. If the other end is some other vendor, you'll have to figure out a way to accomplish the same behavior (e.g., on MikroTik RouterOS, I have configured some scripts which resolve the dynamic DNS hostnames and modify the config accordingly).
Just do it, and post your results ;)