Netgate Discussion Forum
    How to have a redundant VPN setup natively supported by Windows clients?

    Routing and Multi WAN
    3 Posts 2 Posters 912 Views

    reinaldo.gomes:

      Hello, folks! I really hope you can help me with this issue.

      I have a scenario where I must set up a client-to-site VPN with a couple of prerequisites:

      • It MUST be natively supported by Windows clients. The reason is a limitation of some application. The dev team will most likely laugh in my face if I say they will have to write some extra code or work with a third-party VPN client (so much for OpenVPN).

      • Clients MUST be able to reach the VPN gateway through 2 public IPs, for redundancy sake. Ideally they should be simultaneously reachable (obviously not by the same user, in the same connection), but as a last resort they could work in pure failover mode.

      I believe PPTP and SSTP are completely out of the question in pfSense 2.3.x. L2TP and IKEv2 don't seem to allow a second setup for a secondary IP address.

      A co-worker of mine said he was able to obtain load-balanced PPTP connections with something called "iproute2" on CentOS/iptables. But I REALLY wanted to migrate things over to pfSense.

      How can I have network redundancy while using a protocol natively supported by Windows clients?

      I have some obscure ideas of my own, but I would like to achieve this with a scenario where I have a single pfSense box facing my WAN connection, and being used as the VPN endpoint.

      jimp (Rebel Alliance Developer, Netgate):

        IKEv2 should work provided you have a few things set up:

        1. The cert must have both WAN IP addresses listed as SANs, on top of the usual settings
        2. The DNS record for the firewall should update to the correct IP address that will receive clients (e.g. dyndns)
        3. The mobile IPsec tunnel would need to be set to use the same failover group as the dyndns entry
        4. You'll probably need to activate default gateway switching under System > Advanced on the Misc tab

        I haven't tried that, but in theory it should work…

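        An added example, not from the thread or from pfSense itself, for step 1 above: a POSIX shell script that builds a throwaway IKEv2 server certificate whose subjectAltName lists both WAN addresses plus the DynDNS hostname, then checks that both IPs are actually present in the SAN list. The addresses and hostname are constructed placeholders; a real certificate would be issued from the pfSense CA with the same extension values.

```shell
#!/bin/sh
# Added example (not from the thread): build a test IKEv2 server cert whose
# subjectAltName carries BOTH WAN addresses and the DynDNS name, then verify
# the SANs on the result. Only openssl is required.
set -eu

WAN1_IP="198.51.100.10"     # constructed placeholder: primary WAN address
WAN2_IP="203.0.113.10"      # constructed placeholder: secondary WAN address
VPN_FQDN="vpn.example.com"  # constructed placeholder: DynDNS name clients use

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# openssl request config: CN is the hostname, SAN carries hostname + both IPs.
# Windows IKEv2 clients expect the Server Authentication EKU; the IKE
# intermediate OID (1.3.6.1.5.5.7.3.17) is added for other initiators.
write_san_config() {
  cat > "$WORK/san.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = $VPN_FQDN
[v3_req]
subjectAltName = DNS:$VPN_FQDN, IP:$WAN1_IP, IP:$WAN2_IP
extendedKeyUsage = serverAuth, 1.3.6.1.5.5.7.3.17
EOF
}

# Self-signed throwaway cert (test only) carrying the v3_req extensions.
make_cert() {
  write_san_config
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
    -config "$WORK/san.cnf" -extensions v3_req >/dev/null 2>&1
}

# Exit 0 only if the cert's SAN list contains the given IP address.
# The same grep works on a cert exported from the pfSense Cert Manager.
cert_has_ip_san() {
  openssl x509 -in "$WORK/cert.pem" -noout -text | grep -q "IP Address:$1"
}

# Exit 0 only if BOTH WAN addresses are present, i.e. the cert validates no
# matter which public IP the failover group is currently answering on.
cert_covers_both_wans() {
  cert_has_ip_san "$WAN1_IP" && cert_has_ip_san "$WAN2_IP"
}

make_cert
cert_covers_both_wans && echo "SAN covers $WAN1_IP and $WAN2_IP"
```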
        reinaldo.gomes:

          Thank you so much for your answer, jimp. You're always very helpful.

          "3. The mobile IPsec tunnel would need to be set to use the same failover group as the dyndns entry"

          I've tried setting it up just as you said in this topic:
          https://forum.pfsense.org/index.php?topic=58784.msg315915#msg315915

          Everything works fine, except that the ipsec.conf won't reload automatically when the DynDNS is updated (https://forum.pfsense.org/index.php?topic=58784.msg628621#msg628621). I had to manually reload the configs/service in order for it to acknowledge the group's new active IP. I'd appreciate it if you could help me out with that too.

          Anyway, there's no way to make the VPN accessible simultaneously through 2 different IPs when using mobile IPsec, right? Is OpenVPN the only way I can make it work in pfSense?

          "4. You'll probably need to activate default gateway switching under System > Advanced on the Misc tab"

          I don't think that's needed. I configured a gateway group in load-balance mode (same tiers) and set it up as the IPsec "interface". Obviously it wouldn't work, as there can only be one IP at a given time in my ipsec.conf's "left=" parameter, but I could see that the traffic always leaves through the same interface on which it came in. Needless to say, it works just the same in failover mode. Not that it really matters, just saying that pfSense handles it very well.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.