How to have a redundant VPN setup natively supported by Windows clients?



  • Hello, folks! I really hope you can help me with this issue.

    I have a scenario where I must set up a client-to-site VPN with a couple of prerequisites:

    • It MUST be natively supported by Windows clients. The reason is a limitation in some applications. The dev team will most likely laugh in my face if I say they will have to write some extra code or work with a third-party VPN client (so much for OpenVPN).

    • Clients MUST be able to reach the VPN gateway through 2 public IPs, for redundancy's sake. Ideally they should be simultaneously reachable (obviously not by the same user, in the same connection), but as a last resort they could work in pure failover mode.

    I believe PPTP and SSTP are completely out of the question in pfSense 2.3.x. L2TP and IKEv2 don't seem to allow a second setup for a secondary IP address.

    A co-worker of mine said he was able to obtain load-balanced PPTP connections with something called "iproute2" on CentOS/iptables. But I REALLY wanted to migrate things over to pfSense.

    How can I have network redundancy while using a protocol natively supported by Windows clients?

    I have some obscure ideas of my own, but I would like to achieve this with a scenario where I have a single pfSense box facing my WAN connection, and being used as the VPN endpoint.


  • Rebel Alliance Developer Netgate

    IKEv2 should work provided you have a few things set up:

    1. The cert must have both WAN IP addresses listed as SANs, on top of the usual settings
    2. The DNS record for the firewall should update to the correct IP address that will receive clients (e.g. dyndns)
    3. The mobile IPsec tunnel would need to be set to use the same failover group as the dyndns entry
    4. You'll probably need to activate default gateway switching under System > Advanced on the Misc tab

    I haven't tried that, but in theory it should work…



  • Thank you so much for your answer, jimp. You're always very helpful.

    "3. The mobile IPsec tunnel would need to be set to use the same failover group as the dyndns entry"

    I've tried setting it up just as you said in this topic:
    https://forum.pfsense.org/index.php?topic=58784.msg315915#msg315915

    Everything works fine, except that the ipsec.conf won't reload automatically when the DynDNS is updated (https://forum.pfsense.org/index.php?topic=58784.msg628621#msg628621). I had to manually reload configs/service in order for it to acknowledge the group's new active IP. I'd appreciate it if you could help me out with that too.

    Anyway, there's no way to make the VPN accessible simultaneously through 2 different IPs when using mobile IPsec, right? Is OpenVPN the only way I can make it work in pfSense?

    "4. You'll probably need to activate default gateway switching under System > Advanced on the Misc tab"

    I don't think that's needed. I configured a gateway group in load-balance mode (same tiers) and set it up as the IPsec "interface". Obviously it wouldn't work, as there can only be one IP at a given time in my ipsec.conf's "left=" parameter, but I could see that the traffic always leaves through the same interface it came in on. Needless to say, it works just the same when in failover mode. Not that it really matters, just saying that pfSense handles it very well.
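An added check for the reload problem described in the post above (example code written for this page, not from the thread, pfSense or strongSwan): it parses the `left=` value of the mobile conn out of an ipsec.conf, compares it with the address the DynDNS name currently resolves to, and reports whether the running strongSwan still has the old WAN IP. The conn name `con-mobile`, the hostname `vpn.example.net`, the file path and the sample config are all assumptions; the sample uses documentation IP ranges.

```python
"""Detect a stale ``left=`` in ipsec.conf after a DynDNS/gateway failover.

Constructed example: conn name, hostname, path and config text are assumed,
not taken from any real pfSense installation.
"""
import re
import socket
from typing import Optional

# Constructed sample ipsec.conf fragment (documentation IPs, one mobile conn).
SAMPLE_CONF = """\
config setup
    uniqueids = yes

conn con-mobile
    left = 203.0.113.10
    leftid = vpn.example.net
    leftsubnet = 0.0.0.0/0
    right = %any
    keyexchange = ikev2
    auto = add
"""


def parse_left(conf_text: str, conn_name: str) -> Optional[str]:
    """Return the ``left`` value of the named conn section, or None if absent."""
    in_conn = False
    for line in conf_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("conn "):
            # A new section starts; track whether it is the one we want.
            in_conn = stripped.split(None, 1)[1] == conn_name
            continue
        if stripped.startswith("config "):
            in_conn = False
            continue
        if in_conn:
            # Matches "left = x" and "left=x" but not "leftid=" or "leftsubnet=".
            m = re.match(r"left\s*=\s*(\S+)", stripped)
            if m:
                return m.group(1)
    return None


def needs_reload(conf_text: str, conn_name: str, active_ip: str) -> bool:
    """True when the IP strongSwan was started with differs from the active WAN IP."""
    return parse_left(conf_text, conn_name) != active_ip


def resolve_dyndns(hostname: str) -> str:
    """Resolve the DynDNS name; this is the address Windows clients will dial."""
    return socket.gethostbyname(hostname)


if __name__ == "__main__":
    # Assumed values for a real run; on pfSense the generated file lives under
    # /var/etc/ipsec/ (path assumed here, check your own box).
    conf_path = "/var/etc/ipsec/ipsec.conf"
    hostname = "vpn.example.net"
    conn = "con-mobile"
    try:
        with open(conf_path, encoding="utf-8") as fh:
            conf = fh.read()
    except OSError:
        conf = SAMPLE_CONF  # fall back to the constructed sample for a dry run
    try:
        active = resolve_dyndns(hostname)
    except OSError:
        active = "198.51.100.20"  # constructed "after failover" address
    print(f"configured left={parse_left(conf, conn)} active={active}")
    if needs_reload(conf, conn, active):
        # strongSwan's own "ipsec reload" re-reads ipsec.conf; run it from a
        # cron job or a gateway-group event hook rather than by hand.
        print("stale left= detected: run 'ipsec reload'")
    else:
        print("ipsec.conf already matches the active WAN IP")
```

Run it from cron on the firewall: an exit with "stale left= detected" means clients resolving the DynDNS name are dialling an address strongSwan is not listening on, which is exactly the silent failure the post reports after a gateway switch.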