Dual IPSec Tunnels with failover and routing problem

IPsec
Log in to reply
  • H

    Hi,

    I am trying to setup a VPN connection that uses 2 IPSec tunnels to seperate geological locations and which provides failover for traffic to the remote network (see attachment with xxx.xxx.xxx.xxx being the public internet IP of the pfSense box and - not seen -  the subnet NATed to the server at 192.168.10.25).

    The tunnels themselves are defined and come up / stay stable but I am hitting my forehead on the deak to get the routing working in pfSense (2.3.2).

    I tried defining 2 Gateways (but could not select IPSec as interface)  put them in a failover group and wanted to add a static route but as the endpoint is the same for both it would not let me enter the second route.

    What I try to do would look like this on Linux (using StrongSwan for IPSec with vti0 / vti1 being the interfaces of the tunnels) :

    ip route add 172.16.199.192/30 dev vti0 table 220
ip route add 10.131.208.0/24 dev vti0 table 220 metric 10

ip route add 172.16.199.196/30 dev vti1 table 220
ip route add 10.131.208.0/24 dev vti1 table 220 metric 20

iptables -t nat -A PREROUTING -s 10.131.208.0/24 -d 172.16.199.200/29 -j DNAT --to-destination 192.168.10.25
iptables -t nat -A POSTROUTING -d 10.131.208.0/24 -j SNAT --to-source 172.16.199.200/29

    Any pointers highly appreciated.
    ![Netzplan- ATLAS.png](/public/imported_attachments/1/Netzplan- ATLAS.png)
    ![Netzplan- ATLAS.png_thumb](/public/imported_attachments/1/Netzplan- ATLAS.png_thumb)

    0
  • 0

    Your scenario is very similar to mine.

    I have two tunnels going, the first tunnel is working as a charm but, the second tunnel not so much.
    I am trying to pass traffic as indicated by the pfSense book but it is not working.
    The idea of the tunnel is to pass traffic to reach networks on the other side of the tunnel but, in pfSense there is no way to direct traffic to the tunnel as per the book; it is built in the BSD kernel.

    Still looking for a solution but it seems the forum is quite.

    0
  • G

    It can be done, but it is a bit more complicated than that. Regular IPsec cannot be managed through the regular routes.

    You could setup GRE tunnels over IPsec transport mode between the public IPs. Then use a routing protocol (like RIP or OSPF) to actually handle the routing and failover

    0

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy