    IPsec Multi-Wan Failover Pfsense 2.1

    HA/CARP/VIPs

      Cem KIZIL:

      Hello,

      I want to do multi-WAN failover with IPsec. I searched but I can't find anything useful. I need your help.

      We have main and branch offices. Every office has 2 WAN networks.

      Main Office:

      Wan A
      Wan B

      Branch Office:

      Wan C
      Wan D

      We have 2 IPsec connections between the offices.

      1. WAN A > WAN C (online)
      2. WAN B > WAN D (offline backup, switched on manually)

      I want the 2nd IPsec connection to become active automatically when the 1st one is down.

      How can I do this? Or is there another way to do it?

      Best Regards.

        dotdash:

        A. Current version is 2.3.2, get your system updated.
        B. No way to switch both sides automatically.

          Cem KIZIL:

          Thank you for your answer.

          I will update soon.

          So 2-WAN IPsec failover cannot be done correctly, right?

          Do you have any suggestion about failover for this system?

            dotdash:

            One side can be done with a DynDNS target, see here:
            https://forum.pfsense.org/index.php?topic=58784.0
            You could try to work up something with GRE tunnels and a routing package, but you're on your own there.
            It's not automatic, but you can keep the second tunnel disabled and have a monitoring system alert you so you can manually switch to the backup tunnel.

              Cem KIZIL:

              Thank you. :)

                luckman212:

                Cem,

                I know you emailed me privately, but I figured since you also posted here I would reply again on the public forum in case others would benefit from the discussion. As I said in my private email, I highly suggest you try OpenVPN if you are dealing with multi-WAN (and maybe dynamic IPs?). It is just more suited to your task than IPsec at this point. If you must use IPsec then, as dotdash mentioned, you can use a DynDNS-type service tied to a gateway group so that your endpoints will get updated automatically if one link goes down. Keep in mind that even if your DNS provider allows very short TTLs (5 minutes is basically the practical lower limit) you will have some downtime before this failover happens, until DNS propagates and adjusts. It could be anywhere from 1-10 minutes. I have done this and yes it does work, but it is not ideal and sometimes a simple alert & manual intervention can be faster.

                Good luck (kolay gelsin) ;)

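The "alert and switch by hand" approach dotdash describes, combined with watching the peer's DynDNS record as luckman212 describes, as an added example in Python. This is not code from the thread, from pfSense or from any DynDNS provider: the `Monitor` and `TunnelState` names are hypothetical, the hostname `branch.example.net`, the 203.0.113.x / 198.51.100.x addresses and the far-LAN probe target 192.168.2.1 are constructed placeholders, and the constructed scenario at the bottom stands in for a real outage.

```python
"""Tunnel-health / DynDNS peer-change monitor for a manually switched backup IPsec tunnel.

Added example, not code from the thread or from pfSense. Hostnames, addresses and the
far-side probe target are constructed placeholders.
"""
import socket
import subprocess
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class TunnelState:
    name: str                 # label used in alerts, e.g. "WAN A > WAN C"
    peer_host: str            # DynDNS name the remote IKE endpoint is reached by (assumed)
    probe_target: str         # host on the far LAN that is only reachable through the tunnel
    last_peer_ip: Optional[str] = None
    failures: int = 0         # consecutive failed probes
    up: bool = True


@dataclass
class Monitor:
    resolve: Callable[[str], Optional[str]]   # hostname -> IPv4 string, or None
    probe: Callable[[str], bool]              # True if the far-side host answered
    down_threshold: int = 3                   # hysteresis: failed probes before alerting
    events: List[str] = field(default_factory=list)

    def check(self, t: TunnelState) -> List[str]:
        """Run one monitoring cycle for tunnel t; return the alerts raised this cycle."""
        raised: List[str] = []

        # 1. Has the peer's DynDNS record moved (the remote side failed over its WAN)?
        ip = self.resolve(t.peer_host)
        if ip is None:
            raised.append(f"{t.name}: cannot resolve {t.peer_host}")
        elif t.last_peer_ip is not None and ip != t.last_peer_ip:
            raised.append(
                f"{t.name}: {t.peer_host} moved {t.last_peer_ip} -> {ip}; "
                f"IKE peer address has changed, tunnel must re-negotiate"
            )
        if ip is not None:
            t.last_peer_ip = ip

        # 2. Is traffic still flowing through the tunnel? Only alert after
        #    down_threshold consecutive failures so a single lost ping stays quiet.
        if self.probe(t.probe_target):
            if not t.up:
                raised.append(f"{t.name}: tunnel recovered")
            t.up, t.failures = True, 0
        else:
            t.failures += 1
            if t.up and t.failures >= self.down_threshold:
                t.up = False
                raised.append(
                    f"{t.name}: DOWN after {t.failures} failed probes; "
                    f"enable the backup tunnel"
                )

        self.events.extend(raised)
        return raised


# Real-world bindings (not exercised by the constructed scenario below).
def dns_resolve(host: str) -> Optional[str]:
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def icmp_probe(host: str) -> bool:
    """One ICMP echo with a 3 s overall timeout; 'ping -c 1' works on Linux and BSD."""
    try:
        r = subprocess.run(["ping", "-c", "1", host], stdout=subprocess.DEVNULL,
                           stderr=subprocess.DEVNULL, timeout=3)
        return r.returncode == 0
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False


def demo_scenario() -> List[str]:
    """Constructed sequence: the branch loses WAN C, its DynDNS record flips to WAN D's
    address, probes through the primary tunnel fail, then connectivity is restored."""
    # Documentation-range addresses standing in for WAN C and WAN D (constructed).
    dns_answers = iter(["203.0.113.10", "203.0.113.10", "198.51.100.20",
                        "198.51.100.20", "198.51.100.20"])
    probe_results = iter([True, False, False, False, True])
    mon = Monitor(resolve=lambda _h: next(dns_answers),
                  probe=lambda _h: next(probe_results))
    tunnel = TunnelState("WAN A > WAN C", "branch.example.net", "192.168.2.1")
    for _ in range(5):
        mon.check(tunnel)
    return mon.events


if __name__ == "__main__":
    for line in demo_scenario():
        print(line)
```

To use it for real, swap the lambdas in `demo_scenario` for `dns_resolve` and `icmp_probe`, point `probe_target` at a host that is only reachable across the tunnel (otherwise a probe answered over the public path hides a dead tunnel), and run `check` from cron or a loop. The peer-change alert fires only once the resolver returns the new record, so with a 5-minute TTL it lags the actual WAN failover by up to that long, which is the DNS delay luckman212 refers to; the probe-based DOWN alert does not depend on DNS and is what tells you to enable the backup tunnel by hand.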