Move IPsec to next Tier when previous Tier is unstable but still up



  • Hello,

    I've got a Multi-WAN setup with an IPsec site-to-site tunnel on our SG-2440.

    When the first tier WAN is unstable, packets are dropped but the tunnel is still "up". For that reason, pfSense doesn't reconnect the tunnel over the next tier WAN even though the first WAN is now in the "packet loss"/"high latency" state.

    Furthermore, I suspect that if and when the tunnel finally goes down for excessive packet loss or high latency, it is still reconnected through the highest tier WAN if that's still technically up. (But I've been unable to verify this in a definitive way).

    As a workaround I've been changing the tiers and reconnecting the tunnel manually whenever the problem arises, but it clearly goes against the point of having a $549 Intel Atom machine that's supposed to manage exactly these problems  :P

    Is anyone in a similar situation? How can it be handled?



  • I would love to hear if anyone else has come up with a reliable solution for this; we experience the same issue. Currently the most reliable method I have found is to manually stop (not restart) the IPsec service in the web GUI, then start it back up. The tunnel will then rebuild on whatever tier is currently active.

    From what I have read it seemed to work when pfSense was using racoon for IPsec, but after switching to strongSwan it's been unreliable at best.

    I believe the official way is to set up Dynamic DNS and use that as your local identifier. The IPsec tunnel is supposed to move to whatever tier is active, but that has not been my experience.
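The stop-then-start workaround from the post above, scripted so it only fires when the active gateway actually changes. This is an added example, not code from the thread or from pfSense; it assumes strongSwan's `ipsec stop` / `ipsec start` wrapper is on the PATH (which is what the GUI stop/start buttons drive on a strongSwan-based pfSense), and it assumes the caller already knows the name of the currently active gateway, for instance from a gateway-monitor hook. The gateway names in the usage line are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): tear down and rebuild the IPsec
# tunnel only when the active WAN tier has changed since the last check.
# Assumes the strongSwan "ipsec" wrapper is available; the active gateway
# name is supplied by the caller (how it is obtained is outside this script).

STATE_FILE="${STATE_FILE:-/tmp/ipsec_active_tier}"   # remembers the last tier seen
DRY_RUN="${DRY_RUN:-0}"                              # 1 = log commands instead of running them

# Run a command, or just print it when DRY_RUN is set.
run_cmd() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "dry-run: $*"
    else
        "$@"
    fi
}

# Stop (not restart) strongSwan so existing SAs are torn down, then start it
# again so the tunnel is renegotiated through whichever gateway is active now.
rebuild_ipsec() {
    run_cmd ipsec stop
    [ "$DRY_RUN" = "1" ] || sleep 2    # give the daemon time to shut down cleanly
    run_cmd ipsec start
}

# check_tier <active-gateway-name>
# Compares the supplied gateway with the one recorded in STATE_FILE and
# rebuilds the tunnel on change. Prints "rebuilt" or "unchanged".
check_tier() {
    current="$1"
    if [ -z "$current" ]; then
        echo "usage: check_tier <active-gateway-name>" >&2
        return 2
    fi
    previous=""
    [ -f "$STATE_FILE" ] && previous=$(cat "$STATE_FILE")
    if [ "$current" != "$previous" ]; then
        rebuild_ipsec >/dev/null
        printf '%s\n' "$current" > "$STATE_FILE"
        echo "rebuilt"
    else
        echo "unchanged"
    fi
}

# Example invocation with a constructed gateway name; a real deployment would
# call this from whatever fires when the gateway group changes tier:
#   check_tier WAN2_DHCP
```

Run it from cron or a gateway-change hook with the active gateway's name as the argument; because it records the last tier it saw, it leaves a healthy tunnel alone and only bounces strongSwan when pfSense has actually moved to another tier.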



  • @barnettd:

    I believe the official way is to set up Dynamic DNS and use that as your local identifier. The IPsec tunnel is supposed to move to whatever tier is active, but that has not been my experience.

    That may be "the official way" but there's no way I'll do that in production. (And from what you tell me it doesn't work anyway.)

    I don't like this situation. IPsec with tiered gateways is supposed to be supported, they can't just throw in whatever OSS daemon they find, observe that it kinda works and call it a day…



  • Totally agree. We have been moving our small remote sites from ASA 5505s to the SG-2440s, but the ipsec issue has been a major pain point and I'm starting to regret our move…
    The ASAs are more expensive and are more limited, but ipsec failover worked really well.



  • @barnettd:

    Totally agree. We have been moving our small remote sites from ASA 5505s to the SG-2440s, but the ipsec issue has been a major pain point and I'm starting to regret our move…
    The ASAs are more expensive and are more limited, but ipsec failover worked really well.

    Yeah… I installed one at my house, one at my company's office and one for a client just a few weeks ago. That will be the last one and this great pfSense adventure is gonna be over.

    I chose to support it, but I regretted it. I'm probably gonna switch everything over to MikroTik and Ubiquiti. The first one provides real support without spending in the thousands and the second one always seems to just work (& is incredibly cheap).

    Good luck!

