Recommended configuration for IPSEC with HA



  • Hello,

    I've bought a pair of XG1537 but have had difficulty locating information about the recommended way to set up IPSEC in a high availability mode. All the HA documentation I've found seems to cover CARP, pfsync and XMLRPC only.

    There are two scenarios I'm interested in:

    1. Where I control both ends of the link - the far end could be a single pfSense, or another HA pfSense pair.

    2. Where the remote end is some third-party box that I don't control, and they don't support BGP or VTI (just regular IPSEC tunnel mode).

    In scenario (1) it looks like I have a number of choices. I could set up IPSEC tunnels between the CARP addresses (it looks like I can set a CARP as the local WAN endpoint); or I could set up a mesh of VTI links directly between the primary and secondary nodes, and use BGP to failover between them. This would involve setting up IPSEC separately on primary and secondary nodes, but gives me the advantage that tunnels stay up even during failover.

    In scenario (2) I really want to give the third-party a single endpoint address to connect to.

    So the question is: can I use the CARP address as an IPSEC endpoint? If so, is there any special configuration I need to do to make this work? Does XMLRPC sync the IPSEC configuration? That would push me towards tunnels between CARP endpoints.

    Thanks in advance,

    Brian.



  • Yes, you can use a CARP address as the IPSec endpoint. There is an option to sync IPSec configuration in the XMLRPC Sync options on the HA Sync page.
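As an added example (not from this thread and not pfSense's own tooling), a small POSIX shell check of the point made in the answer: the phase 1 local endpoint should be the CARP VIP rather than the node's own interface address, otherwise the tunnel stays pinned to whichever node owns that address and will not follow a CARP failover. The `ifconfig` text and all addresses are constructed samples in FreeBSD output format; on a real node you would feed it the output of `ifconfig -a`.

```shell
#!/bin/sh
# Added example, not from the thread or pfSense: checks whether the address you
# plan to use as the IPsec phase 1 local endpoint is a CARP VIP (follows
# failover) or a plain interface address (pinned to one node).
# CONSTRUCTED sample in FreeBSD `ifconfig -a` format; replace with real output.
IFCONFIG_SAMPLE='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 203.0.113.11 netmask 0xffffff00 broadcast 203.0.113.255
    inet 203.0.113.10 netmask 0xffffffff broadcast 203.0.113.10 vhid 1
    carp: MASTER vhid 1 advbase 1 advskew 0
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 10.0.0.11 netmask 0xffffff00 broadcast 10.0.0.255
    inet 10.0.0.1 netmask 0xffffffff broadcast 10.0.0.1 vhid 2
    carp: BACKUP vhid 2 advbase 1 advskew 100'

# Print the CARP state (MASTER/BACKUP/INIT) of the VIP given as $1, or NONE
# when the address is not a CARP VIP. Pairs each "inet ... vhid N" line with
# the "carp: STATE vhid N" line that belongs to the same vhid.
carp_state_for_ip() {
    printf '%s\n' "$IFCONFIG_SAMPLE" | awk -v want="$1" '
        $1 == "inet" { for (i = 3; i < NF; i++) if ($i == "vhid") vip[$(i+1)] = $2 }
        $1 == "carp:" { state[$4] = $2 }
        END {
            for (v in vip) if (vip[v] == want) { print state[v]; exit }
            print "NONE"
        }'
}

# Exit status: 0 = CARP VIP (safe HA endpoint), 1 = plain interface address
# (the peer loses the tunnel when this node fails), 2 = not configured here.
check_ipsec_endpoint() {
    st=$(carp_state_for_ip "$1")
    if [ "$st" != "NONE" ]; then
        echo "$1: CARP VIP, currently $st; OK as the phase 1 local endpoint"
        return 0
    fi
    if printf '%s\n' "$IFCONFIG_SAMPLE" | grep -qF "inet $1 "; then
        echo "$1: plain interface address; tunnel will not follow a CARP failover"
        return 1
    fi
    echo "$1: not configured on this node"
    return 2
}

for ep in 203.0.113.10 203.0.113.11 198.51.100.1; do
    check_ipsec_endpoint "$ep" || :
done
```

Run the same check on both nodes: the VIP should report MASTER on one and BACKUP on the other, which is exactly what lets the peer keep a single endpoint address across a failover.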