Redundant Site to Site VPN using 2 ISPs and OpenVPN/or IPSec



  • Hello Everyone,

    I've read the topic about IPsec and redundancy and I'm a bit confused about it.
    http://forum.pfsense.org/index.php?topic=1580.0

    I try to create a setup with the following goals in mind:

    • Site to Site VPN using OpenVPN or IPSec
    • Dual WAN connections on the primary site with outbound load balancing for http/https/ftp
    • Single WAN connection on the secondary site
    • VPN fully redundant, if ISP 1 or 2 goes down, the tunnel stays up.
    • (Future needs: Fail over on a 2nd box on each site)

    I came with the following design so far:

    LAN-1
       |
       |
       |
    pfSense1 (Load Balancer + OpenVPN Client side)
    |   |
    |   |
    |   |
    ISP1 ISP2
    |   |
    |   |
    |   |
    (Internet)
       |
      ISP3
       |
    pfSense2 (OpenVPN Server side)
       |
       |
       |
      LAN-2

    Has anyone done this with success?

    Any input appreciated :)

    Thanks

    mtoadmin



  • Actually, the OpenVPN traffic originating from pfSense cannot take advantage of the load balancer.
    In order to have a functional (FAIL-OVER ONLY) setup on a single box, here's what we did:
    If the tunnel goes down, add a route to direct OpenVPN traffic to the other gateway (ISP2).
    In the openvpn client configuration, add to the custom options:
    up-restart;up /var/etc/yourscript.sh

    Ideally, the script should be linked to the load balancer (for the monitor IPs).
    So, there is a follow-up in http://forum.pfsense.org/index.php/topic,1650.0.html for the load balancer scripting…

    mtoadmin
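    As an added illustration of the "up /var/etc/yourscript.sh" idea above (this is example code, not the poster's script): a FreeBSD sh up-script that probes each ISP's monitor IP and pins a host route for the OpenVPN server via the first gateway that answers, so the firewall's own tunnel packets leave through a working WAN. The gateway, monitor and server addresses are constructed placeholders, and the `check` argument is an assumed hook so the same script can be run by a gateway monitor, as the poster suggests.

    ```shell
    #!/bin/sh
    # OpenVPN "up" script for the client-side pfSense box (FreeBSD sh).
    # Constructed example values: gateways, monitor IPs and server address
    # are placeholders, not addresses taken from the thread.
    ISP1_GW="192.0.2.1";    ISP1_MON="192.0.2.1"
    ISP2_GW="198.51.100.1"; ISP2_MON="198.51.100.1"
    # OpenVPN exports trusted_ip (the authenticated server address) to up
    # scripts; fall back to a placeholder when run outside OpenVPN.
    VPN_SERVER="${trusted_ip:-203.0.113.10}"
    LOG=/var/log/vpn-failover.log

    # Reachability probe: one ICMP echo, 2 s overall timeout (FreeBSD ping -t).
    # PROBE may be overridden (e.g. for testing) with any command taking an IP.
    probe_icmp() { ping -c 1 -t 2 "$1" >/dev/null 2>&1; }
    PROBE="${PROBE:-probe_icmp}"

    # Print the gateway to use: the first whose monitor IP answers the probe.
    # Arguments: gw1 mon1 gw2 mon2 ...  Returns 1 if no ISP is reachable.
    select_gateway() {
        while [ $# -ge 2 ]; do
            if "$PROBE" "$2"; then printf '%s\n' "$1"; return 0; fi
            shift 2
        done
        return 1
    }

    # Replace the host route that steers our own OpenVPN packets to the server.
    pin_route() {  # $1 = gateway, $2 = server IP
        route delete -host "$2" >/dev/null 2>&1
        route add -host "$2" "$1"
    }

    main() {
        gw=$(select_gateway "$ISP1_GW" "$ISP1_MON" "$ISP2_GW" "$ISP2_MON") || {
            echo "$(date) no ISP gateway reachable, leaving routes alone" >>"$LOG"
            return 1
        }
        pin_route "$gw" "$VPN_SERVER"
        echo "$(date) ${script_type:-check}: routing $VPN_SERVER via $gw" >>"$LOG"
    }

    # OpenVPN sets script_type=up when calling us (on restarts too, thanks to
    # up-restart); "check" is an assumed hook for a gateway monitor.  Do nothing
    # when the file is merely sourced or run by hand without either.
    case "${script_type:-$1}" in up|check) main ;; esac
    ```
    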

