IPSec VPN & load balancing with two DSL connections
Hi All, I have a netgate running PFSense and have successfully setup Ipsec VPN tunnels which is working great.
I have two DSL connections which are configured in two gateway groups and are assigned to different traffic types. I assume in an active passive way.
With all the COVID-19 stuff going on we're looking to get some people working from home and I was wondering if it was possible to set the IPSEC vpn tunnels to work on a load balance of the two DSL connections?
Is there a guide somewhere on how to do that?
Apologies if that's a bit of a ramble happy to clarify :-).
The tl;dr answer is: Not effectively. Not for IPsec.
To load balance across two IPsec tunnels you would need a several things things. Note that this assumes pfSense on both ends.
- Tunnels setup using routed IPsec on both tunnels on both ends (VTI, assigned interfaces, etc)
- Gateway groups using equal tier values for both routed IPsec tunnel interface gateways
- Policy routing rules setup on the LAN(s) directing traffic for the VPN to use the gateway group
One of either:
4a. Return routing to ensure that packet replies go back out the interface they entered -- This is where it breaks down the most, since on FreeBSD, the
pfdoesn't work on IPsec interfaces. Without this, traffic will always return over one interface (whichever has a static route back to the remote end)
4b. NAT on the IPsec interfaces so the remote side will send the traffic back the expected path -- NAT+VTI have some issues, but this may work in some cases, but it adds NAT which would break some protocols which otherwise would work inside a VPN
As you can probably tell from that, even if it did work, it also doesn't scale well to multiple remotes, since you'd need another pair of tunnels+interfaces+gateways+rules for every peer, and definitely isn't an option for mobile IPsec.
You can use multiple links for site-to-site redundancy by ditching the policy routing and using a dynamic routing protocol like BGP or OSPF to manage the routes and failover.
Another potential workaround doesn't involve VPNs at all: If both your links are from the same ISP, and the ISP supports MLPPP, you may be able to setup MLPPP bonding so both DSL connections are aggregated into a single virtual link which could potentially use the sum total of both circuits in bandwidth. But that 100% depends on your ISP supporting it.
@jimp thanks for the tips. I think that's a bit complicated for our needs certainly right now and certainly last minute like it currently is.
Any ideas why I can't create another ipsec tunnel and point it at the other dsl connection ? I mean I can but the authentication options don't allow me to point it at my radius. I only have Mutual PSK and Mutual (something else) as options in the drop down....
I had hoped I could set up another ipsec tunnel tied to the second DSL connection, but it doesn't seem to let me.