Netgate Discussion Forum
    BGP Routes are not used after IPSec Event

    Forum category: FRR
    5 Posts 2 Posters 712 Views
    Oremountain

      pfSense 2.4.5-p1 on XG-1541 1U HA setup with FRR 0.6.7_6 (up-to-date pkg)

      I have multiple eBGP peers connected via IPsec tunnels (VTI), and whenever there is a change in Phase 1, or I restart the IPsec service, or I deactivate one tunnel, all my BGP routes disappear and don't reappear until I restart the BGP service.

      The other peers (different machines, not pfSense, and older) don't have this problem.

      This means that whenever Phase 1 rekeys, my BGP routes disappear, and I'd have production issues if the pfSense machine was already in use.

      I read something about patches that might help and tried them on my test machine (VM), which does not resolve the error.

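      The symptom described in the post (sessions come back after the IPsec event, but the prefixes do not) is easy to miss until traffic breaks. The following is an added example, not code from the poster or from the FRR/pfSense projects: it parses the text of `vtysh -c "show bgp summary"` and compares two snapshots, flagging every neighbor that used to contribute prefixes and now contributes none, whether the session shows `Established` with 0 prefixes or has fallen back to `Active`/`Idle`. The two summaries embedded below are constructed sample output in FRR 7.x column layout, not captured from the poster's firewalls; the assumption that `vtysh` is on the PATH of the FRR package is mine.

```python
"""Detect BGP peers whose received-prefix count collapsed after an IPsec event.

Added example (not from the original thread). Parses the plain-text output of
`vtysh -c "show bgp summary"` from FRR and diffs a pre-event snapshot against a
post-event one. Sample output below is CONSTRUCTED for illustration.
"""
from __future__ import annotations

import subprocess
from dataclasses import dataclass


@dataclass
class Peer:
    neighbor: str
    remote_as: int
    uptime: str      # Up/Down column, e.g. "06:41:20" or "never"
    state: str       # "Established" when State/PfxRcd is numeric, else the FSM state
    pfx_rcvd: int    # prefixes received; 0 when the session is not Established


def parse_bgp_summary(text: str) -> list[Peer]:
    """Parse the neighbor table of `show bgp summary`.

    Column order in FRR: Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down
    State/PfxRcd [PfxSnt] [Desc]. Only the first ten columns are relied upon, so
    newer releases that append PfxSnt/Desc parse the same way.
    """
    peers: list[Peer] = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("Neighbor"):
            in_table = True          # header line; rows follow
            continue
        if not in_table:
            continue
        if not line.strip():
            in_table = False         # blank line ends the table
            continue
        cols = line.split()
        if len(cols) < 10:
            continue                 # not a neighbor row (defensive)
        state_col = cols[9]
        if state_col.isdigit():
            state, pfx = "Established", int(state_col)
        else:
            state, pfx = state_col, 0    # "Active", "Idle", "Connect", ...
        peers.append(Peer(cols[0], int(cols[2]), cols[8], state, pfx))
    return peers


def stuck_peers(before: list[Peer], after: list[Peer]) -> list[str]:
    """Neighbors that advertised prefixes in `before` but contribute none in `after`.

    Catches both failure shapes from the thread: the session re-established
    with 0 prefixes, and the session never coming back at all.
    """
    had = {p.neighbor: p.pfx_rcvd for p in before if p.pfx_rcvd > 0}
    now = {p.neighbor: p for p in after}
    return [n for n in had if n not in now or now[n].pfx_rcvd == 0]


def current_summary() -> str:
    """Live snapshot from FRR. Assumes `vtysh` from the FRR package is on PATH."""
    return subprocess.run(
        ["vtysh", "-c", "show bgp summary"],
        capture_output=True, text=True, check=True,
    ).stdout


# --- Constructed sample output (not real captures) -------------------------
BEFORE_REKEY = """\
IPv4 Unicast Summary:
BGP router identifier 203.0.113.10, local AS number 65001 vrf-id 0
BGP table version 42
RIB entries 37, using 6808 bytes of memory
Peers 2, using 41 KiB of memory

Neighbor        V         AS   MsgRcvd   MsgSent   TblVer  InQ OutQ  Up/Down State/PfxRcd
10.99.1.2       4      65002       812       809        0    0    0 06:41:20           14
10.99.2.2       4      65003       655       651        0    0    0 05:10:03            9

Total number of neighbors 2
"""

AFTER_REKEY = """\
IPv4 Unicast Summary:
BGP router identifier 203.0.113.10, local AS number 65001 vrf-id 0
BGP table version 43
RIB entries 1, using 184 bytes of memory
Peers 2, using 41 KiB of memory

Neighbor        V         AS   MsgRcvd   MsgSent   TblVer  InQ OutQ  Up/Down State/PfxRcd
10.99.1.2       4      65002       814       811        0    0    0 00:00:07            0
10.99.2.2       4      65003         0         0        0    0    0    never       Active

Total number of neighbors 2
"""


if __name__ == "__main__":
    # Offline demonstration on the constructed snapshots.
    lost = stuck_peers(parse_bgp_summary(BEFORE_REKEY), parse_bgp_summary(AFTER_REKEY))
    print("peers with no prefixes after IPsec event:", lost)
```

      In practice you would take the first snapshot at a known-good moment and the second one from `current_summary()` after an IPsec log event, and alert on a non-empty result instead of discovering the problem through lost reachability.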
        Zawi @Oremountain

        Did you enable the Ignore IPsec Restart option?
        Services > FRR > Global Settings

          Oremountain @Zawi

          @zawi Yes. It leads to the routes not getting deleted when IPsec goes down, and to no alternative route being used.

          It works as a workaround so we don't have to worry while we are setting things up, but later on it is just as problematic, since we are using BGP to minimize the need for human administration in case one of our multi-ISP locations loses its primary connection, or one datacenter is only reachable through the direct line to another datacenter due to some circumstances. So having unchanging routes wouldn't be much of a help.

            Zawi @Oremountain

            Try to work around it by splitting FRR from VTI:
            https://redmine.pfsense.org/issues/10503

              Oremountain @Zawi

              @zawi That's been my setup from the beginning.
              IPsec with VTI.
              Virtual CARP IP address for both firewalls.
              BGP listening on the CARP IP.

              Edit: the CARP IP is on WAN, not on the VTI or anything like that.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.