BGP Routes are not used after IPSec Event
-
pfSense 2.4.5p1 on XG-1541 1U HA setup with FRR 0.6.7_6 (up to date pkg)
I have multiple eBGP peers connected via IPsec tunnels (VTI), and whenever there is a change in Phase 1, or I restart the IPsec service, or I deactivate one tunnel, all my BGP routes disappear and don't reappear until I restart the BGP service.
The other peers (different machines, not PFS and older) don't have this problem.
This means whenever Phase 1 rekeys, my BGP routes disappear, and I'd have production issues if the PFS machine was already in use.
I read something about patches that might help and tried them on my test machine (VM), which does not resolve the error.
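A check for the symptom described above (routes gone after an IPsec event even though the BGP session is back up), as an added example and not part of the original post or of FRR or pfSense: it compares two `show ip bgp summary` snapshots and flags peers whose received-prefix count dropped to zero or whose session left Established. The sample output is constructed; the column layout assumes FRR's summary table.

```python
import re

# Constructed sample of FRR's `show ip bgp summary` table (as printed by
# `vtysh -c "show ip bgp summary"`) before and after an IPsec Phase 1 rekey.
BEFORE = """\
Neighbor        V         AS MsgRcvd MsgSent   TblVer  InQ OutQ  Up/Down State/PfxRcd
10.10.0.2       4      65001     120     118        0    0    0 02:10:05           12
10.10.1.2       4      65002      98      97        0    0    0 01:55:41            7
"""
AFTER = """\
Neighbor        V         AS MsgRcvd MsgSent   TblVer  InQ OutQ  Up/Down State/PfxRcd
10.10.0.2       4      65001     122     121        0    0    0 02:12:05            0
10.10.1.2       4      65002     100      99        0    0    0 00:00:07       Active
"""

# One peer row: neighbor, BGP version (4), AS, six counter/uptime columns,
# then State/PfxRcd: a prefix count when Established, otherwise a state name.
ROW = re.compile(r"^(\S+)\s+4\s+(\d+)\s+(?:\S+\s+){6}(\S+)\s*$")


def parse_summary(text):
    """Map neighbor -> (remote AS, State/PfxRcd column) for each peer row."""
    peers = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            peers[m.group(1)] = (int(m.group(2)), m.group(3))
    return peers


def lost_routes(before, after):
    """Return (peer, as, reason) for every peer that carried prefixes in
    `before` but contributes no routes in `after`. Established with 0 prefixes
    is the thread's symptom: the tunnel recovered, the routes did not."""
    findings = []
    now = parse_summary(after)
    for peer, (asn, old) in parse_summary(before).items():
        if not old.isdigit() or int(old) == 0:
            continue  # was not contributing routes before either
        if peer not in now:
            findings.append((peer, asn, "peer missing from summary"))
        elif not now[peer][1].isdigit():
            findings.append((peer, asn, f"session down ({now[peer][1]})"))
        elif int(now[peer][1]) == 0:
            findings.append((peer, asn, f"established but 0 prefixes (was {old})"))
    return findings


if __name__ == "__main__":
    for peer, asn, why in lost_routes(BEFORE, AFTER):
        print(f"AS{asn} {peer}: {why}")
```

Run it from cron with two real snapshots taken a few seconds apart to alert before the missing routes cause a production outage.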
-
Did you enable the Ignore IPsec Restart option?
Services > FRR > Global Settings
-
@zawi yes. Leads to the routes not getting deleted when IPsec goes down and not using an alternative route.
Works as a workaround so we don't have to worry as long as we are setting it up, but later on it is just as problematic, since we are using BGP to minimize human administration needs in case one of our multi-ISP locations loses its primary connection or one datacenter is only reachable through the direct line to another datacenter due to some circumstances. So having unchanging routes wouldn't be much of a help.
-
Try to work around it by splitting FRR from VTI:
https://redmine.pfsense.org/issues/10503
-
@zawi that's my setup from the beginning.
IPsec with VTI.
Virtual CARP IP address for both firewalls.
BGP listening on CARP IP.
Edit: CARP IP is on WAN, not the VTI or something.