Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Running two IPSEC tunnels between two multi-wan sites

    IPsec
    2
    2
    71
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • B
      bp81 last edited by bp81

      Scenario: I have two locations, HQ and Branch Office. Both HQ and Branch Office have two separate ISPs for redundancy. IP addressing looks like this:

      HQ Public IP1: 1.1.1.1
      HQ Public IP2: 2.2.2.2
      Branch Office IP1: 3.3.3.3
      Branch Office IP2: 4.4.4.4

      HQ's internal private IP network: 10.0.0.0/24
      Brance Office's internal private IP network: 10.1.0.0/24

      A single IPSEC tunnel between them is simple enough, the tunnel (P1) would link between 1.1.1.1 and 3.3.3.3. The P2 security association would look like 10.0.0.0/24 <> 10.1.0.0/24.

      Now, let's say I want some redundancy with my VPN just like I do with my WANs at these locations. Say then that I create a second tunnel (P1) that links between 2.2.2.2 and 4.4.4.4. Works well enough so far I'd assume, but what happens when the secondary tunnel linking 2.2.2.2 and 4.4.4.4 create a P2 security association that duplicates the P2 from the primary VPN tunnel?

      My questions are, will this work? Does it cause problems? Will it fail? If it does work, is there a way to make traffic favor one tunnel over another? I am not interested in link balancing in this case, the secondary is purely to be used a hot standby if I need to take down the primary tunnel for some reason.

      If this type of setup doesn't work or doesn't work well, is there a method by which I can make a tunnel establish itself over the secondary WAN addresses if the primary tunnel goes down, in an automatic failover kind of fashion?

      1 Reply Last reply Reply Quote 0
      • jimp
        jimp Rebel Alliance Developer Netgate last edited by

        You can't do that with policy-based tunnels.

        You have two choices:

        1. Keep the policy-based tunnels and setup Dynamic DNS and gateway groups on both sides so that if a WAN fails, the switches the hostname and single IPsec tunnel to the other WAN. This works, but takes a long time to switch since it relies on DNS (several minutes, most likely)
        2. Ditch the policy-based tunnels and use VTI. Configure two tunnels (1.1.1.1<->3.3.3.3, 2.2.2.2<->4.4.4.4) and use FRR with either OSPF or BGP to handle the routing. When setup properly, dynamic routing protocols are smart enough to detect when a path is down and use the other alternate path in a timely manner.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        1 Reply Last reply Reply Quote 1
        • First post
          Last post

        Products

        • Platform Overview
        • TNSR
        • pfSense
        • Appliances

        Services

        • Training
        • Professional Services

        Support

        • Subscription Plans
        • Contact Support
        • Product Lifecycle
        • Documentation

        News

        • Media Coverage
        • Press
        • Events

        Resources

        • Blog
        • FAQ
        • Find a Partner
        • Resource Library
        • Security Information

        Company

        • About Us
        • Careers
        • Partners
        • Contact Us
        • Legal
        Our Mission

        We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

        Subscribe to our Newsletter

        Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

        © 2021 Rubicon Communications, LLC | Privacy Policy