Two different VPN in pfsense
-
Hi, please help me) pfSense is installed, the first provider with IPVPN is connected to it, and the second provider with open Internet is also connected. I want to make the first provider always active, but as soon as it falls, pfSense switches to IPSEC through the second provider. Can I implement such a scheme?
-
What you're looking for is the metric for an interface. If you run ifconfig, you will see each interface has the default metric of 0. If you want to increase the metric or cost of an interface, you use the metric option in ifconfig. So, you'd leave the main interface at 0 and assign some other number to the VPN. This way, the VPN would be used only when the main connection is failed. I haven't tried this in pfSense or FreeBSD, but it works on my Linux notebook, where WiFi has a higher metric than Ethernet and so is used only when there is no Ethernet connection. You might also have to use gateway monitoring to ensure failure detection.
-
You can do that as long as the IPSec connection is route based (VTI).
To failover like that you need to use gateway groups and only a route based IPSec tunnel creates a gateway you can use there.
https://docs.netgate.com/pfsense/en/latest/multiwan/load-balance-and-failover.html
Steve
-
@stephenw10 hello, VTI will most likely help me, but I don't understand how to deal with routing. Site A and site B are connected through the main channel of the IPVPN; IPSEC is a backup channel. When site A and site B are connected via IPVPN, the route from the 10.212.25.0/24 network to the 10.222.0.0/16 network is received via BGP from the site B prefix list, the packets are transmitted, everything works. When the IPVPN link goes down, traffic should be sent over the IPsec link, but traffic is not transmitted: there is no route. When I create the static route 10.222.0.0/16 gateway 10.244.244.2, traffic starts going from site A to site B. When the IPVPN link goes up, traffic is still transmitted through the IPSEC channel, and when IPSEC is disabled, traffic is not transmitted through the IPVPN, since I made a static route for IPSEC; I delete the static route 10.222.0.0 and only then does traffic from site A to site B begin to be transmitted. I don't understand how to use MULTIWAN and DYNAMIC ROUTING in this scheme. I need to make a route specifically to a specific site.
-
@denis_ts said in Two different VPN in pfsense:
VTI will most likely help me
VTI is the only way it can work with IPSec. With policy based IPSec the traffic will always use the IPSec tunnel, so you must be using VTI before troubleshooting further.
What VPN type is "IPVPN" using? OpenVPN? As long as it's also route based (like OpenVPN) it should work.
Do you see the BGP announcements working over both VPN links?
-
@stephenw10 Hi, IPVPN is a service from the ISP; they let our local traffic through their routers. If I have IPVPN and IPSEC active, IPVPN works until I add routes to remote nodes through IPSEC. I add a new route and traffic stops going through IPVPN. How can I automatically add routes through IPSEC when IPVPN is not available?
-
You are using BGP to add the routes over IPSec, right?
If it's always sending traffic across that, then it's becoming the preferred route and you need to reduce its preference so it's only used as backup.
How is the BGP over IPVPN set up, though? Is that just between your routers, or does that also include the ISP's routers centrally? That could complicate things significantly.
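One way to apply the preference change Steve describes, as an added FRR (the pfSense dynamic routing package) bgpd configuration example for site A that is not from this thread: the IPsec VTI peer 10.244.244.2 and the 10.212.25.0/24 network are taken from denis_ts's posts, while the AS numbers 65001/65002, the IPVPN peer address 192.0.2.1 and the assumption that the IPVPN BGP session runs directly between the two site routers are placeholders.

```text
! Added example, not from the thread: FRR bgpd config on the site A pfSense.
! Assumptions: site A is AS 65001, site B is AS 65002, the IPVPN BGP peer is
! 192.0.2.1 (placeholder, assumed to be site B's router, not an ISP router).
! The IPsec VTI peer 10.244.244.2 is the address given in the thread.
router bgp 65001
 ! Primary path: site B prefixes learned over the ISP IPVPN keep the default
 ! local-preference of 100 and therefore win best-path selection.
 neighbor 192.0.2.1 remote-as 65002
 neighbor 192.0.2.1 description IPVPN-primary
 ! Backup path: the same prefixes learned over the IPsec VTI get a lower
 ! local-preference, so they only become best when the IPVPN session drops
 ! (hold timer expiry) and its routes are withdrawn. When IPVPN returns, the
 ! local-preference 100 routes win again, so no static route has to be removed.
 neighbor 10.244.244.2 remote-as 65002
 neighbor 10.244.244.2 description IPsec-VTI-backup
 address-family ipv4 unicast
  network 10.212.25.0/24
  neighbor 10.244.244.2 route-map IPSEC-BACKUP-IN in
  neighbor 10.244.244.2 route-map IPSEC-BACKUP-OUT out
 exit-address-family
!
! Inbound: lower local-preference for everything learned over the IPsec VTI.
route-map IPSEC-BACKUP-IN permit 10
 set local-preference 50
!
! Outbound: prepend our AS on IPsec announcements so site B also prefers its
! IPVPN path back to us, keeping return traffic on the same link as forward.
route-map IPSEC-BACKUP-OUT permit 10
 set as-path prepend 65001 65001 65001
```

Failover time is bounded by the BGP hold timer on the IPVPN session (or by BFD if both ends support it); until the session times out, the IPVPN routes remain best even if the link is already dead.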