IPsec redundancy / fail over (not carp)

  • I've searched - but maybe I missed it. I saw several statements relating to 1.2 and earlier that it wasn't possible. I have a few ideas / questions….

I want to enable multiple site VPN failover. At each site is a SINGLE pfSense box. Each site has two WANs (one WAN, one OPTWAN). If a tunnel on WAN becomes unavailable I would like to bring up the tunnel on OPTWAN.

    The idea of multiple tunnels (and a manual change over) IS possible, but with 10 sites, and 2 providers, with one central node I'd be looking at a ridiculous number of tunnels. With manual editing of tunnels, I'd be looking at an error prone process for 2am.

    If manual failover is still the only option, can someone offer me some pointers on how I might use dead peer detection or possibly a script to change the enabled / disabled state of the tunnels?

    What about using DNS in the IPsec configuration - could this reduce the number of tunnels required?

    i.e. instead of:

    Tunnel1: Dev1Wan1<->Dev2Wan1
    Tunnel2: Dev1Wan1<->Dev2Wan2
    Tunnel3: Dev1Wan2<->Dev2Wan1
    Tunnel4: Dev1Wan2<->Dev2Wan2

    I could have:

    Tunnel1: Dev1Wan1<->ACCEPT(Dev2Wan1 or Dev2Wan2)
    Tunnel2: Dev1Wan2<->ACCEPT(Dev2Wan1 or Dev2Wan2)
    And a similar set of two tunnels on Dev2 (but only two tunnels per side instead of 4).

    Or is there a suggested method of pushing a config change by script?

    With ssh remotely I could trigger the script.

    One thing I've considered is generating the config XML on a server and causing the remote site to pull a new config (or just the affected section?) which could adjust the IPsec config.

    In the future it might be nice to extend this concept to allow for CARP as well for sites that have backup devices, but I'd like to keep the idea in mind...

    Can anyone share their thoughts? I'm still reading the book ;-) (Thanks!)


  • Rebel Alliance Developer Netgate

    You'd be better off going with OpenVPN for this, I believe. It can already list multiple peers per tunnel (via the advanced config options).

    If you can have two public IPs at each site some static routes would ensure that traffic for each peer gets routed over the proper link, but it may be doable without that also.
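    As an added illustration of the "multiple peers per tunnel" idea in the reply above (this is example configuration written for this thread, not something the poster or Netgate supplied), here is what the client side of such an OpenVPN tunnel at a satellite site could look like. The two central-site addresses, the port and the certificate file names are assumptions; OpenVPN tries the `remote` entries in the order listed, and `keepalive` makes it restart and move on to the next entry when the current peer stops answering.

    ```conf
    # Added example (not from the thread): OpenVPN client config at a satellite site.
    # Addresses, port and file names below are placeholders/assumptions.
    client
    dev tun
    proto udp

    # Both WAN addresses of the central site. Entries are tried in order,
    # so the first is the primary link and the second is the backup.
    remote 198.51.100.10 1194
    remote 203.0.113.10 1194

    # Dead-peer detection: ping every 10 s; if nothing is heard for 60 s,
    # restart the tunnel, which moves on to the next "remote" entry.
    keepalive 10 60
    resolv-retry infinite
    nobind
    persist-key
    persist-tun

    # Certificates/keys (assumed file names)
    ca ca.crt
    cert satellite1.crt
    key satellite1.key
    tls-auth ta.key 1
    ```

    In the pfSense GUI the extra `remote` line is the kind of directive that goes into the advanced options field the reply mentions. The central-site server must also be reachable on both of its WAN addresses for this to do anything, which is where the static routes mentioned above come in.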

  • Does anyone have a guide or similar on doing something like this? Because this is something I am going to need in the coming months for my company as well! And we will have the same exact setup as the OP.

    Our central location will be running a server that our 6 satellite locations will need uninterrupted access to via VPN throughout the day for our POS system to function.

  • I want to achieve the same thing, and figured it out in my head. I'm a complete noob with firewalls, IPsec and such, but here is what I think maybe would work (if not, please let me know).

    At the main office use 2 pfSense boxes with CARP (on LAN), both with different WANs.
    Set up 1 tunnel to your sub-office and configure your sub-office to accept VPN tunnels from both main-office WAN addresses (or maybe a road warrior setup).

    The only thing that would smash the system would be a connection loss from the sub-office side.

    In my situation only the main office has multi-WAN; the sub-offices don't, so this would work for me. Not sure if your situation is the same.

    Our situation is one main office; there are 3 sub-offices connecting to the main office. The main office has 2 Internet connections (WAN). That is my theoretical solution for the problem; not yet ready to test this at the moment.

    EDIT: this will not work :( My bad. The setup is unable to detect if the WAN connection is still up :(

    Maybe it's possible with the load balance (failover) option. I am configuring a setup to see if I can get this to work.

  • I have a similar setup (with OpenVPN rather than IPsec) and use openbgpd to set up the routes.

  • @ask:

    I have a similar setup (with OpenVPN rather than IPsec) and use openbgpd to set up the routes.

    Could you post a little more details on your setup?

  • You'll have to learn a little about BGP and routing to make it work; but basically you just set up openbgpd on each site announcing its routes to two neighbors at the other side – each neighbor configuration would be using the OpenVPN IPs for one of the redundant links. You can use 'set metric 10' (or 20 or ...) to bump the "cost" of one link over the other. (There are other ways, too, but 'set metric' is easy and works fine in small setups.)

    Each site will have its own AS -- private AS numbers are between 64512 and 65535.
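    To make the openbgpd layout described in this reply concrete, here is an example `bgpd.conf` for one site, written for this thread rather than taken from the poster's setup. The AS numbers (private range, as the reply says), the OpenVPN tunnel addresses and the LAN prefix are all assumptions. Each site peers with the other side twice, once per redundant OpenVPN link, and the filter rules use `set localpref` on what is learned and `set metric` on what is announced so that both ends prefer the primary link and fall back to the backup when the primary BGP session drops.

    ```conf
    # Added example (not from the thread): /usr/local/etc/bgpd.conf at site A.
    # AS numbers, tunnel addresses and prefixes are assumptions.
    AS 65001
    router-id 10.8.1.1

    # LAN prefix this site announces to its neighbors
    network 192.168.1.0/24

    # Two neighbors at site B (AS 65002), one per redundant OpenVPN link.
    # 10.8.1.x is the tunnel over the primary WAN, 10.8.2.x over the backup WAN.
    neighbor 10.8.1.2 {
            remote-as 65002
            descr     "siteB-primary"
    }
    neighbor 10.8.2.2 {
            remote-as 65002
            descr     "siteB-backup"
    }

    # Inbound: accept site B's routes, preferring those learned over the primary link
    allow from 10.8.1.2 set localpref 200
    allow from 10.8.2.2 set localpref 100

    # Outbound: announce our prefix with a worse metric over the backup link so
    # that site B prefers reaching us through the primary
    allow to 10.8.1.2 set metric 10
    allow to 10.8.2.2 set metric 20
    ```

    Site B mirrors this with its own AS (65002 here) and its own LAN prefix. When the primary tunnel goes down, the hold timer expires on that session, the routes learned over it are withdrawn, and the routes from the backup neighbor become the only ones left, so traffic moves to the backup link without anyone editing tunnel definitions at 2am.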
