Failover Site-to-Site IPsec VPNs
-
Hello All,
Running two pfSense 1.2.3-RELEASE boxes at two school buildings. Everything is working great!
Question: Is there any reason I can't set up dual/failover site-to-site IPsec VPNs between these two pfSense boxes?
Scenario: This has happened a couple of times over the past few months. If the primary ISP connection (which is the one I have configured for the site-to-site VPN) goes down, the existing single site-to-site VPN becomes non-functional. If I set up a second site-to-site VPN on the secondary WAN interfaces of each pfSense box, will it simply work when the primary ISP connection goes down, or do I HAVE to keep one of the two VPNs down and then manually enable whichever VPN is functional?
I was wondering whether having both IPsec VPNs enabled all the time would cause a loop, much the same as a bridge?
This is, of course, on multi-WAN boxes.
I have never seen anything about this in the pfSense How-To section, which kind of surprises me. Thanks,
Barry -
The way IPsec works, you can't have two active tunnels covering the same internal networks.
If you are doing this between two pfSense boxes, OpenVPN would be the better way to go. I have set up redundant OpenVPN configurations with multi-WAN that work perfectly. The trick is you don't let OpenVPN do the routing; you run a routing protocol such as OSPF over the tunnels, and it handles the routing.
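As an added worked example of the layout described above (this is not from the thread, the pfSense book, or pfSense's own documentation): two static-key OpenVPN tunnels, one per WAN pair, with no "route" directives, and a Quagga ospfd configuration that picks whichever tunnel is alive. All addresses, interface names (tun1, tun2, em1), ports, key paths and the OSPF MD5 key are assumptions; site B mirrors site A with the endpoints swapped, as the shown client fragment illustrates.

```conf
# ===== Site A, OpenVPN tunnel 1: A WAN1 <-> B WAN1 (assumed addresses) =====
# Point-to-point static-key tunnel. Deliberately no "route" lines: OSPF
# below decides which tunnel carries LAN-to-LAN traffic.
dev tun1
proto udp
# bind to WAN1 so the tunnel lives and dies with that ISP
local 203.0.113.10
port 1194
ifconfig 10.255.1.1 10.255.1.2
secret /var/etc/openvpn/siteA-siteB-1.key
# ping every 10 s, restart after 30 s of silence; tun stays up meanwhile
keepalive 10 30
persist-key
persist-tun
cipher AES-256-CBC
verb 3

# ===== Site A, OpenVPN tunnel 2: A WAN2 <-> B WAN2 (assumed addresses) =====
dev tun2
proto udp
local 198.51.100.10
port 1195
ifconfig 10.255.2.1 10.255.2.2
secret /var/etc/openvpn/siteA-siteB-2.key
keepalive 10 30
persist-key
persist-tun
cipher AES-256-CBC
verb 3

# ===== Site B, OpenVPN tunnel 1 (client side, mirrors the above) =====
dev tun1
proto udp
# bind to site B's own WAN1 and dial site A's WAN1
local 192.0.2.20
remote 203.0.113.10 1194
ifconfig 10.255.1.2 10.255.1.1
secret /var/etc/openvpn/siteA-siteB-1.key
keepalive 10 30
persist-key
persist-tun
cipher AES-256-CBC

! ===== Site A, Quagga ospfd.conf =====
hostname site-a-ospf
password zebra
!
! Tunnel 1 is preferred (lower cost). Hello 5 s / dead 20 s bounds the
! failover to roughly 20 s after a tunnel stops passing traffic.
! The MD5 key means only the real peer can inject routes over the tunnel.
interface tun1
 ip ospf network point-to-point
 ip ospf cost 10
 ip ospf hello-interval 5
 ip ospf dead-interval 20
 ip ospf message-digest-key 1 md5 CHANGEME-shared-secret
!
interface tun2
 ip ospf network point-to-point
 ip ospf cost 100
 ip ospf hello-interval 5
 ip ospf dead-interval 20
 ip ospf message-digest-key 1 md5 CHANGEME-shared-secret
!
router ospf
 ospf router-id 10.255.1.1
 area 0 authentication message-digest
 passive-interface em1
 network 192.168.10.0/24 area 0
 network 10.255.1.0/30 area 0
 network 10.255.2.0/30 area 0
```

Site B's ospfd uses router-id 10.255.1.2 and advertises its own LAN (for example 192.168.20.0/24) the same way. Both LANs end up reachable through tun1 while it is up; when WAN1 at either end fails, OSPF withdraws that adjacency after the dead interval and the route moves to tun2, with nothing to enable by hand. `passive-interface em1` advertises the LAN without sending hellos on it, so no host on the LAN can become an OSPF neighbour and feed in routes; check adjacencies with `show ip ospf neighbor` in vtysh. Note that this covers the WAN1-to-WAN1 and WAN2-to-WAN2 pairs only; a third and fourth tunnel would be needed if the cross pairs should also survive.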
-
Is there any documentation on how to do this? I have the book.
-
No, there isn't any info in the book on that scenario, though it might be in the 2.0 book.
It's something we have helped commercial support subscribers set up (and that we do internally in some places), but afaik nobody has written up a howto.
-
I have been working towards purchasing commercial support, but had been planning on doing it after 2.0 ships. I would love to get OpenVPN working for a large client for mobile users, and site-to-site with VPN failover and passing Wide-area Bonjour.
-
Hi,
I do this with a DynDNS IP.
I put my DynDNS client on a LAN machine, and I use the load balancer in pfSense to load-balance that LAN machine's web access.
If WAN1 is up, then web access uses WAN1, else WAN2, so my DynDNS IP is the IP of whichever WAN is UP. Then I use this DynDNS name to create my VPN.
pf1.dyndns.org <------ vpn -----> pf2
When my first WAN is down, my DynDNS IP is updated by my LAN machine to my WAN2 IP, and so pf2 connects to my WAN2 to bring my VPN channel back UP.
Hope that helps!
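An added example of the LAN-side updater this post relies on (not the poster's own script): it learns which WAN the load balancer is currently sending the machine's traffic through by asking an external IP-echo service, and pushes that address to DynDNS only when it changes. The hostname pf1.dyndns.org comes from the post; the dyndns2 update endpoint, the echo URL, the credentials and the state-file path are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread: keep a DynDNS name pointing at
# whichever WAN the pfSense load balancer is currently routing this LAN
# machine through. Assumptions (none are in the original post): the
# dyndns2 update protocol at members.dyndns.org, credentials from the
# environment, an HTTP "what is my IP" echo service, and curl installed.

DDNS_HOST="${DDNS_HOST:-pf1.dyndns.org}"
DDNS_USER="${DDNS_USER:-user}"
DDNS_PASS="${DDNS_PASS:-secret}"
STATE_FILE="${STATE_FILE:-/var/tmp/ddns_last_ip}"
IP_ECHO_URL="${IP_ECHO_URL:-http://checkip.dyndns.org/}"

# Print the first dotted-quad found in the given text (nothing if none).
# The echo service answers with HTML, so the address has to be picked out.
extract_ipv4() {
    printf '%s' "$1" | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -n 1
}

# Succeed only if every octet is 0..255. The regex above accepts 999.1.1.1,
# and a bogus address must never reach DNS: the remote pfSense would try to
# bring the tunnel up against it.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

# An update is needed only when a valid address differs from the last one
# sent; DynDNS rate-limits and can block hosts that resend the same value.
needs_update() {
    [ -n "$1" ] && [ "$1" != "$2" ]
}

# dyndns2 update request for hostname $1 and address $2.
update_url() {
    printf 'https://members.dyndns.org/nic/update?hostname=%s&myip=%s' "$1" "$2"
}

run_once() {
    current=$(extract_ipv4 "$(curl -fsS "$IP_ECHO_URL" 2>/dev/null)")
    if ! valid_ipv4 "$current"; then
        echo "no valid public address learned from $IP_ECHO_URL" >&2
        return 1
    fi
    last=$(cat "$STATE_FILE" 2>/dev/null)
    if needs_update "$current" "$last"; then
        resp=$(curl -fsS -u "$DDNS_USER:$DDNS_PASS" "$(update_url "$DDNS_HOST" "$current")")
        case "$resp" in
            good*|nochg*) printf '%s\n' "$current" > "$STATE_FILE" ;;
            *) echo "DynDNS update failed: $resp" >&2; return 1 ;;
        esac
    fi
}

# Run from cron every minute as "script run"; with no argument the file
# only defines the functions, so it can be sourced and tested offline.
if [ "${1:-}" = "run" ]; then
    run_once
fi
```

Two caveats a practitioner will want: the far-end pfSense resolves pf1.dyndns.org when it sets up the tunnel, so after the record changes it must re-resolve the name and restart phase 1 before the tunnel comes back, and the DNS TTL on the DynDNS record adds directly to the failover time (keep it short). The update itself goes over HTTPS with the DynDNS credentials, so in real use read them from a root-only file rather than a default in the script.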