Multiple tunnels on same WAN



  • I am using 1.2.3-Release and trying to set up a VPN triangle between 2 co-location sites and our office.

    I have two pfSense firewalls at each site for redundancy and have set up carped interfaces for LAN, DMZ and WAN at the colo sites and just a LAN at the office. I'm now trying to set up reliable IPsec tunnels so I can connect all of this together using the following guide: http://doc.pfsense.org/index.php/VPN_Capability_IPsec. It has been helpful in setting up one tunnel, but the minute I add more it becomes unreliable, and it would be helpful to have a few questions answered just to confirm it's not my setup.

    1. Can I set up multiple tunnels using the same carped IP address? So two connections from the office to colo1 for each subnet (LAN, DMZ) would all use the same IP addresses at each end of the tunnel.
    2. Should I use a common pre-shared key, or does it need to be different for each tunnel?
    3. Is it worthwhile having the ping keepalive on so the tunnel stays up constantly? I'm assuming there will be a delay in establishing the tunnel if no traffic passes over it for a while.
    4. What do you do to test a stable connection? Things like pumping 100 Gig through the tunnel using iperf would spring to my mind (I'm testing this locally at the minute before it goes offsite).

    Many thanks for any help given.



  • I managed to get this set up, so this is what I found:

    1. You can use the same IP address for multiple tunnels.
    2. I have used different keys + identifiers for each tunnel.
    3. I set up a keepalive, but I'm not sure if it's needed.
    4. Set up iperf to send as much traffic as possible through all the links for an hour or so and watch to make sure none of the connections drop. They did, about every 6 minutes, but came back up within a few seconds, which isn't ideal but I can probably cope with it.
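The reply above tests the tunnels by pushing iperf traffic and watching for drops by eye. The script below is an added example (not from the thread or from pfSense) that turns that into a record: it probes a host behind each tunnel once a second, logs up/down state with a timestamp, and summarises how many outages occurred, the longest one, and total downtime, so a periodic drop like the roughly six-minute cycle described above can be lined up against rekey or DPD timers instead of guessed at. The probe targets (10.10.10.1 for the remote LAN, 10.10.20.1 for the remote DMZ) are constructed placeholders.

```shell
#!/bin/sh
# Tunnel-stability monitor: added example, not code from the original thread.
# Assumed (constructed) probe targets: 10.10.10.1 = host on the remote LAN,
# 10.10.20.1 = host on the remote DMZ, each reachable only through its tunnel.

# probe_once HOST -> prints "up" if one ping answers within 1 s, else "down"
probe_once() {
    if ping -c 1 -W 1 "$1" >/dev/null 2>&1; then
        echo up
    else
        echo down
    fi
}

# monitor HOST SECONDS -> emits one "EPOCH STATE" line per second for SECONDS
monitor() {
    host=$1
    duration=$2
    end=$(( $(date +%s) + duration ))
    while [ "$(date +%s)" -lt "$end" ]; do
        echo "$(date +%s) $(probe_once "$host")"
        sleep 1
    done
}

# summarize_outages reads "EPOCH STATE" lines on stdin and prints
# "outages=N longest=S total_down=T" (S and T in seconds). An outage that is
# still open when the input ends is counted up to the last timestamp seen.
summarize_outages() {
    awk '
        { last = $1 }
        $2 == "down" && !down { down = 1; start = $1; n++ }
        $2 == "up" && down {
            down = 0; d = $1 - start; total += d
            if (d > longest) longest = d
        }
        END {
            if (down) { d = last - start; total += d; if (d > longest) longest = d }
            printf "outages=%d longest=%d total_down=%d\n", n, longest, total
        }'
}

# Typical use during an iperf soak test, one monitor per tunnel:
#   monitor 10.10.10.1 3600 | tee tunnel-lan.log | summarize_outages
#   monitor 10.10.20.1 3600 | tee tunnel-dmz.log | summarize_outages
# The *.log files keep the raw timestamps, so the gap between consecutive
# outages can be compared with the phase 1/phase 2 lifetimes configured
# on both ends.
```

Run one monitor per tunnel while iperf is loading the links; a summary like `outages=10 longest=4 total_down=31` over an hour, with the raw log showing the drops spaced evenly, points at a timer-driven rekey rather than random packet loss.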
