HELP!!! IPSEC Failover



    Hello to all,
    I would like to share with you a problem I have, and maybe someone has an idea!

    I have been trying lately to create two IPsec VPNs between two pfSense boxes.

    Here is the situation - there is also a drawing attached:
    Site A
    network 192.9.200.0
    Two ADSL routers - gateways to the internet
    A pfSense 2.0RC3 box
    Three interfaces: one for the LAN and two (WAN and OPT WAN) to connect with each router.

    Site B - in a remote DataCenter
    192.9.100.0
    A pfSense 2.0RC3 box
    Two interfaces: one for the LAN and another one for the WAN.

    The idea is to create two IPsec VPNs between Site A and Site B:
    One (VPN1) between Site A\WAN and Site B\WAN, through gateway 1
    and one (VPN2) between Site A\OPT WAN and Site B\WAN, through gateway 2.

    Then some IPs of Site A will be routed through VPN1 and some others through VPN2.

    I have been able to connect the two VPNs but there seems to be a routing problem.

    For example, a Site A client attempts to connect to a server on Site B. Then:

    • the firewall log in Site A states that the request is allowed to go out to Site B
    • the firewall log in Site B states that the request is allowed to come in to Site B
    • the firewall log in Site B states that the reply is allowed to go out to Site A
    • the firewall log in Site A states that the request is blocked by the default deny rule!

    There seems to be a problem in the way packets are routed from Site B back to Site A.
    The pfSense box on Site B probably routes the replies through the wrong VPN?!
    I have read somewhere that pfSense is sensitive to situations where the reply comes in through another gateway.

    The above happens even if all firewalls are set with simple allow any to any rules.

    So the question is: is there a way to force the remote pfSense box to route each packet through the correct VPN?
    A static route, maybe, on the IPsec interfaces? Can this be done?

    Is there another idea on how to implement this?

    Many thanks, guys
    Timos & Dmitry
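
The asymmetric path described in the post is what a policy-based IPsec stack produces when two tunnels carry overlapping Phase 2 selectors: the kernel's security policy database (SPD), not the routing table, decides which tunnel a packet enters, and when more than one policy matches the same traffic the first one wins. The Python model below is an added example, not code from the post or from pfSense, that replays the post's scenario with its own addresses. It assumes first-match policy selection and that Site B's two Phase 2 entries both name 192.9.100.0/24 <-> 192.9.200.0/24; the split into /25 halves, the host addresses and the `overlapping_selectors` check are constructed for illustration.

```python
"""Model of how a policy-based IPsec stack picks a tunnel for a packet.

Added example, not part of the original forum post or of pfSense.
Assumptions: policies (Phase 2 selectors) are searched in order and the
first match wins; Site B's two Phase 2 entries overlap as the post suggests.
Addresses are the post's; tunnel names are the post's VPN1/VPN2.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Phase2:
    tunnel: str   # which tunnel (SA pair) this selector belongs to
    local: str    # local (this side) network of the selector
    remote: str   # remote network of the selector


def select_tunnel(spd: List[Phase2], src: str, dst: str) -> Optional[str]:
    """Return the tunnel of the first policy matching (src, dst), else None.

    None means no IPsec policy covers the packet: it would leave in clear
    (or be dropped by the firewall), never through a tunnel.
    """
    s, d = ip_address(src), ip_address(dst)
    for p in spd:
        if s in ip_network(p.local) and d in ip_network(p.remote):
            return p.tunnel
    return None


def round_trip(site_a_spd: List[Phase2], site_b_spd: List[Phase2],
               client: str, server: str) -> Tuple[Optional[str], Optional[str]]:
    """Tunnel used for the request (A -> B) and for the reply (B -> A)."""
    out = select_tunnel(site_a_spd, client, server)
    back = select_tunnel(site_b_spd, server, client)
    return out, back


def overlapping_selectors(spd: List[Phase2]) -> List[Tuple[str, str]]:
    """Pairs of tunnels whose selectors cover some of the same traffic.

    Any pair returned here means the reply path depends on policy order,
    which is the symptom reported in the post.
    """
    found = []
    for i, a in enumerate(spd):
        for b in spd[i + 1:]:
            if (a.tunnel != b.tunnel
                    and ip_network(a.local).overlaps(ip_network(b.local))
                    and ip_network(a.remote).overlaps(ip_network(b.remote))):
                found.append((a.tunnel, b.tunnel))
    return found


# Constructed configuration (assumption): Site A steers the upper half of
# its LAN over VPN2 and the lower half over VPN1.
SITE_A_SPLIT = [
    Phase2("VPN1", "192.9.200.0/25",   "192.9.100.0/24"),
    Phase2("VPN2", "192.9.200.128/25", "192.9.100.0/24"),
]

# Site B as the post implies: both Phase 2 entries cover the whole /24,
# so VPN1 (listed first) swallows every reply.
SITE_B_OVERLAPPING = [
    Phase2("VPN1", "192.9.100.0/24", "192.9.200.0/24"),
    Phase2("VPN2", "192.9.100.0/24", "192.9.200.0/24"),
]

# Site B mirroring Site A's split: each reply has exactly one matching policy.
SITE_B_SPLIT = [
    Phase2("VPN1", "192.9.100.0/24", "192.9.200.0/25"),
    Phase2("VPN2", "192.9.100.0/24", "192.9.200.128/25"),
]

if __name__ == "__main__":
    client, server = "192.9.200.200", "192.9.100.10"   # constructed hosts
    print("overlapping B:", round_trip(SITE_A_SPLIT, SITE_B_OVERLAPPING, client, server))
    print("split B:      ", round_trip(SITE_A_SPLIT, SITE_B_SPLIT, client, server))
    print("overlaps:", overlapping_selectors(SITE_B_OVERLAPPING),
          overlapping_selectors(SITE_B_SPLIT))
```

With the overlapping Site B policies the request leaves Site A over VPN2 and the reply comes back over VPN1, which is the mismatch the firewall log shows; once Site B's selectors are split the same way as Site A's, both directions use the same tunnel. The practical check on the boxes themselves is to dump the loaded policies with `setkey -DP` on each pfSense and look for two entries with the same src/dst networks.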

