MPLS IPsec Failover Confusion



  • Hello All!

    I cannot for the life of me seem to figure out how to set this up. I'm running pfSense 2.0-RELEASE (been using 2.0 since the betas). Basically we have our pfSense router as the primary gateway. We then have another router on the same LAN that handles MPLS. In the event that the MPLS link is down, I'd like to connect to the concentrator via an IPsec VPN. I cannot seem to figure out how to do the failover for this.

    pfSense LAN IP: 192.168.1.1/24
    MPLS Router IP: 192.168.1.2/24

    I've configured an IPsec VPN for 192.168.2.0/24 on the pfSense box to the concentrator.

    How do I route traffic going to 192.168.2.0/24 through IPsec only on MPLS failure?



  • Does the flow go like "computer -> pfSense -> MPLS -> Internet"? If you just need to create a route, then go to System -> Routing and set up a gateway, then a route using the new gateway. It could be that you need to have a dedicated machine behind the VPN so that you can connect to it and then access the concentrator.

    Generally I would think your route would go Computer -> VPN server -> pfsense -> internet. This way the VPNed connections would get rerouted based on the VPNs connected and then all the rest of the traffic would be sent on to be routed by pfsense.

    You could also create routes on pfSense to forward all private LANs (except for your LAN) on to the VPN, as only private traffic would be going to VPNs.

    Nothing would be auto in a failure though. I don't really know a way to do that either.



  • Thanks for the reply!

    Normal VPN operation:
    Computer -> pfSense -> MPLS Router -> MPLS CLOUD

    Failover VPN operation:
    Computer -> pfSense -> WAN2 -> IPsec tunnel -> MPLS CLOUD

    Internet would be handled by regular WAN1/WAN2 failover.

    Here's a cheesy 5-minute diagram in MS Paint:
    RED=Normal
    ORG=Failover

    http://img823.imageshack.us/img823/2064/vpnfailover.png



  • I don't know of an auto-failover, but you could use OpenVPN and have a disabled site-to-site VPN. In the event of a failure, you would have to manually change the routes to use the VPN and not the MPLS. Same on the other side of the VPN. That is all I can offer though.



  • I tried policy-based routing, which worked on failure but never switched back :/
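
    The missing piece in the last post is the fail-back: something has to keep probing the MPLS path after the switch and undo the change once it is healthy again. Below is an added example of such a watchdog, written for this thread; it is not code from any of the posters and not part of pfSense. It is a plain sh script meant to run from cron on the pfSense (FreeBSD) box every minute. It uses the addresses from the thread (MPLS router 192.168.1.2, remote site 192.168.2.0/24) and assumes a hypothetical probe host on the far side (PROBE_HOST, here 192.168.2.1) that answers ping only over MPLS. A /32 host route keeps the probe pinned to the MPLS router, so the probe still tests the MPLS path while the /24 is failed over. Failover removes the static /24 route toward the MPLS router and failback re-adds it; the script assumes that with the route gone the traffic is left to the configured IPsec phase 2. If your tunnel captures that traffic regardless of the route, keep the probe and state logic and replace set_route with whatever enables or disables the tunnel in your build. Note also that a static route defined in the pfSense GUI is re-installed on every filter reload, so the toggled route should live only in this script.

```shell
#!/bin/sh
# mpls_failover.sh: MPLS -> IPsec failover watchdog with automatic fail-back.
# Added example for this thread; not from the posters or the pfSense project.
# Run from cron every minute:  * * * * * /root/mpls_failover.sh run
#
# Assumptions (edit to match your site):
#   MPLS_GW, REMOTE_NET  taken from the thread
#   PROBE_HOST           hypothetical host at the remote site reachable only over MPLS
#   STATE_FILE           where the state machine persists between cron runs
#   DRY_RUN=1            log decisions without touching the routing table

MPLS_GW="192.168.1.2"
REMOTE_NET="192.168.2.0/24"
PROBE_HOST="${PROBE_HOST:-192.168.2.1}"
STATE_FILE="${STATE_FILE:-/var/run/mpls_failover.state}"
FAIL_THRESHOLD=3        # consecutive failed probes before failing over
OK_THRESHOLD=5          # consecutive good probes before failing back
DRY_RUN="${DRY_RUN:-0}"

# Pure decision step: given the current state ("mpls" or "failover"), the
# two counters and one probe result ("up" or "down"), print "state fails oks".
# Counters reset whenever the probe direction flips, so a single stray reply
# or a single lost packet cannot flap the route; the OK_THRESHOLD hysteresis
# is what gives the "switch back" that policy routing alone did not.
next_state() {
  state=$1; fails=$2; oks=$3; probe=$4
  if [ "$probe" = "up" ]; then
    fails=0
    oks=$((oks + 1))
    if [ "$state" = "failover" ] && [ "$oks" -ge "$OK_THRESHOLD" ]; then
      state="mpls"
    fi
  else
    oks=0
    fails=$((fails + 1))
    if [ "$state" = "mpls" ] && [ "$fails" -ge "$FAIL_THRESHOLD" ]; then
      state="failover"
    fi
  fi
  echo "$state $fails $oks"
}

# One probe over the MPLS path. FreeBSD ping: -W is the per-reply wait in ms.
probe_mpls() {
  if ping -q -c 1 -W 1000 "$PROBE_HOST" >/dev/null 2>&1; then
    echo up
  else
    echo down
  fi
}

# Apply a state to the routing table: "mpls" installs the static route for the
# remote LAN via the MPLS router, "failover" removes it so the traffic is left
# to the IPsec phase 2 (assumption, see lead-in).
set_route() {
  if [ "$DRY_RUN" = "1" ]; then
    logger -t mpls_failover "dry-run: would switch $REMOTE_NET to $1"
    return 0
  fi
  if [ "$1" = "mpls" ]; then
    route -q add -net "$REMOTE_NET" "$MPLS_GW" 2>/dev/null || true   # may already exist
  else
    route -q delete -net "$REMOTE_NET" 2>/dev/null || true
  fi
  logger -t mpls_failover "switched $REMOTE_NET to $1"
}

main() {
  # Pin the probe host to the MPLS router so the probe never rides the tunnel.
  if [ "$DRY_RUN" != "1" ]; then
    route -q add -host "$PROBE_HOST" "$MPLS_GW" 2>/dev/null || true
  fi
  if [ -r "$STATE_FILE" ]; then
    read -r state fails oks < "$STATE_FILE"
  else
    state=mpls; fails=0; oks=0
  fi
  new=$(next_state "$state" "$fails" "$oks" "$(probe_mpls)")
  set -- $new                      # $1=state $2=fails $3=oks
  if [ "$1" != "$state" ]; then
    set_route "$1"
  fi
  echo "$1 $2 $3" > "$STATE_FILE"
}

# Only act when explicitly invoked with "run", so the file can be sourced for testing.
if [ "${1:-}" = "run" ]; then
  main
fi
```

    The decision function is kept separate from the route commands on purpose: it can be exercised without touching the routing table, and the thresholds are the two knobs to tune. Three lost probes a minute apart is a slow failover; shorten the cron interval or the thresholds if the outage needs to be caught faster, but keep OK_THRESHOLD larger than FAIL_THRESHOLD so a flapping MPLS link stays on the tunnel rather than bouncing.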

