Netgate Discussion Forum

MPLS ipSec Failover Confusion

Routing and Multi WAN
    kantlivelong
    last edited by Sep 20, 2011, 7:35 PM

    Hello All!

    I cannot for the life of me seem to figure out how to set this up. I'm running pfSense 2.0-RELEASE (been using 2.0 since betas). Basically we have our pfSense router as the primary gateway. We then have another router on the same LAN that handles MPLS. In the event that the MPLS link is down, I'd like to connect to the concentrator via IPsec VPN. I cannot seem to figure out how to do the failover for this.

    pfSense LAN IP: 192.168.1.1/24
    MPLS Router IP: 192.168.1.2/24

    I've configured an IPsec VPN for 192.168.2.0/24 on the pfSense box to the concentrator.

    How do I route traffic going to 192.168.2.0/24 through IPsec only on MPLS failure?

      podilarius
      last edited by Sep 20, 2011, 8:18 PM

      Does the flow go like "computer -> pfSense -> MPLS -> Internet"? If you just need to create a route, then go to System -> Routing and set up a Gateway, then a route using the new gateway. It could be that you need to have a dedicated machine behind the VPN so that you can connect to it and then access the concentrator.

      Generally I would think your route would go Computer -> VPN server -> pfSense -> Internet. This way the VPNed connections would get rerouted based on the VPNs connected and then all the rest of the traffic would be sent on to be routed by pfSense.

      You could also create routes on pfSense to forward all private LANs (except for your LAN) on to the VPN, as only private traffic would be going to VPNs.

      Nothing would be auto in a failure though. I don't really know a way to do that either.

        kantlivelong
        last edited by Sep 20, 2011, 8:23 PM

        Thanks for the reply!

        Normal VPN operation:
        Computer -> pfSense -> MPLS Router -> MPLS CLOUD

        Failover VPN operation:
        Computer -> pfSense -> WAN2 -> IPsec Tunnel -> MPLS CLOUD

        Internet would be handled by regular WAN1/WAN2 failover.

        Here's a cheesy 5 min diagram in mspaint:
        RED=Normal
        ORG=Failover

        http://img823.imageshack.us/img823/2064/vpnfailover.png

          podilarius
          last edited by Sep 20, 2011, 8:33 PM

          I don't know of an auto-failover but you could use OpenVPN and have a disabled site-site VPN. In the event of a failure, you would have to manually change the routes to use VPN and not the MPLS. Same on the other side of the VPN. That is all I can offer though.

            kantlivelong
            last edited by Sep 21, 2011, 3:48 PM

            I tried policy based routing which worked on failure but never switched back :/
