IPsec multi-wan failover



  • Has anyone had any experience configuring this?  It is listed as an option:  http://doc.pfsense.org/index.php/2.1_New_Features_and_Changes

    I have 2 offices with multi-WAN failover due to problematic internet connections and both locations have IPSEC tunnels going back to the hub (Office) location and need the VPN tunnel to be able to stay up if the WAN fails over.

    Any tutorials???

    Each location has only one pfSense box.  Not CARP.


  • Rebel Alliance Developer Netgate

    It should work fine though for pfSense to pfSense you need both the IPsec tunnel set to a failover gateway group and a DynDNS entry set to the same failover gateway group, and then use that dyndns host as the remote peer address for the other side.

    Then when WAN1 fails to WAN2, the dyndns IP changes, so the far side knows to accept the new peer, and that’s where IPsec will start connecting from.



  • Are there any tutorials for this process?  I have not been able to find one…


  • Rebel Alliance Developer Netgate

    Not yet. That’s really all there is to it though.

    Set up DynDNS, set to use a failover gateway group.
    Set up IPsec to use the same failover gateway group.
    Set the other end to use the DynDNS host as the peer address.



  • But DynDNS uses a name and the gateways require IP addresses, so I am not following you.


  • Rebel Alliance Developer Netgate

    IPsec peers can be hostnames.

    The identifier is left as “My IP Address” and “Peer IP Address”. The remote gateway for IPsec is the dyndns hostname.



  • jim, what were the changes in 2.1 that facilitated this new IPsec multi-wan failover feature?


  • Rebel Alliance Developer Netgate

    I’d have to dig through the code, I don’t recall, it’s been several months. databeestje originally did the work.



  • Hi.

    I have set up this with 2 pfSense, 2 dedicated static IP WANs.

    Results are not what I expect:
    When WAN1 goes down on Local pfSense:
    Dyn updates failover group.
    Firewall rules using failover group as WAN act correctly.
    IPsec tunnel does not come UP. Logs show that it is trying to use WAN1 IP address to establish tunnel. Remote pfSense does not permit connections from that peer.

    Remote pfSense:
    IPsec tunnel goes down after timeout; as Dyn hostname has been updated, IPsec tries to establish tunnel to new IP address, Remote pfSense does not respond.
    IPsec logs show an unknown peer trying to establish a connection to local IPsec port.

    Solution:
    I have to restart racoon service on Local pfSense for racoon to start using WAN2 IP.

    Same results if WAN1 goes down on Remote pfSense.

    Is there a way to add that when routing changes due to multi-WAN failover, a service(s) can be restarted?
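A check script, added here and not taken from the thread or from pfSense, that detects the condition this post describes: after a failover the DynDNS record, the address of the now-active gateway and the local address the IPsec daemon is negotiating from must all agree, and the script names which one lags behind. The status line format is strongSwan's `ipsec statusall` output (the daemon pfSense 2.2 and later use); the hostnames, addresses and sample status line are constructed.

```shell
#!/bin/sh
# Added example, not part of the thread or of pfSense itself.
# After a multi-WAN failover three things must agree: the IP the DynDNS
# hostname resolves to, the address of the gateway that is now active, and the
# local address the IPsec daemon is actually negotiating from. The post above
# describes the third one lagging behind (tunnel stays on the failed WAN's IP).
#
# On a live box the inputs would come from, e.g. (hostname is a placeholder):
#   DDNS_IP=$(host -t A vpn.example.dyndns.org | awk '/has address/ {print $4}')
#   STATUS=$(/usr/local/sbin/ipsec statusall)      # pfSense 2.2+ (strongSwan)
#   ACTIVE_GW_IP=<address of the gateway currently active in the group>

# Print the local address of the first ESTABLISHED IKE SA in strongSwan-style
# status output, e.g.
#   hub[2]: ESTABLISHED 41 minutes ago, 192.0.2.10[192.0.2.10]...198.51.100.1[198.51.100.1]
ipsec_local_addr() {
    printf '%s\n' "$1" | sed -n 's/.*ESTABLISHED .*ago, \([0-9.][0-9.]*\)\[.*/\1/p' | head -n 1
}

# check_failover DDNS_IP ACTIVE_GW_IP STATUS_TEXT
# Prints one word and returns 0 only when everything is consistent:
#   ddns-stale  : DynDNS still points at the old WAN, the far side cannot find us
#   no-sa       : no established IKE SA at all
#   ipsec-stale : SA is still bound to an address other than the active gateway
check_failover() {
    ddns_ip=$1; gw_ip=$2; sa_ip=$(ipsec_local_addr "$3")
    if [ "$ddns_ip" != "$gw_ip" ]; then
        echo ddns-stale; return 1
    fi
    if [ -z "$sa_ip" ]; then
        echo no-sa; return 3
    fi
    if [ "$sa_ip" != "$gw_ip" ]; then
        echo ipsec-stale; return 2
    fi
    echo ok; return 0
}

# Constructed sample: DynDNS and the gateway group have both moved to WAN2
# (203.0.113.20) but the SA still sits on WAN1 (192.0.2.10), the case reported above.
SAMPLE_STATUS='hub[2]: ESTABLISHED 41 minutes ago, 192.0.2.10[192.0.2.10]...198.51.100.1[198.51.100.1]'
check_failover 203.0.113.20 203.0.113.20 "$SAMPLE_STATUS" || :   # prints ipsec-stale
```

Run it from cron or a gateway-group alert hook; a non-zero return is the signal that the tunnel needs a restart even though the status page may still show it as up.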


  • Rebel Alliance Developer Netgate

    Try the patch from this ticket:
    http://redmine.pfsense.org/issues/2896



  • Thank you so much.

    I will try it.



  • I have the same issue but I don’t know how to apply the patch



  • Did anyone ever do this successfully?

    Also, has anyone successfully done multi-wan failover with a sonicwall?

    I also do not know how to apply the patch mentioned except to manually make the changes which doesn’t seem like the best idea.


  • Rebel Alliance Developer Netgate

    The patch is no longer needed. There is a checkbox to activate the behavior on 2.1 (System > Advanced, Misc tab, under IP Security)



  • Ah, got it. So I guess there’s no way to use multiple gateways for the remote side except to use Dynamic DNS?



  • Flojose, what was the behavior after you applied the patch code?

    Results as expected ?



  • Can this be done if one side of the VPN is not a pfSense? I am going to a Fortigate on Fiber in Atlanta with a pfSense in Michigan with Cable and DSL connections.

    Thanks!



  • @sollostech:

    Can this be done if one side of the VPN is not a pfSense? I am going to a Fortigate on Fiber in Atlanta with a pfSense in Michigan with Cable and DSL connections.

    Did you ever get an answer on this? I have a similar scenario and before I bang my head against the wall just wanted to know if you got it working.



  • No unfortunately.



  • Hello guys,

    I have the pfSense firewall 2.1.3 and need to configure IPsec failover with a SonicWall. I know that SonicWall has the option to add a second peer in the IPsec VPN configuration, very easy.

    Have you configured a failover IPsec VPN?



  • Hi to all, has anyone tested this again with new versions of pfSense or have experience?

    Also, does anyone know a DNS service like DynDNS but free? I have one side of the IPsec tunnel with three internet providers with CARP, so having this feature would be amazing.

    How can I create the group routing pointing to the group? I have static IPs on both sides free to use.

    Thanks



  • @niccarp89:

    Hi to all, has anyone tested this again with new versions of pfSense or have experience?

    Also, does anyone know a DNS service like DynDNS but free? I have one side of the IPsec tunnel with three internet providers with CARP, so having this feature would be amazing.

    How can I create the group routing pointing to the group? I have static IPs on both sides free to use.

    Thanks

    Hi,

    I can help you with the tests, ok. Do you have a DynDNS service like noip.com?



  • I have a WatchGuard firewall on one end with multi-WAN; when going from WatchGuard to WatchGuard it works fine.

    I now want to connect the multi-WAN WatchGuard over IPsec VPN to a pfSense box with one WAN connection.

    What setup needs to be done on both sides to get this to work so the pfSense knows what remote peer to connect to.

    Right now it works when the connection is dropped but it will not drop the connection and fail over to the preferred peer.

    Thanks



  • @jimp:

    The patch is no longer needed. There is a checkbox to activate the behavior on 2.1 (System > Advanced, Misc tab, under IP Security)

    I am sorry, I can not find the checkbox in 2.2.6-RELEASE (amd64), under (System > Advanced, Misc tab, under IP Security), there is:
    "These settings have moved to VPN > IPsec on the Advanced Settings tab. "

    And in (VPN > IPsec on the Advanced Settings tab.) none of the options seem to be related, there are just these sections:
    IPsec Logging Levels
    Unique IDs
    IP Compression
    Strict interface binding
    Unencrypted payloads in IKEv1 Main Mode
    Maximum MSS
    Disable Cisco Extensions
    Strict CRL Checking
    Make before Break
    Auto-exclude LAN address

    However in documentation (https://doc.pfsense.org/index.php/Advanced_IPsec_Settings) is mentioned “Force IPsec Reload on Failover”.

    Or the checkbox disappeared because IPsec multi-wan failover is performed reliably and IPsec restart is not needed anymore?

    Thank you


  • Rebel Alliance Developer Netgate

    pfSense 2.2 and later uses a different IPsec daemon that no longer requires that setting.



  • @jimp:

    Set up DynDNS, set to use a failover gateway group.
    Set up IPsec to use the same failover gateway group.

    I’ve done this and the DynDNS works fine, updating the IP as the interfaces go up and down. But the IPSEC config isn’t getting updated unless I manually reload it. Did I miss anything?
    ps: I’m using this group in a Mobile Ipsec, not site-to-site.



  • I figured out what was wrong.

    I was testing this failover feature by “marking the gateway as down”, right at the “System -> Routing -> Edit Gateway -> Force State”.
    This causes the DDNS service to immediately update your DDNS record, but not the IP in the IPSEC conf file. Now I tested the failover by using the “ifconfig emx down” command, and this time both DDNS (though with some minor delay when compared to the previous option) and IPSEC updated the IP according to the active gateway’s IP.

    So, IPSEC doesn’t update its active gateway’s IP when using the “mark this gateway as down” option. Is this working as intended?



  • And, we still have the bug that I posted:

    IPSEC bound to WAN gateway group and Dynamic DNS doesn’t to fail back tunnel to WAN on DDNS update
    https://redmine.pfsense.org/issues/6370

    What can I do to get this issue looked at? It’s still an open bug, but not confirmed nor assigned for fixing.



  • Same here.
    Got a fast but unstable Vodafone cable Link (primary) and a slow but solid Telekom ADSL (backup).
    Last night, the cable link went down and up again several times. Due to the setting “enable default gateway switching” my servers were still reachable via a DynDns, but my site2site Ipsec tunnel (to DR Location) would use the wrong IP even after DynDns being updated.
    The tunnel was still shown as active in the morning, but no traffic was passing. Using the Restart button to restart IPSec did NOT solve the Problem, manually stopping and starting IPsec again DOES solve the problem…

    Had the same behaviour several times before…

    BTW: using latest 2.3.1_5

    @Steven Perreau: Did you also post a bug report on GitHub?  Is this necessary / useful / recommended? I don’t know which platform is used by the developers…



  • @st_rupp:

    Using the Restart button to restart IPSec did NOT solve the Problem, manually stopping and starting IPsec again DOES solve the problem…

    I was working on a dual-WAN system yesterday where one of the links was flapping.  Had the exact same problem. Scratched my head for a while before trying what you did (completely stopping and then afterwards starting the Ipsec service)



  • @jimp:

    Not yet. That’s really all there is to it though.

    Set up DynDNS, set to use a failover gateway group.
    Set up IPsec to use the same failover gateway group.
    Set the other end to use the DynDNS host as the peer address.

    Sorry, but I don’t have DynDNS access to make the setup because both firewalls are in my internal network (no internet access), so does another way exist to make IPsec work over multi-WAN failover?
    Sorry about my English.


  • Rebel Alliance Developer Netgate

    No, Dynamic DNS is the only viable way at the moment.

    Use an internal dynamic DNS server then. Set up BIND somewhere with an RFC2136 dynamic zone and have the other firewall use it to resolve hosts for a private domain.

    That’s all out of scope for this thread/board though.



  • Another question… can I use a gateway group in the local endpoint??? Because it is shown in my interface list.
    @jimp:

    No, Dynamic DNS is the only viable way at the moment.

    Use an internal dynamic DNS server then. Set up BIND somewhere with an RFC2136 dynamic zone and have the other firewall use it to resolve hosts for a private domain.

    That’s all out of scope for this thread/board though.

    I was thinking of doing that but don’t know how; I’m using Windows Server 2012 as internal DNS server … is it possible to do it over that?? Or another possible solution found here http://arkanis.de/weblog/2015-11-27-build-your-own-dyndns, correct me please, thanks.


  • Rebel Alliance Developer Netgate

    If it’s an internal DNS server on one side or the other, then you’d have to expose that to the Internet which probably isn’t what you want. It’s best to have it be a server with a dedicated static address if possible. If it’s all internal you end up in a catch 22/chicken-egg scenario. To reach the DNS server you need the VPN, but without the VPN, you can’t reach the DNS server.



  • IPSEC failover using Dynamic DNS and multi WAN has never worked properly on any of my sites since 2.2. It has with all my testing just hung, never updated the dynamic DNS and never failed over. It looks like bug 7719, which is fixed in 2.4.0, finally solves Dynamic DNS. It looks like it was an issue with gateway groups.

    https://redmine.pfsense.org/issues/7719

    I will be testing as soon as 2.4.0 is released and I’ll report my findings!



  • @Steven:

    IPSEC failover using Dynamic DNS and multi WAN has never worked properly on any of my sites since 2.2. It has with all my testing just hung, never updated the dynamic DNS and never failed over. It looks like bug 7719, which is fixed in 2.4.0, finally solves Dynamic DNS. It looks like it was an issue with gateway groups.

    https://redmine.pfsense.org/issues/7719

    I will be testing as soon as 2.4.0 is released and I’ll report my findings!

    Does it work?



  • I haven’t tested extensively, but the 2.4.0 update did not seem to resolve failover issues on my end. Would be really interested in results from other people though.



  • Dear All,

    Are there any recent guides on this topic? Finally I’d like to implement multi-WAN fail-over, but can’t understand completely how. The main concern is: do I have to use Dynamic DNS, or is it possible to avoid this technique and use some sort of routing protocol?
    On the other hand, for me it’s not a must to use IPsec; I can take OpenVPN to achieve my goal.

    Thanks for your replies in advance!



  • Right, my latest testing on 2.4.3 is that DDNS still does NOT work.

    I can’t believe that the pfsense team with the various tickets and bugs aren’t actually fixing things and not testing it, (e.g. bug 8333) so that got me thinking.
    https://redmine.pfsense.org/issues/8333

    I wonder if the issue is:

    My gateway group consists of 2 CARP entries, WAN1 carp and WAN2 carp and I wonder wonder wonder if that’s why ddns just never updates!

    However, as it stands today, 2 pfsense in an HA cluster with multi WAN (WAN1 and WAN2) - on failing WAN1, ddns entry goes RED on the status pages but never actually updates and goes green with the WAN2 carp address.



  • Well, I’m one more with the same problem.

    First of all, PFsense 2.4.2, both sides with Group Gateway Failover, DDNS on Remote Gateway.

    So, I’m reading a lot of articles and, … I’ll test a single change in the IPsec configuration. VPN > IPSEC > Advanced Configuration > Configure Unique IDs as NO.

    Why ? https://blog.bravi.org/?p=1209

    I don’t know if I misunderstood, but I’ll try this shot …



© Copyright 2002 - 2018 Rubicon Communications, LLC