VPN fully failover



  • Hi!

    I've just finished a setup with 3 offices, each one with 2 pfSense systems (1.2RC2), each system with 2 WANs, according to the following schema:

    http://www.gliffy.com/pubdoc/1312703/L.jpg

    Not yet deeply tested, but all seems to work OK: outgoing connections are load balanced, and if one system goes down, the other one takes over the job really quickly. The sticky connection option is enabled, and I will add some rules to correct FTP and HTTPS issues. So availability and bandwidth are maximized; at that point all is OK.

    Now we also need to guarantee the maximum availability and bandwidth for a VPN system between one office (central) and the other ones (or maybe a meshed setup, all vs. all) in a fully automated way.

    I've been reading all the related documentation, and a lot of forum posts (old ones and new ones).

    My first idea was to use IPsec, but the so-called "failover" option, or using the CARP IP in newer versions, seems, if I understand correctly, to fail over the IPsec tunnels from one system to another, but NOT to fail over one tunnel to another inside the same system.

    Otherwise, creating tunnels this way:
    office1wan1 <---> office2wan1
    office1wan1 <---> office2wan2
    office1wan2 <---> office2wan1
    office1wan2 <---> office2wan2
    ...
    and adding some advanced routing seems problematic, due to having the same remote subnet in more than one tunnel.

    I guess that another option (more limited) with IPsec is a third system in front acting as a balancer, and only 1 WAN in the other two systems, with only 1 tunnel each, to the same ISP WAN at the other office. But that option introduces many points of total failure.

    So, if I understand correctly, the only option to fully accomplish this objective with IPsec will be if in future some dead peer monitor is implemented that does the tunnel failover with given priorities, maintaining only one tunnel active per destination.

    That way, I started studying the OpenVPN documentation (I've never used it before). I found that from 2.0 OpenVPN has some failover options built in. Specifically, in the ovpn client we can specify various remotes, and then according to the documentation they will fail over. If that works, that could be a possible solution for me, with a scenario where all non-main offices establish the tunnels to the main office, and where the traffic is routed between offices if necessary (the endpoint of almost all traffic is the main office).

    But now I have some doubts; I hope that someone experienced with OpenVPN can enlighten me.

    1. pfSense does not have various remotes in the GUI; is it possible to specify them in the custom options field?

    2. The ovpn 2 documentation states that it is no longer necessary to use different ports for each tunnel, so can I specify the same port for various tunnels in pfSense?

    3. I keep asking myself what will happen with the dual-WAN ovpn pfSense client systems. They have the outgoing traffic load balanced, so the server port can be reached from wan1 or from wan2 during a tunnel's usage. So I guess that I must use UDP instead of the connection-oriented TCP for tunnels. If that can work that way, the result is load balanced and failover capable from the client, so it would be very, very cool. Has anyone tested this? My connections are in production right now with IPsec, and I must schedule it if I want to do some tests (which I surely will do).

    4. Can we use a CARP IP as the ovpn server IP? Will it fail over automagically to server system 2 if server system 1 goes down?

    5. Is there a way to keep the tunnel always alive from the pfSense client? A ping or so ... (I'm a little worried about the fact that the tunnel is only created in one direction).

    Of course, I will be grateful if anyone shares any working VPN scenario that accomplishes the objectives.

    Also, I would really like to thank the developers for that great job!

    Best regards,

    Josep M.



  • Hello,

    I have the same problem, so if you have found a solution I am interested.

    Let me know, thanks

