Switch to secondary CARP on IPSEC fail
  • I was wondering if there is any way to make it so that if an IPsec tunnel goes down on the Primary, it is forced to switch to the Secondary.  I read somewhere there is a tool that will down the LAN port if, for example, the WAN port goes down, but could you make that work with an IPsec tunnel instead of a WAN port?

    Here is my idea if you want more information:

    Site1:
                        LAN
                         |
                      CARP IP
               __________|__________
              |                     |
          pfsense1              pfsense2
              |                     |
          wan(isp1)             wan(isp2)
              |                     |
            ipsec                 ipsec

    Site 2:
            ipsec                 ipsec
              |                     |
          wan(isp1)             wan(isp2)
              |                     |
          pfsense3              pfsense4
              |_____________________|
                         |
                      CARP IP
                         |
                       LAN 2

    So if pfsense1, or the tunnel from pfsense1 to pfsense3, went down, LAN1 would now use pfsense2 and LAN2 would use pfsense4.  Make sense?  Can it work?

    Thanks!



  • Another idea: is there a script, or somewhere that will help me write one, that will, on pfsense1, constantly ping pfsense3 and, if the ping fails, down the LAN interface?  Then I would do the same on pfsense3 to monitor pfsense1.  Any ideas?  Or any BSD guys out there who could point me in the right direction?
    Thanks
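The watchdog asked for in the two posts above (ping the far end of the tunnel, and down the LAN interface when it stops answering so CARP moves the VIP to the other node) can be written as a small Bourne shell script for pfSense's FreeBSD base. The script below is an added example for this thread, not code from the poster or from the pfSense project. The peer address, LAN interface name, thresholds and the `peerwatch` syslog tag are placeholders; it uses only the stock FreeBSD `ping`, `ifconfig` and `logger` commands, and the decision step is kept side-effect free so the failover logic can be checked without a network.

```shell
#!/bin/sh
# Peer watchdog for a pfSense (FreeBSD) node. Added example, not from the
# thread or the pfSense project. Probes the far end of the tunnel and, after
# FAIL_LIMIT consecutive misses, downs the LAN interface so CARP preemption
# moves the LAN VIP to the other node; restores the interface only after
# OK_LIMIT consecutive good probes (hysteresis, so a single reply does not flap).
# Every address, interface name and threshold below is a placeholder.

PEER="${PEER:-192.0.2.3}"        # placeholder: pfsense3's address across the tunnel (TEST-NET-1)
LAN_IF="${LAN_IF:-em0}"          # placeholder: LAN interface name on pfsense1
FAIL_LIMIT="${FAIL_LIMIT:-3}"    # consecutive failed probes before downing LAN
OK_LIMIT="${OK_LIMIT:-2}"        # consecutive good probes before restoring LAN
INTERVAL="${INTERVAL:-5}"        # seconds between probes
DRY_RUN="${DRY_RUN:-1}"          # 1 = only log what would be done; 0 = run ifconfig

# probe_peer: one ICMP echo to PEER. If PROBE_CMD is set it replaces ping, so
# the logic can be exercised offline (e.g. PROBE_CMD=false simulates a dead peer).
probe_peer() {
    if [ -n "$PROBE_CMD" ]; then
        $PROBE_CMD
    else
        # FreeBSD ping: -c count, -W per-reply wait in milliseconds
        ping -c 1 -W 2000 "$PEER" >/dev/null 2>&1
    fi
}

# next_state FAILS OKS LAN RESULT  ->  prints "FAILS OKS ACTION"
# Pure decision step. LAN is "up" or "down"; RESULT is 0 (reply) or 1 (no
# reply); ACTION is down, up or none. No side effects, so it is testable.
next_state() {
    fails="$1"; oks="$2"; lan="$3"; result="$4"
    if [ "$result" -eq 0 ]; then
        fails=0; oks=$((oks + 1))
        if [ "$lan" = "down" ] && [ "$oks" -ge "$OK_LIMIT" ]; then
            echo "$fails $oks up"; return 0
        fi
    else
        oks=0; fails=$((fails + 1))
        if [ "$lan" = "up" ] && [ "$fails" -ge "$FAIL_LIMIT" ]; then
            echo "$fails $oks down"; return 0
        fi
    fi
    echo "$fails $oks none"
}

# set_lan up|down: apply the action, honouring DRY_RUN
set_lan() {
    if [ "$DRY_RUN" = "1" ]; then
        logger -s -t peerwatch "dry-run: ifconfig $LAN_IF $1"
    else
        ifconfig "$LAN_IF" "$1"
    fi
}

# watchdog: main loop, never returns. Started only when RUN_WATCHDOG=1.
watchdog() {
    fails=0; oks=0; lan=up
    while :; do
        if probe_peer; then result=0; else result=1; fi
        # next_state runs in a subshell, so its variables do not clobber ours
        set -- $(next_state "$fails" "$oks" "$lan" "$result")
        fails=$1; oks=$2; action=$3
        case "$action" in
            down) logger -s -t peerwatch "peer $PEER missed $fails probes; downing $LAN_IF"
                  set_lan down; lan=down ;;
            up)   logger -s -t peerwatch "peer $PEER answered $oks probes; restoring $LAN_IF"
                  set_lan up; lan=up ;;
        esac
        sleep "$INTERVAL"
    done
}

if [ "${RUN_WATCHDOG:-0}" = "1" ]; then
    watchdog
fi
```

Run it first as `RUN_WATCHDOG=1 DRY_RUN=1 sh peerwatch.sh` to watch what it would do, then with `DRY_RUN=0` once the thresholds suit the link; the mirror copy on pfsense3 only needs `PEER` and `LAN_IF` changed. Two points matter for the design: the probe target must be an address that is reachable only through the tunnel (otherwise a working WAN masks a dead tunnel), and the failure and recovery counters are separate so one stray reply does not bring the LAN back up and trigger another CARP flip.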



  • You are making your life complicated here.

    You need to connect both WANs to each pf in the CARP cluster, i.e.:

    Site1:
                        LAN
                         |
                      CARP IP
               __________|__________
              |                     |
          pfsense1---(SYNC)---pfsense2
              |                     |
          wan(isp1)             wan(isp1)
          wan(isp2)             wan(isp2)
              |                     |
            ipsec                 ipsec

    Site 2:
            ipsec                 ipsec
              |                     |
          wan(isp1)             wan(isp1)
          wan(isp2)             wan(isp2)
              |                     |
          pfsense3---(SYNC)---pfsense4
              |_____________________|
                         |
                      CARP IP
                         |
                       LAN 2

    On pf we have preemption by default, so if one interface goes (i.e. LAN) the others are failed across as well.

    In the CARP settings tab there is a "Synchronize ipsec" option; checking this will make pf copy your ipsec settings to the slave node. Then if your master fails the ipsec will continue on the slave.



  • Well, from what I have read, you cannot have two tunnels to the same subnet on different ISPs (go to the dual WAN/routing section; tons of people have asked how to do a failover VPN, but everyone says it is currently not possible), so in order for me to handle an ISP failure I wanted to have isp1 on pfsense1 and isp2 on pfsense2 and monitor the other end of the tunnel, so if the ISP or the pfSense goes down it will fail over to pfsense2 and the backup ISP.  If there is a way to do a failover VPN, I suggest you go into the dual WAN/routing section and let everyone know.
    Thanks