Anyone Successful with Redundant VPN connections?



  • I've found a bunch of posts asking about it, but has anyone been successful in creating a redundant VPN connection between 2 sites, each with 2 ISPs?



  • The closest I've come is creating a parallel tunnel on the second WAN and disabling it. When the primary of either site fails, you can manually disable the primary tunnel and enable the secondary. Not automatic or graceful, but it works.



  • Well, I have an idea (maybe someone in this section can help):
    Have two pfSense firewalls at each location, isp1 into pfsense1, isp2 into pfsense2 (and the same at the second location).  Have CARP set up so that pfsense1 can fail over to pfsense2.  Here is a simple diagram:

                    LAN 1
                      |
                   CARP IP
               _______|_______
              |               |
          pfsense1--(SYNC)--pfsense2
              |               |
          wan(isp1)       wan(isp2)
              |               |
             vpn             vpn
              |               |
          wan(isp1)       wan(isp2)
              |               |
          pfsense3--(SYNC)--pfsense4
              |_______________|
                      |
                   CARP IP
                      |
                    LAN 2

    Then have a script or tool that pings the pfSense box on the other side of the VPN tunnel (so pfsense1 would ping pfsense3, pf3 would ping pf1, and so on). As soon as the pings fail, the script would force the primary pfSense firewall at each location to fail over (maybe by taking the LAN interface down) to the secondary, which already has a tunnel up and running between pf2 and pf4.

    Does this make sense?  Is it possible (I haven't played with CARP yet)?  Anyone have any ideas on the script to monitor the other side of the tunnel?

    It seems to me that if it works it could work very well: your VPN, ISP, or firewall could fail and it would switch to the backup automatically. You could most likely modify the script that monitors the VPN tunnel to control how fast you want it to switch; you could probably even add something that monitors the reply times and fails over if they get too high.

    Let me know your ideas!
    Thanks



  • IMO, using CARP is making it more complex than it has to be, and limits you if you are using CARP for failover. I think you would just need a mechanism to detect the tunnel is down, then switch the active VPN tunnel and restart racoon. Perhaps a check to see if the remote WAN2 was reachable via the local WAN2 before switching.
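    The monitoring logic the two posts above sketch (consecutive lost pings before switching, a reply-time limit, a check that the backup path is reachable before switching, and a hold-down before failing back) as an added example; this is not code from the thread or from pfSense. The peer addresses are hypothetical, and the actual tunnel enable/disable commands are left as a hook to be replaced with whatever the deployment uses.

```python
"""Decision logic for a VPN tunnel failover monitor (added example, not pfSense code)."""
from dataclasses import dataclass
import subprocess
import time


@dataclass
class FailoverMonitor:
    fail_threshold: int = 3      # consecutive bad probes before failing over
    rtt_limit_ms: float = 500.0  # a reply slower than this counts as a failure
    holddown: int = 10           # good probes of the primary path before failing back
    active: str = "primary"
    failures: int = 0
    good: int = 0

    def _bad(self, ok, rtt_ms):
        return (not ok) or rtt_ms > self.rtt_limit_ms

    def observe(self, primary_ok, primary_rtt_ms, backup_ok):
        """One probe round. Returns 'none', 'failover', 'failback', or 'hold'
        (switch wanted, but the backup path is not reachable, so stay put)."""
        if self.active == "primary":
            if self._bad(primary_ok, primary_rtt_ms):
                self.failures += 1
                if self.failures >= self.fail_threshold:
                    if not backup_ok:
                        return "hold"
                    self.active, self.failures, self.good = "secondary", 0, 0
                    return "failover"
            else:
                self.failures = 0      # a good reply resets the streak
            return "none"
        if self._bad(primary_ok, primary_rtt_ms):
            self.good = 0              # primary still flapping: keep the secondary
            return "none"
        self.good += 1
        if self.good >= self.holddown:
            self.active, self.good = "primary", 0
            return "failback"
        return "none"


def probe(host, timeout_s=2.0):
    """One ICMP probe; RTT is approximated by the wall-clock time of `ping -c 1`."""
    start = time.monotonic()
    try:
        ok = subprocess.run(["ping", "-c", "1", host], capture_output=True,
                            timeout=timeout_s).returncode == 0
    except subprocess.TimeoutExpired:
        ok = False
    return ok, (time.monotonic() - start) * 1000.0


if __name__ == "__main__":
    mon = FailoverMonitor()
    while True:  # hypothetical addresses: remote pfSense via the tunnel, remote WAN2 via local WAN2
        p_ok, p_rtt = probe("192.0.2.1")
        b_ok, _ = probe("198.51.100.1")
        action = mon.observe(p_ok, p_rtt, b_ok)
        if action != "none":
            print(action)  # hook: replace with the tunnel enable/disable commands
        time.sleep(5)
```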



  • I agree, unless you are planning on running CARP anyway.  Plus the whole failover could be much faster since it wouldn't have to start a new tunnel or restart racoon.



  • @dotdash:

    The closest I've come is creating a parallel tunnel on the second WAN and disabling it. When the primary of either site fails, you can manually disable the primary tunnel and enable the secondary. Not automatic or graceful, but it works.

    Is this something that could be scripted?



  • @Coldfirex:

    Is this something that could be scripted?

    I'm sure it is, but it's easier for me to manually switch my tunnels than to take the time to try to put a script together and test it.

