Netgate Discussion Forum

Testing IPSec failover

IPsec
4 Posts 2 Posters 1.8k Views
  • nickabbey
    last edited by May 27, 2014, 4:38 PM

    Hello,

    We are using pfSense to maintain a persistent IPSec VPN Tunnel to our VPC at AWS. We recently received a communication from Amazon indicating that they will be taking the primary endpoint for that VPN Tunnel offline for scheduled maintenance tomorrow. I've worked with IPSec before, but never on pfSense, and never with Amazon. I just want to test the failover capability tonight while I have no users in the office, so that I can have some confidence that the maintenance window tomorrow will not affect my users.

    We're running pfSense 2.1.2. I thought it would be as simple as identifying and disabling the interface on which the primary tunnel is configured, then monitoring for failover. However, I'm unable to identify the correct interface. I'm wondering if this might not be easier from the other side, i.e., logging in to the VPC router at Amazon and disabling the interface that serves the primary VPN tunnel endpoint.

    Any advice is welcome!

    Thanks in advance,

    Nick

    • dotdash
      last edited by May 27, 2014, 7:11 PM

      You should be able to go to VPN, IPSec, edit the primary connection and check the box to disable the phase 1. If the backup connection is disabled, enable it. The last time I played with AWS, which was a while ago, you could have both connections active and set up BGP, but it would not fail over automatically due to the tunnel trumping the routing table.

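The original poster wanted to disable the primary tunnel and then "monitor for failover". The script below is an added example, not code from the thread or from pfSense: it probes a host inside the VPC at a fixed interval while the primary phase 1 is disabled, prints each reachability change, and reports how long traffic across the tunnel was lost while the backup tunnel took over. The probe host, the use of the system `ping` binary, and the 1-second interval are assumptions, not values from the thread; the `SAMPLE` data is constructed for illustration.

```python
"""Measure connectivity loss across an IPsec tunnel during a failover test.

Added example (not from the forum thread). Run it from a host whose traffic to
the VPC rides the tunnel, then disable the primary phase 1 in pfSense and watch
the output; the summary at the end is the outage window the users would have seen.
"""
import subprocess
import sys
import time
from typing import Iterable, List, Optional, Tuple

Sample = Tuple[float, bool]  # (timestamp, reachable)


def probe(host: str, timeout_s: float = 1.0) -> bool:
    """Send one ICMP echo with the system ping binary (assumed present).

    subprocess's own timeout is used instead of ping's -W/-t flags, since those
    differ between Linux and FreeBSD ping.
    """
    try:
        result = subprocess.run(
            ["ping", "-c", "1", host],
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
            timeout=timeout_s,
        )
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False
    return result.returncode == 0


def outages(samples: Iterable[Sample]) -> List[Tuple[float, float]]:
    """Collapse (timestamp, reachable) samples into (start, end) outage windows.

    An outage still open when the samples end is closed at the last timestamp,
    so a tunnel that never came back is still reported.
    """
    windows: List[Tuple[float, float]] = []
    down_since: Optional[float] = None
    last_ts: Optional[float] = None
    for ts, ok in samples:
        last_ts = ts
        if not ok and down_since is None:
            down_since = ts           # transition up -> down
        elif ok and down_since is not None:
            windows.append((down_since, ts))  # transition down -> up
            down_since = None
    if down_since is not None and last_ts is not None:
        windows.append((down_since, last_ts))
    return windows


def total_downtime(samples: Iterable[Sample]) -> float:
    """Total seconds the far side was unreachable, summed over all outages."""
    return sum(end - start for start, end in outages(list(samples)))


def monitor(host: str, interval_s: float = 1.0, duration_s: float = 300.0) -> List[Sample]:
    """Probe host every interval_s seconds for duration_s seconds, logging state changes."""
    samples: List[Sample] = []
    previous: Optional[bool] = None
    deadline = time.monotonic() + duration_s
    while time.monotonic() < deadline:
        ok = probe(host)
        ts = time.time()
        samples.append((ts, ok))
        if ok != previous:
            stamp = time.strftime("%H:%M:%S", time.localtime(ts))
            print(f"{stamp} {host} {'reachable' if ok else 'UNREACHABLE'}")
            previous = ok
        time.sleep(interval_s)
    return samples


# Constructed sample: tunnel up, a 3-second gap while the backup tunnel
# establishes, then up again. Not captured from a real failover.
SAMPLE: List[Sample] = [
    (0.0, True), (1.0, True),
    (2.0, False), (3.0, False), (4.0, False),
    (5.0, True), (6.0, True),
]

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("usage: failover_probe.py <host-inside-vpc> [duration-seconds]")
        sys.exit(2)
    seconds = float(sys.argv[2]) if len(sys.argv) > 2 else 300.0
    collected = monitor(sys.argv[1], duration_s=seconds)
    for start, end in outages(collected):
        print(f"outage: {end - start:.0f}s")
    print(f"total downtime: {total_downtime(collected):.0f}s over {seconds:.0f}s")
```

Start the script a minute or so before disabling the primary phase 1 so the baseline "reachable" state is recorded, and leave it running until the backup tunnel has carried traffic for a while; a failover that "worked" but cost two minutes of unreachability shows up in the summary, whereas a single successful ping afterwards would hide it.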
      • nickabbey
        last edited by May 27, 2014, 8:18 PM

        Thanks so much for the feedback. I took a look at the page you referenced, and it looks like this is the best way to test it out.
        I'll report my results later this evening after I've completed my test.
        We're not currently using BGP, and we only keep one tunnel up at a time, though I have found some good resources to make that happen.

        Based on how this test shakes out tonight, I may be best served to just use the backup tunnel through end of day tomorrow, and manually bring the primary tunnel back up at close of business tomorrow.

        • nickabbey
          last edited by May 27, 2014, 10:47 PM

          @dotdash:

          You should be able to go to VPN, IPSec, edit the primary connection and check the box to disable the phase 1. If the backup connection is disabled, enable it. The last time I played with AWS, which was a while ago, you could have both connections active and set up BGP, but it would not fail over automatically due to the tunnel trumping the routing table.

          This worked perfectly, and the failover worked flawlessly, to boot! Thanks for the assist and the peace of mind it has brought!

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.