Testing IPSec failover



  • Hello,

    We are using pfSense to maintain a persistent IPSec VPN Tunnel to our VPC at AWS. We recently received a communication from Amazon indicating that they will be taking the primary endpoint for that VPN Tunnel offline for scheduled maintenance tomorrow. I've worked with IPSec before, but never on pfSense, and never with Amazon. I just want to test the failover capability tonight while I have no users in the office, so that I can have some confidence that the maintenance window tomorrow will not affect my users.

    We're running pfSense 2.1.2. I thought it would be as simple as identifying and disabling the interface on which the primary tunnel is configured, then monitoring for failover. However, I'm unable to identify the correct interface. I'm wondering if this might not be easier from the other side? I.e., logging in to the VPC router at Amazon and disabling the interface that serves the primary VPN tunnel endpoint.

    Any advice is welcome!

    Thanks in advance,

    Nick



  • You should be able to go to VPN, IPSec, edit the primary connection and check the box to disable the phase1. If the backup connection is disabled, enable it. The last time I played with AWS, which was a while ago, you could have both connections active and setup BGP, but it would not failover automatically due to the tunnel trumping the routing table.
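    An added example (not posted by anyone in this thread) for the "monitor for failover" half of the test: while you disable phase 1 on the primary and bring up the backup, run a probe loop from a workstation behind pfSense against a host inside the VPC and measure how long the path is actually down. The VPC host address and port below are placeholders you must replace; the probe itself is a plain TCP connect, and the constructed sample at the bottom shows what the summary looks like for a three-second outage.

```python
import socket
import time

# Placeholders: a host inside the VPC and a TCP port that is listening there
# (e.g. SSH on a bastion). Replace with your own values before running.
VPC_HOST = "10.0.0.10"
VPC_PORT = 22


def tcp_probe(host, port, timeout=2.0):
    """Return True if a TCP connect to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_probe_loop(host, port, duration_s, interval_s=1.0, probe=tcp_probe):
    """Probe host:port every interval_s seconds for duration_s seconds.

    Returns an ordered list of (timestamp, reachable) pairs; timestamps are
    monotonic seconds so the outage arithmetic is immune to wall-clock jumps.
    """
    samples = []
    start = time.monotonic()
    while time.monotonic() - start < duration_s:
        now = time.monotonic()
        samples.append((now, probe(host, port)))
        time.sleep(interval_s)
    return samples


def outage_windows(samples):
    """Turn (timestamp, reachable) samples into (down_at, up_at, seconds) windows.

    A window that is still open when sampling stops has up_at and seconds set
    to None, so an unfinished failover is not silently counted as recovered.
    """
    windows = []
    down_since = None
    for ts, reachable in samples:
        if not reachable and down_since is None:
            down_since = ts
        elif reachable and down_since is not None:
            windows.append((down_since, ts, ts - down_since))
            down_since = None
    if down_since is not None:
        windows.append((down_since, None, None))
    return windows


def summarize(samples):
    """Summary numbers you would quote after the test: probes, failures,
    number of outages, longest and total downtime, and whether it never came back."""
    windows = outage_windows(samples)
    finished = [w[2] for w in windows if w[2] is not None]
    return {
        "probes": len(samples),
        "failures": sum(1 for _, ok in samples if not ok),
        "outages": len(windows),
        "longest_outage_s": max(finished, default=0),
        "total_down_s": sum(finished),
        "still_down": any(w[2] is None for w in windows),
    }


# Constructed sample (not captured from a real tunnel): probes once a second,
# the path drops at t=2 and is back at t=5, i.e. a three-second failover.
CONSTRUCTED_SAMPLES = [
    (0.0, True), (1.0, True), (2.0, False), (3.0, False),
    (4.0, False), (5.0, True), (6.0, True),
]

if __name__ == "__main__":
    # Dry run on the constructed data so the report format is visible offline.
    print("constructed:", summarize(CONSTRUCTED_SAMPLES))
    # Real run: start this, then disable phase 1 on the primary in the GUI.
    # live = run_probe_loop(VPC_HOST, VPC_PORT, duration_s=300)
    # print("live:", summarize(live))
```

Start the loop before you touch the phase 1 entry and leave it running a few minutes past the switch; a `still_down` of True at the end means the backup never carried traffic, which is the case you want to discover tonight rather than during the maintenance window.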



  • Thanks so much for the feedback, I took a look at the page you referenced and it looks like this is the best way to test it out.
    I'll report my results later this evening after I've completed my test. 
    We're not currently using BGP, and we only keep one tunnel up at a time, though I have found some good resources to make that happen.

    Based on how this test shakes out tonight, I may be best served to just use the backup tunnel through end of day tomorrow, and manually bring the primary tunnel back up at close of business tomorrow.



  • @dotdash:

    You should be able to go to VPN, IPSec, edit the primary connection and check the box to disable the phase1. If the backup connection is disabled, enable it. The last time I played with AWS, which was a while ago, you could have both connections active and setup BGP, but it would not failover automatically due to the tunnel trumping the routing table.

    This worked perfectly, and the failover worked flawlessly, to boot! Thanks for the assist and the peace of mind it has brought!

