Multi-WAN IPsec with failover issue
SenseOfPF
I want to set up Multi-WAN IPsec failover between two sites (A and B) of my company; for the moment I'm in the test phase with GNS3.
On site A, I have a pfSense 2.1.3 cluster with two WAN links in different subnets (optical fiber WAN1 and radio WAN2).
On site B, I have a pfSense 2.1.3 cluster with a single WAN.
I have configured a failover gateway group on the site A pfSense cluster and use it as the site A IPsec VPN endpoint.
On the site B pfSense cluster I have created a test DNS entry endpointA.domain.local (in the "DNS Forwarder" section) pointing to the site A WAN1 virtual IP, and I use it in the IPsec VPN settings as the remote gateway.
All is working perfectly fine in this configuration.
For testing purposes, I switched off the WAN1 gateway on site A, and the failover gateway worked well for the IPsec VPN tunnel: indeed, after this action, on the site A pfSense cluster the local gateway for the IPsec VPN tunnel is the WAN2 virtual IP.
To simulate a dynamic DNS update, on the site B pfSense cluster I modified the endpointA.domain.local DNS entry to point to the site A WAN2 virtual IP, but the problem is that on the site B pfSense cluster the IPsec VPN tunnel does not reload to use the new endpointA.domain.local IP address, and so the tunnel never comes up.
Is there any option to force a tunnel reload in order to use the new endpointA.domain.local IP address?
Perhaps another suggestion for a dynamic DNS facility on pfSense would be the possibility to update a pfSense local DNS entry directly from another pfSense without going through an external dynamic DNS service (e.g. FreeDNS …). In my case, being able to update the endpointA.domain.local DNS entry on site B from the site A pfSense cluster, triggered when the WAN1 gateway fails.
Thanks in advance.
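The situation described in this post (site B keeps using the address that endpointA.domain.local resolved to when the IPsec configuration was loaded, so a later change of the DNS entry is never picked up) can be worked around with a small watchdog on site B that re-resolves the name, compares the result with the address it last acted on, and restarts IPsec only when the address really changed. The script below is an added example written for this thread; it is not code from the original post or from pfSense. The hostname comes from the post; the state-file path, the use of `host` for resolution, and the default RELOAD_CMD are assumptions, and the command that restarts IPsec differs between pfSense versions, so set RELOAD_CMD to whatever restarts IPsec on your box.

```shell
#!/bin/sh
# Added example for this thread, not code from the original post or from pfSense.
# Poll the DNS name used as an IPsec remote gateway; when the address it resolves
# to changes, record the new address and run a reload command.
# Assumptions (not from the post): STATE_FILE, the `host` utility, and RELOAD_CMD.
# RELOAD_CMD must be replaced by the command that restarts IPsec on your pfSense
# version; the default is only a placeholder.

PEER_NAME="${PEER_NAME:-endpointA.domain.local}"
STATE_FILE="${STATE_FILE:-/var/db/ipsec_peer_watch.addr}"
RELOAD_CMD="${RELOAD_CMD:-/usr/local/sbin/pfSsh.php playback restartipsec}"

# Log to syslog when logger exists, otherwise to stderr.
log() {
    if command -v logger >/dev/null 2>&1; then
        logger -t ipsec_peer_watch "$*"
    else
        printf 'ipsec_peer_watch: %s\n' "$*" >&2
    fi
}

# Resolve one A record; prints the first address, or nothing on failure.
resolve_peer() {
    host -t A "$1" 2>/dev/null | awk '/has address/ { print $NF; exit }'
}

# Accept only a dotted-quad IPv4 address, so a resolver error or a stray
# string can never be mistaken for a "new peer address".
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        { exit 0 }'
}

# Compare the address last acted on with the freshly resolved one.
# Prints "unchanged", "changed" or "invalid"; returns 0 only for "changed".
peer_state() {
    if ! is_ipv4 "$2"; then
        echo invalid; return 1
    fi
    if [ "$1" = "$2" ]; then
        echo unchanged; return 1
    fi
    echo changed; return 0
}

# One poll cycle: read the last address from the state file, decide, persist,
# and reload. Returns 0 when a reload was triggered, 1 otherwise. The very
# first run only seeds the state file (the tunnel already uses that address).
check_once() {
    state_file="$1"; resolved="$2"; last=""
    if [ -r "$state_file" ]; then
        last="$(cat "$state_file")"
    fi
    case "$(peer_state "$last" "$resolved")" in
        changed)
            printf '%s\n' "$resolved" > "$state_file"
            if [ -z "$last" ]; then
                log "seeded $PEER_NAME = $resolved"
                return 1
            fi
            log "$PEER_NAME moved $last -> $resolved, reloading IPsec"
            eval "$RELOAD_CMD"
            return 0 ;;
        invalid)
            log "could not resolve $PEER_NAME, keeping ${last:-<none>}"
            return 1 ;;
        *)
            return 1 ;;
    esac
}

# Entry point: resolve and check once. Run from cron every minute:
#   * * * * * /usr/local/bin/ipsec_peer_watch.sh run
main() {
    check_once "$STATE_FILE" "$(resolve_peer "$PEER_NAME")"
}

if [ "${1:-}" = "run" ]; then
    main
fi
```

The resolver failure is the important edge case: if the DNS lookup fails while WAN1 is down, the script keeps the last known address and does not restart the tunnel, so a flapping resolver cannot take down a working tunnel. Note that this only helps the side that dials by name (site B here); site A's own endpoint selection is already handled by its gateway group.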
Arancho Doc
Did you find any suitable solution to your issue?
I think I'm in the same situation (please see my post "Failover not working" in the IPSEC section), but since September I have not had a single comment. :(