Strongswan High Availability IPsec VPN $500



  • I am sure many others are looking for this as a solution.

    I have many locations that have multi-WAN between their primary location and satellite locations. Currently, if the VPN goes down due to WAN1 going down, all VPN traffic stops. I have seen several solutions which recommend OpenVPN, but that is not an option for most clients that I have.

    Since 2.2 will be including strongSwan, I am hoping that this feature, which is shown in the link, can be incorporated into pfSense. The article does make reference to the Linux kernel, so I am unsure whether or not the same functionality is available in FreeBSD currently. If yes, then this feature would be a huge benefit.

    https://wiki.strongswan.org/projects/strongswan/wiki/HighAvailability



  • This is already possible in 2.1.x releases, by binding IPsec to a gateway group and/or using an FQDN as the remote, depending on your specific circumstances.



  • Yes, I have read several postings of people trying to get this set up, but so far it looks like there has been little success. Also, I would prefer a solution that does not rely on dyndns.



  • We've done a number of setups like this for support customers that work great.

    The HA functionality you linked isn't relevant to this type of circumstance; that's for active/active clustered machines.

    Dynamic DNS is likely to be a requirement with any solution along these lines that offers multi-WAN failover on both sides, as that's the only way you can tell endpoints where they need to be connecting. That's strictly referring to IPsec tunnel mode; if you go with transport mode, tunnels and a routing protocol, that's not a requirement. Which options are workable will depend on what the remote endpoints are; since OpenVPN isn't an option, I presume they're third-party IPsec devices.