Dual WAN + IPSec passthrough issues

  • Hi there,

    Got a weird one. I've got two VDSL connections, using PPPoE to connect, on two different ISPs.

    My wife was complaining about her Cisco VPN client not connecting anymore, whereas it was working the previous day. The only thing that changed was that I had rebooted pfsense. I tried changing outbound NAT to manual and removing static port NAT udp 500 entries which made no difference.

    ~~Long story short, I can reproduce this problem if I connect both PPPoE connections at the same time: then she can't connect. If I delay connecting PPPoE on the second connection by ~10+ secs, she can connect fine.

    I'm not sure why when both PPPoEs connect at the same time she can't connect, but if I delay either one by ~10+ secs it works fine; looking at the outbound NAT tab it looks identical either way.~~

    Running 2.2-RC (amd64)
    built on Sun Jan 04 18:53:21 CST 2015

    Anyone know why this is the case?

  • This is a routing issue to be fixed.
    When your first PPPoE is connected first, your routing is OK, I guess.

    Logs on your IPsec should tell what is wrong though.

  • It turns out that the time I was giving to initiate the second connection caused load balancing not to work.

    So effectively IPsec passthrough isn't working at all when load balancing the two connections.

    I'll check the logs, but when you try to connect through the client it just attempts to connect indefinitely and doesn't seem to throw up an error. When you take down a connection it connects immediately.

    I've tried setting a static route for the endpoint to go out on WAN1, but that didn't seem to work either.

  • Basically you have to choose your default GW as your primary connection, that is all.
    Due to their dynamic types, whichever of those connections connects first wins the default route.

    Guesstimate on this at 90% :)

  • Yeah, understand

    Everything else works apart from IPsec passthrough.

  • The only way I could get this working was to configure a new firewall rule to send UDP 500 out a single WAN interface.

  • Are you load balancing? If so you were probably sending UDP 500 out one WAN and the ESP out another, which will break things, you can't load balance IPsec like that. Though I'd expect a Cisco IPsec client to be using NAT-T, in which case it's only a single UDP 4500 connection.

  • Yeah, load balancing. I figured something regarding load balancing was breaking it but wasn't really sure how to fix it till I realised I could just create a firewall rule to pass out a single WAN interface.
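The fix the thread arrives at, written out as a pf rule set, as an added example that is not from the original post or from pfSense itself. In the pfSense GUI this corresponds to LAN rules whose Gateway is set to WAN1, placed above the rule that uses the load-balancing gateway group; below is the equivalent FreeBSD pf syntax so the ordering and the protocols involved are visible. Interface names, the LAN subnet and the PPPoE peer addresses are assumptions and must be replaced with your own. It goes slightly beyond the thread's UDP 500 rule: it also pins NAT-T (UDP 4500) and ESP (IP protocol 50), so every leg of one VPN session leaves through the same link regardless of which the client ends up using.

```pf
# Added example (not from this thread): pin all IPsec-related traffic from the
# LAN to one WAN so IKE, NAT-T and ESP of a VPN session share a source address.
# Assumed names and addresses; replace with your own.
lan_if  = "em1"
lan_net = "192.168.1.0/24"
wan1_if = "pppoe0"
wan1_gw = "203.0.113.1"      # assumed WAN1 PPPoE peer address
wan2_if = "pppoe1"
wan2_gw = "198.51.100.1"     # assumed WAN2 PPPoE peer address

# IKE (UDP 500) and NAT-T (UDP 4500): always via WAN1. "quick" makes these
# rules win before the round-robin rule further down is consulted.
pass in quick on $lan_if inet proto udp from $lan_net to any port { 500, 4500 } \
    route-to ( $wan1_if $wan1_gw ) keep state

# ESP (IP protocol 50) has no ports, so a per-state balancer treats it as an
# unrelated flow and may send it out the other WAN; pin it to the same link.
pass in quick on $lan_if inet proto esp from $lan_net to any \
    route-to ( $wan1_if $wan1_gw ) keep state

# Everything else: new states are spread across both WANs (load balancing).
pass in on $lan_if inet from $lan_net to any \
    route-to { ( $wan1_if $wan1_gw ), ( $wan2_if $wan2_gw ) } round-robin keep state
```

Order matters: the pinned rules must sit above the balancing rule, and any state already created for the VPN client under the old rules will keep its old gateway until it expires or is cleared, so reconnect the client after applying. If the pinned WAN drops, this traffic will not fail over; that is the trade-off for keeping IKE and ESP on one address.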
