IPsec failover using gateway group



  • Has anybody actually been able to configure an IPsec multi-WAN failover using a gateway group? I am using pfSense 2.2.5 and have a gateway group with 2 gateways on different tiers configured for failover. In the IPsec configuration I provide the gateway group as an interface and a dynamic DNS record pointing to the currently active WAN as my identifier. What happens is that when the primary WAN (WAN1) goes down, the WAN failover mechanism kicks in and after a short period of time I can already see that my secondary WAN's (WAN2) IP appears as left in /var/etc/ipsec/ipsec.conf. However, when I tail the ipsec.log it still says that it's sending packets from WAN1's IP. Manually restarting the IPsec at that time doesn't fix the issue either.

    By the way, I have tested the above scenario on pfSense 2.3 and I think that there is a bug, because when WAN1 goes down, the /var/etc/ipsec/ipsec.conf is not changed at all in order to switch the left with the appropriate WAN2 IP. Can anybody else confirm that this is not working as expected in the latest version as compared to pfSense 2.2.x?



  • I guess that nobody else noticed this possible bug in pfSense 2.3?

    Even if I do make the IPsec failover work from pfSense's side, I won't be able to perform failover on the other side of the tunnel. That's why I am thinking of another way to perform this - have 2 different IPsec tunnel configurations for the different WANs, but keep only one of those enabled at a certain time. When one of the WANs goes down, I will manually disable the first tunnel and enable the other one. In order to do this, however, I would have to be able to enable/disable IPsec tunnels from the command line. Is there an existing CLI way to do this?



  • Even in the best case scenario, you still need to rely on some DDNS service and triggers to restart the IPsec daemon, to make this work. It is more of a clever hack than real networking stuff.

    The best way to configure failover with IPsec is to set up GRE tunnels within IPsec (which itself is going to be configured in transport mode), so that you have one active tunnel between each IP, always active. With this setup, the routing is not handled anymore by the SAs but by regular routing table entries.

    Then you can use OSPF (or some other routing protocol) to handle the routing when something goes down.



  • @georgeman:

    Even in the best case scenario, you still need to rely on some DDNS service and triggers to restart the IPsec daemon, to make this work. It is more of a clever hack than real networking stuff.

    The best way to configure failover with IPsec is to set up GRE tunnels within IPsec (which itself is going to be configured in transport mode), so that you have one active tunnel between each IP, always active. With this setup, the routing is not handled anymore by the SAs but by regular routing table entries.

    Then you can use OSPF (or some other routing protocol) to handle the routing when something goes down.

    But GRE is unencrypted… isn't it?



  • @aventrax:

    But GRE is unencrypted… isn't it?

    Yes, that's why you wrap the GRE tunnel within IPsec, so the whole tunnel gets encrypted.


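The GRE-inside-IPsec layout described in the thread, sketched as a strongSwan ipsec.conf fragment (the format of the /var/etc/ipsec/ipsec.conf file mentioned in the first post). This is an added example, not a configuration from any poster and not pfSense-generated output. The addresses are documentation-range placeholders, the conn names are hypothetical, and it assumes a single peer address with a pre-shared key defined separately in ipsec.secrets.

```conf
# Constructed example: one transport-mode SA per local WAN address,
# each restricted to GRE (IP protocol 47) so only the GRE tunnel
# endpoints are covered and everything inside GRE is encrypted.

conn %default
    keyexchange=ikev2
    authby=secret          # PSK lives in ipsec.secrets (not shown)
    type=transport         # protect host-to-host traffic, no tunnel-mode selectors
    leftprotoport=47       # 47 = GRE
    rightprotoport=47
    dpdaction=restart      # renegotiate when the peer stops answering
    dpddelay=10s
    auto=start             # bring both SAs up at start and keep them up

# Path 1: WAN1 address to the remote peer (placeholder addresses)
conn gre-wan1
    left=192.0.2.10
    right=203.0.113.20

# Path 2: WAN2 address to the same remote peer (placeholder addresses)
conn gre-wan2
    left=198.51.100.10
    right=203.0.113.20

# Outside this file:
#   - one GRE interface per path, using the same address pairs as above
#   - OSPF (or another routing protocol) running over both GRE interfaces,
#     so a dead path is withdrawn from the routing table instead of
#     requiring the IPsec configuration to change
```

Because both SAs stay established, a WAN outage changes only which GRE interface the routing protocol prefers; the `left` address of each conn never has to be rewritten.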