On 5/23/2013 11:38 AM, Vick Khera wrote:
> 
> On Thu, May 23, 2013 at 11:17 AM, Peter Milazzo
> <peter.mila...@somersetcapital.com> wrote:
> 
>     My questions are, do I need to set up a second IPsec tunnel for the
>     cable connection (which I believe you can't do) if it fails over,
>     and what will the routing look like? Is there a better way to set
>     this up to accomplish the redundancies?
> 
> 
> As far as I know, there is no automatic way to have a "backup" IPsec
> connection.
> 
> What I do is pre-configure both ends to use my secondary connection (in
> my case a microwave link), but leave that disabled.
> 
> Upon failure, I connect to both pfSense routers via their public
> interfaces (I permit access to the admin from very specific IP addresses
> I own, such as the secondary connection's WAN address) and disable the
> primary tunnel, and enable the secondary tunnel.  Sometimes I have to
> turn off IPsec entirely and restart it, but usually not.
> 
> I really wish there was a way to automate this, but I think detecting
> where the fault is may be too difficult.  I.e., is it the local WAN that
> is down and needs to switch to the secondary WAN? Is it the remote WAN
> down and needs to switch to that end's secondary WAN? Is it just IPsec
> failing to negotiate at all? What if one end thinks the connection is
> up, and the other does not? Now there is no agreement on where to
> connect the endpoints.

You can do this on 2.1. Select a failover gateway group (one gateway per
tier) as the "Interface" for IPsec. Set up a dyndns hostname that uses
the same failover gateway group for its interface. Use that dyndns host
as the peer address on the other end.

If the first gateway goes down, the dyndns updates to the second WAN,
and IPsec moves there. The far side router will see the dyndns update
happen and then update to see the 'new' IP address of the IPsec tunnel.
It may take a minute or two for it to happen, but it should work.

Nailing up some OpenVPN tunnels and using OSPF is faster, but can still
have some issues. The gateway group for the interface bit works for
OpenVPN on 2.1 also, but would be faster than IPsec because the far side
doesn't have to know/update the peer IP and you don't need the dyndns part.

Jim
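The failover scheme Jim describes, as an added simulation that is not pfSense code or part of the original thread: a tiered gateway group picks the active WAN, a dyndns record bound to that group follows it, and the far side re-resolves the peer hostname and re-establishes the tunnel when the address changes. The gateway names, addresses and hostname are constructed sample values, and `DynDns` stands in for a real dynamic DNS provider.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Gateway:
    name: str      # constructed sample names, e.g. WAN_FIBER / WAN_CABLE
    address: str   # WAN address the dyndns record will publish
    tier: int      # lower tier = preferred, as in a pfSense gateway group
    up: bool = True


def active_gateway(group: List[Gateway]) -> Optional[Gateway]:
    """Lowest-tier gateway that is up, or None when every tier is down."""
    alive = [gw for gw in group if gw.up]
    return min(alive, key=lambda gw: gw.tier) if alive else None


class DynDns:
    """Stand-in for the dyndns provider (constructed): hostname -> address."""
    def __init__(self) -> None:
        self.records = {}

    def update(self, host: str, addr: str) -> None:
        self.records[host] = addr

    def resolve(self, host: str) -> Optional[str]:
        return self.records.get(host)


@dataclass
class RemotePeer:
    """Far-side router: peer configured by hostname, tracks the last address used."""
    peer_host: str
    current_peer: Optional[str] = None
    reconnects: int = 0

    def refresh(self, dns: DynDns) -> bool:
        """Re-resolve the peer; reconnect (return True) only if the address moved."""
        addr = dns.resolve(self.peer_host)
        if addr is None or addr == self.current_peer:
            return False
        self.current_peer, self.reconnects = addr, self.reconnects + 1
        return True


def simulate(group: List[Gateway], host: str, dns: DynDns, remote: RemotePeer,
             events: List[Tuple[str, bool]]) -> List[Optional[str]]:
    """Apply (gateway name, up?) transitions; return the far side's peer after each."""
    history = []
    for name, up in events:
        for gw in group:
            if gw.name == name:
                gw.up = up
        gw = active_gateway(group)
        if gw is not None:               # all down: record keeps the stale address
            dns.update(host, gw.address)
        remote.refresh(dns)
        history.append(remote.current_peer)
    return history
```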

_______________________________________________
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list