Is it possible to implement IPSec with failover between one pfSense firewall and Amazon VPC (no BGP)

failoverpfsensevpc

I'm trying to create a VPN connexion between my firewall (a pfsense 2.0.1) and my Amazon Virtual Private Cloud (VPC). Amazon provides two peers endpoints to mount two IPsec tunnels on the same VPC.

At this moment, I'm able to mount an IPSec tunnel between my public IP and one of the Amazon endpoints.
The idea is to avoid a "disconnection" on Amazon side in case of the main tunnel fails and to switch on a backup tunnel (failover on our side is managed with CARP).

I'm trying to mount two IPsec tunnels on the same pfsense gateway (one public IP), just like the following graph:
a VPC

Is it possible to do so with pfSense?

a VPC

The full scenario with a cisco router example is available here: http://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide/Cisco_NoBGP.html

Thank you in advance for your help,

Best Answer

I dont think it possible : Pfsense doc : Both locations must be using non-overlapping LAN IP subnets. And no "ip virtual-reassembly" seen.

btw, pfsense 2.0.1 is outdated, and more recent support IPSec+L2TP

Related Solutions

Cisco – Is it possible to design an E1 redundancy with failover router and single E1 WAN link

I am no expert on these devices, but in looking at the D4E1/D8Eq modules that you reference, it looks like you could possibly take the incoming E1 circuit and break it into two fractional-E1 circuits.

Then you could connect one half of the E1 to each router, but you would be permanently halving your throughput on that particular E1. Perhaps you could send 20 channels to the primary router and only 3 to the backup router, instead of splitting the E1 in half exactly.

However, two caveats:

1) I would reach out to RAD and ask them if this is a supported/intended use for their device. It is very possible that the device simply muxes/demuxes the circuits, but provides no supervision in the sense that your CPE is currently doing. That is to say, an E1 from your carrier may not be able to establish connectivity when connected to this device.

2) In my opinion, you're fixing the wrong failure scenario. I've seen the carrier's E1/T1 go down FAR, FAR, more often than a failure of the CPE. (This seemed to be true both when I was the carrier and working in the enterprise sector.) I would look at carrier redundancy first, then look into duplicating your edge equipment.

Cisco – Load balancing with multiple ISP, two routers and firewall

You could configure a floating static route. This is a method in which two default routes are configured one with a higher AD than the other so that when one link goes down the route would be removed and the backup inserted to take over. For this to work the 2901's would have to be plugged directly into the firewall to detect the link is down and therefor remove the primary route from the routing table.

route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
route outsidebackup 0.0.0.0 0.0.0.0 192.168.2.1 2

P.S. In the question you say you use a 5505 and a 5515, which one is it? The only reason I ask is that the 5505 can have some limitations when it comes to named interfaces.

Best Answer

Related Solutions

Cisco – Is it possible to design an E1 redundancy with failover router and single E1 WAN link

Cisco – Load balancing with multiple ISP, two routers and firewall

Related Topic