IPSec L2L Failover between two pfSense devices

ipsecpfsensesite-to-site-vpn

Is it possible to achieve IPSec L2L failover (ie, from one WAN interface to another) between two pfSense devices using Gateway Groups, or really anything other than defining multiple IPSec connections on both ends and disabling/enabling them manually as needed?

Best Answer

2.1 can do a gateway group on IPsec. Earlier versions require manual intervention for tunnel mode IPsec. Transport mode + a tunnel + a routing protocol, or more easily OpenVPN+a routing protocol, can accommodate that in all 2.x versions.

Related Solutions

Cisco – pfSense to ASA L2L VPN – infrequent, short-lasting, but consistent disconnections

I had a problem that exhibited behavior almost identical to yours. I was trying to run off-site backups with Veeam over the VPN. The job would run fine for somewhere between 2-6 hours usually, but at some point it would fail. Veeam support reviewed the logs and indicated it was related to a poor quality network connection. I looked at the Cisco ASA firewall and it showed errors:

show int eth 0/0 | inc error

The ASA outside interface was configured to auto negotiate speed and duplex, and was running at 100 Mbit half-duplex. I manually set the interface to 100 Mbit full-duplex, and have not had a problem with the off-site backup job since.

Here are the settings I'm using on pfSense 2.0.1. Note that a number of these were not default settings, and I had to verify that the Cisco ASA settings matched (especially lifetimes).

Phase 1:

Authentication method: Mutual PSK
Negotiation mode: aggressive
My identifier: KeyID tag, DefaultL2LGroup
Peer identifier: Peer IP address
Policy Generation: Unique
Proposal Checking: Obey
Encryption algorithm: 3DES
Hash algorithm: MD5
DH key group: 2
Lifetime: 86400
NAT Traversal: Enable
Dead Peer Detection: disabled

Phase 2:

Mode: Tunnel
Protocol: ESP
Encryption: 3DES
Hash: MD5
PFS key group: off
Lifetime: 28800

PFSense with multi WAN failover

Assuming that the WAN1 and WAN2 interfaces of both machines have public IP addresses corresponding to the ISP, you will need to ensure that you also have a VIP on the WAN side for both ISP networks configured in CARP, as setting gateway groups does not appear to also create a VIP.

e.g.

For ISP-1 you may have:

Master.WAN1 166.10.15.1
Backup.WAN1 166.10.15.2
CARP VIP    166.10.15.3

This ensures that the IP source address will not change when pfSense migrates the session over. You would then need the same type of config for ISP-2.

The problem is that whilst this will maintain the SSH (or any active TCP session) for a fail over of PFSense Master to PFSense Backup, it will not help if the active ISP-x fails as your IP address range for each ISP is going to be different preventing pfSense from maintaining the session.

Best Answer

Related Solutions

Cisco – pfSense to ASA L2L VPN – infrequent, short-lasting, but consistent disconnections

PFSense with multi WAN failover

Related Topic