New Content #11862

closed

Document High Availability IPSec

Added by Bill Somerville almost 3 years ago. Updated over 2 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: High Availability
Target version: -
Start date: 04/28/2021
Due date:
% Done: 0%
Estimated time:

Description

High Availability is a great feature, but lacks documentation/examples in a couple of areas. I tried to set up a VTI site-to-site config, and while it did sync the config to the backup, it seemed to be only partially configured. For example, I had to assign the tunnel interface on the backup, as that didn't sync. Do I also need to set up the routes? (Seems not).

In the end, it still didn't fail over properly when the master was shut down, leaving me to wonder, what else was missing?

The docs are silent on HA and IPSec, so it seems we need docs on (ideally) all aspects of HA and IPSec: tunnel, VTI and mobile, with examples if possible.

It's possible I'm running into bugs in 2.5.1, but it's hard to evaluate that without any idea of what to expect - docs would tell me that. I'll use the forum to figure out my issues in the interim.

Actions #1

Updated by Jim Pingle over 2 years ago

  • Status changed from New to Closed
  • Assignee set to Jim Pingle

I suspect mostly you were hitting bugs in IPsec that are fixed in 2.6.0/21.09. HA IPsec was covered already, at https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configure.html#carp-environments . Interface assignments never sync. I added a note about that, but that has always been the case and routed IPsec is no different than any other interface in that regard.

I expanded on what was already in the docs for HA IPsec and moved it into the HA chapter, leaving behind an xref in the IPsec section.

The changes won't be made public until Plus 21.09 is released, but that will be very soon.

https://gitlab.netgate.com/docs/pfSense-docs/-/commit/3ee686dac26114fb2347b64c46b2898d20b55e0a
