Bug #14626
closed
Multi-WAN IPsec does not fail over when preferred WAN loses link
100%
Description
Hi
I have a site to site to vpn over ipsec between HO and a branch office. Now i have got added one more WAN connection to the branch side pfsense. Dyndns with gateway group is configured and everything works as expected. Dyndns updates the failover gateway IP immediately with the help of a cron job which runs at every one minute.
On the HO pfsense in ipsec phase-1, remote gateway is configured as the branche's dyndns hostname.
However a failover never happens and IPsec will not automatically connects to the newly updated dyndns hostname IP. If the branch side pfsense is rebooted, connection will be established.
What configuration is missed which will enable ipsec to drop the tunnel established to the failed IP and to reestablish a new tunnel with the changed/updated dyndns hostname IP automatically.
Thanks
Thomas
Files
| HO.JPG (68.2 KB) HO.JPG | |||
| Branch.JPG (66.6 KB) Branch.JPG | |||
| Branch IPSec.JPG (36.6 KB) Branch IPSec.JPG | Stays in connecting mode, the WAN IP never changes to the failover WAN IP. | ||
| IPSEC Log.txt (32.8 KB) IPSEC Log.txt | IPSec Log file |
Related issues
Updated by Thomas Simon 9 months ago
- File Branch IPSec.JPG Branch IPSec.JPG added
Thomas Simon wrote:
Hi
I have a site to site to vpn over ipsec between HO and a branch office. Now i have got added one more WAN connection to the branch side pfsense. Dyndns with gateway group is configured and everything works as expected. Dyndns updates the failover gateway IP immediately with the help of a cron job which runs at every one minute.
On the HO pfsense in ipsec phase-1, remote gateway is configured as the branche's dyndns hostname.
However a failover never happens and IPsec will not automatically connects to the newly updated dyndns hostname IP. If the branch side pfsense is rebooted, connection will be established.
What configuration is missed which will enable ipsec to drop the tunnel established to the failed IP and to reestablish a new tunnel with the changed/updated dyndns hostname IP automatically.
Thanks
Thomas
The issue here seems to be, 'Local Host WAN IP' is not changing from the failed WAN IP to the failover WAN IP automatically.
the link https://redmine.pfsense.org/issues/13076 talks about the same issue and says an edit to rc.ipsec file fixes the issue.
But didn't get how to make that edit.
Updated by Kris Phillips 9 months ago
Thomas Simon wrote in #note-1:
Thomas Simon wrote:
Hi
I have a site to site to vpn over ipsec between HO and a branch office. Now i have got added one more WAN connection to the branch side pfsense. Dyndns with gateway group is configured and everything works as expected. Dyndns updates the failover gateway IP immediately with the help of a cron job which runs at every one minute.
On the HO pfsense in ipsec phase-1, remote gateway is configured as the branche's dyndns hostname.
However a failover never happens and IPsec will not automatically connects to the newly updated dyndns hostname IP. If the branch side pfsense is rebooted, connection will be established.
What configuration is missed which will enable ipsec to drop the tunnel established to the failed IP and to reestablish a new tunnel with the changed/updated dyndns hostname IP automatically.
Thanks
ThomasThe issue here seems to be, 'Local Host WAN IP' is not changing from the failed WAN IP to the failover WAN IP automatically.
the link https://redmine.pfsense.org/issues/13076 talks about the same issue and says an edit to rc.ipsec file fixes the issue.But didn't get how to make that edit.
Hello Thomas,
Are you seeing attempts to re-establish the IPSec tunnel in the logs? It looks like, based on your screenshots, that your firewall is double NAT'ed.
The redmine you linked should be resolved in 2.7, which you stated in the bug report you are running, so that shouldn't affect you.
Updated by Thomas Simon 9 months ago
- File IPSEC Log.txt IPSEC Log.txt added
Kris Phillips wrote in #note-2:
Thomas Simon wrote in #note-1:
Thomas Simon wrote:
Hi
I have a site to site to vpn over ipsec between HO and a branch office. Now i have got added one more WAN connection to the branch side pfsense. Dyndns with gateway group is configured and everything works as expected. Dyndns updates the failover gateway IP immediately with the help of a cron job which runs at every one minute.
On the HO pfsense in ipsec phase-1, remote gateway is configured as the branche's dyndns hostname.
However a failover never happens and IPsec will not automatically connects to the newly updated dyndns hostname IP. If the branch side pfsense is rebooted, connection will be established.
What configuration is missed which will enable ipsec to drop the tunnel established to the failed IP and to reestablish a new tunnel with the changed/updated dyndns hostname IP automatically.
Thanks
ThomasThe issue here seems to be, 'Local Host WAN IP' is not changing from the failed WAN IP to the failover WAN IP automatically.
the link https://redmine.pfsense.org/issues/13076 talks about the same issue and says an edit to rc.ipsec file fixes the issue.But didn't get how to make that edit.
Hello Thomas,
Are you seeing attempts to re-establish the IPSec tunnel in the logs? It looks like, based on your screenshots, that your firewall is double NAT'ed.
The redmine you linked should be resolved in 2.7, which you stated in the bug report you are running, so that shouldn't affect you.
Hi Kris. thanks for the quick response. Yes, attempting. However on the failed WAN IP itself. Log file attached. What I am doing here is disabling the primary WAN interface(192.168.2.100) to test the failover. Is it the right way to do it ?
Updated by Jim Pingle 9 months ago
Thomas Simon wrote in #note-3:
Hi Kris. thanks for the quick response. Yes, attempting. However on the failed WAN IP itself. Log file attached. What I am doing here is disabling the primary WAN interface(192.168.2.100) to test the failover. Is it the right way to do it ?
That wouldn't replicate a real-world failure. What you should do is somehow prevent it from communicating out that WAN. For example, by unplugging the cable from the Fiber/Cable/Telco going to the CPE on that WAN. Unplugging the WAN is still different than the majority of WAN failures but also worth trying.
Disabling the interface is a much, much different code path that will not be remotely close to anything that would normally happen, and isn't a good test.
Updated by Georgiy Tyutyunnik 7 months ago
- Related to Bug #14829: Multi-WAN Dynamic DNS does not fail over when preferred WAN loses link added
Updated by Jim Pingle 7 months ago
- File 1087.diff added
- Subject changed from IPSec with dual WAN to Multi-WAN IPsec does not fail over when preferred WAN loses link
- Status changed from New to Pull Request Review
- Assignee set to Jim Pingle
- Target version set to 2.8.0
- Plus Target Version set to 23.09
I have a fix for this coming, but it needs more testing.
Internal MR is https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/1087
Diff to test via system patches is attached.
Updated by Jim Pingle 7 months ago
- Status changed from Pull Request Review to Feedback
- % Done changed from 0 to 100
Updated by Jim Pingle 7 months ago
- Status changed from Feedback to Resolved
I've tested this quite a bit since making the changes and it does work, though it takes time since it requires waiting on DNS updates and so on.