Project

General

Profile

Actions

Bug #14626

closed

Multi-WAN IPsec does not fail over when preferred WAN loses link

Added by Thomas Simon 9 months ago. Updated 5 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
IPsec
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
23.09
Release Notes:
Default
Affected Version:
2.7.0
Affected Architecture:

Description

Hi

I have a site to site to vpn over ipsec between HO and a branch office. Now i have got added one more WAN connection to the branch side pfsense. Dyndns with gateway group is configured and everything works as expected. Dyndns updates the failover gateway IP immediately with the help of a cron job which runs at every one minute.

On the HO pfsense in ipsec phase-1, remote gateway is configured as the branche's dyndns hostname.

However a failover never happens and IPsec will not automatically connects to the newly updated dyndns hostname IP. If the branch side pfsense is rebooted, connection will be established.

What configuration is missed which will enable ipsec to drop the tunnel established to the failed IP and to reestablish a new tunnel with the changed/updated dyndns hostname IP automatically.

Thanks
Thomas


Files

HO.JPG (68.2 KB) HO.JPG Thomas Simon, 07/29/2023 03:18 PM
Branch.JPG (66.6 KB) Branch.JPG Thomas Simon, 07/29/2023 03:19 PM
Branch IPSec.JPG (36.6 KB) Branch IPSec.JPG Stays in connecting mode, the WAN IP never changes to the failover WAN IP. Thomas Simon, 07/29/2023 03:22 PM
IPSEC Log.txt (32.8 KB) IPSEC Log.txt IPSec Log file Thomas Simon, 07/30/2023 07:52 PM

Related issues

Related to Bug #14829: Multi-WAN Dynamic DNS does not fail over when preferred WAN loses linkResolvedJim Pingle

Actions
Actions #1

Updated by Thomas Simon 9 months ago

Thomas Simon wrote:

Hi

I have a site to site to vpn over ipsec between HO and a branch office. Now i have got added one more WAN connection to the branch side pfsense. Dyndns with gateway group is configured and everything works as expected. Dyndns updates the failover gateway IP immediately with the help of a cron job which runs at every one minute.

On the HO pfsense in ipsec phase-1, remote gateway is configured as the branche's dyndns hostname.

However a failover never happens and IPsec will not automatically connects to the newly updated dyndns hostname IP. If the branch side pfsense is rebooted, connection will be established.

What configuration is missed which will enable ipsec to drop the tunnel established to the failed IP and to reestablish a new tunnel with the changed/updated dyndns hostname IP automatically.

Thanks
Thomas

The issue here seems to be, 'Local Host WAN IP' is not changing from the failed WAN IP to the failover WAN IP automatically.
the link https://redmine.pfsense.org/issues/13076 talks about the same issue and says an edit to rc.ipsec file fixes the issue.

But didn't get how to make that edit.

Actions #2

Updated by Kris Phillips 9 months ago

Thomas Simon wrote in #note-1:

Thomas Simon wrote:

Hi

I have a site to site to vpn over ipsec between HO and a branch office. Now i have got added one more WAN connection to the branch side pfsense. Dyndns with gateway group is configured and everything works as expected. Dyndns updates the failover gateway IP immediately with the help of a cron job which runs at every one minute.

On the HO pfsense in ipsec phase-1, remote gateway is configured as the branche's dyndns hostname.

However a failover never happens and IPsec will not automatically connects to the newly updated dyndns hostname IP. If the branch side pfsense is rebooted, connection will be established.

What configuration is missed which will enable ipsec to drop the tunnel established to the failed IP and to reestablish a new tunnel with the changed/updated dyndns hostname IP automatically.

Thanks
Thomas

The issue here seems to be, 'Local Host WAN IP' is not changing from the failed WAN IP to the failover WAN IP automatically.
the link https://redmine.pfsense.org/issues/13076 talks about the same issue and says an edit to rc.ipsec file fixes the issue.

But didn't get how to make that edit.

Hello Thomas,

Are you seeing attempts to re-establish the IPSec tunnel in the logs? It looks like, based on your screenshots, that your firewall is double NAT'ed.

The redmine you linked should be resolved in 2.7, which you stated in the bug report you are running, so that shouldn't affect you.

Actions #3

Updated by Thomas Simon 9 months ago

Kris Phillips wrote in #note-2:

Thomas Simon wrote in #note-1:

Thomas Simon wrote:

Hi

I have a site to site to vpn over ipsec between HO and a branch office. Now i have got added one more WAN connection to the branch side pfsense. Dyndns with gateway group is configured and everything works as expected. Dyndns updates the failover gateway IP immediately with the help of a cron job which runs at every one minute.

On the HO pfsense in ipsec phase-1, remote gateway is configured as the branche's dyndns hostname.

However a failover never happens and IPsec will not automatically connects to the newly updated dyndns hostname IP. If the branch side pfsense is rebooted, connection will be established.

What configuration is missed which will enable ipsec to drop the tunnel established to the failed IP and to reestablish a new tunnel with the changed/updated dyndns hostname IP automatically.

Thanks
Thomas

The issue here seems to be, 'Local Host WAN IP' is not changing from the failed WAN IP to the failover WAN IP automatically.
the link https://redmine.pfsense.org/issues/13076 talks about the same issue and says an edit to rc.ipsec file fixes the issue.

But didn't get how to make that edit.

Hello Thomas,

Are you seeing attempts to re-establish the IPSec tunnel in the logs? It looks like, based on your screenshots, that your firewall is double NAT'ed.

The redmine you linked should be resolved in 2.7, which you stated in the bug report you are running, so that shouldn't affect you.

Hi Kris. thanks for the quick response. Yes, attempting. However on the failed WAN IP itself. Log file attached. What I am doing here is disabling the primary WAN interface(192.168.2.100) to test the failover. Is it the right way to do it ?

Actions #4

Updated by Jim Pingle 9 months ago

Thomas Simon wrote in #note-3:

Hi Kris. thanks for the quick response. Yes, attempting. However on the failed WAN IP itself. Log file attached. What I am doing here is disabling the primary WAN interface(192.168.2.100) to test the failover. Is it the right way to do it ?

That wouldn't replicate a real-world failure. What you should do is somehow prevent it from communicating out that WAN. For example, by unplugging the cable from the Fiber/Cable/Telco going to the CPE on that WAN. Unplugging the WAN is still different than the majority of WAN failures but also worth trying.

Disabling the interface is a much, much different code path that will not be remotely close to anything that would normally happen, and isn't a good test.

Actions #5

Updated by Georgiy Tyutyunnik 7 months ago

  • Related to Bug #14829: Multi-WAN Dynamic DNS does not fail over when preferred WAN loses link added
Actions #6

Updated by Jim Pingle 7 months ago

  • File 1087.diff added
  • Subject changed from IPSec with dual WAN to Multi-WAN IPsec does not fail over when preferred WAN loses link
  • Status changed from New to Pull Request Review
  • Assignee set to Jim Pingle
  • Target version set to 2.8.0
  • Plus Target Version set to 23.09

I have a fix for this coming, but it needs more testing.

Internal MR is https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/1087

Diff to test via system patches is attached.

Actions #7

Updated by Jim Pingle 6 months ago

  • File deleted (1087.diff)
Actions #8

Updated by Jim Pingle 6 months ago

  • Status changed from Pull Request Review to Feedback
  • % Done changed from 0 to 100
Actions #9

Updated by Jim Pingle 6 months ago

  • Status changed from Feedback to Resolved

I've tested this quite a bit since making the changes and it does work, though it takes time since it requires waiting on DNS updates and so on.

Actions #10

Updated by Jim Pingle 5 months ago

  • Target version changed from 2.8.0 to 2.7.1
Actions

Also available in: Atom PDF