Bug #14626
closed
Multi-WAN IPsec does not fail over when preferred WAN loses link
Added by Thomas Simon over 1 year ago.
Updated about 1 year ago.
Plus Target Version:
23.09
Description
Hi
I have a site-to-site VPN over IPsec between HO and a branch office. Now I have added one more WAN connection to the branch-side pfSense. DynDNS with a gateway group is configured and everything works as expected. DynDNS updates the failover gateway IP immediately with the help of a cron job which runs every minute.
On the HO pfSense, in IPsec phase 1, the remote gateway is configured as the branch's DynDNS hostname.
However, a failover never happens and IPsec will not automatically connect to the newly updated DynDNS hostname IP. If the branch-side pfSense is rebooted, the connection will be established.
What configuration is missing that will enable IPsec to drop the tunnel established to the failed IP and automatically re-establish a new tunnel with the changed/updated DynDNS hostname IP?
Thanks
Thomas
The issue here seems to be that 'Local Host WAN IP' is not changing from the failed WAN IP to the failover WAN IP automatically.
The link https://redmine.pfsense.org/issues/13076 talks about the same issue and says an edit to the rc.ipsec file fixes the issue.
But I didn't get how to make that edit.
Hello Thomas,
Are you seeing attempts to re-establish the IPsec tunnel in the logs? It looks like, based on your screenshots, that your firewall is double-NATed.
The redmine you linked should be resolved in 2.7, which you stated in the bug report you are running, so that shouldn't affect you.
Hi Kris, thanks for the quick response. Yes, it is attempting, however on the failed WAN IP itself. Log file attached. What I am doing here is disabling the primary WAN interface (192.168.2.100) to test the failover. Is it the right way to do it?
That wouldn't replicate a real-world failure. What you should do is somehow prevent it from communicating out that WAN. For example, by unplugging the cable from the Fiber/Cable/Telco going to the CPE on that WAN. Unplugging the WAN is still different from the majority of WAN failures but also worth trying.
Disabling the interface is a much, much different code path that will not be remotely close to anything that would normally happen, and isn't a good test.
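To spot the two symptoms in this thread from the IPsec log alone (#note-3: initiation attempts that keep going to the address the DynDNS name no longer points at; #note-1: the local WAN address not moving to the failover WAN), here is an added example that is not from the bug report or from pfSense. It scans charon-style log lines and flags IKE_SA attempts whose peer or local address differs from the address you expect; the log sample, connection name and addresses are constructed, and the expected addresses are passed in rather than resolved so it runs offline.

```python
import re
import ipaddress

# Constructed sample of strongSwan (charon) lines as they appear in the pfSense
# IPsec log. The format is modelled on charon's usual output; the addresses are
# documentation ranges, not values from the bug report.
SAMPLE_LOG = """\
Sep 18 10:01:02 charon[5201]: 09[IKE] <con1000|7> initiating IKE_SA con1000[7] to 203.0.113.10
Sep 18 10:01:02 charon[5201]: 09[NET] <con1000|7> sending packet: from 198.51.100.2[500] to 203.0.113.10[500] (464 bytes)
Sep 18 10:01:06 charon[5201]: 12[IKE] <con1000|7> retransmit 1 of request with message ID 0
Sep 18 10:02:02 charon[5201]: 14[IKE] <con1000|8> initiating IKE_SA con1000[8] to 203.0.113.10
Sep 18 10:02:02 charon[5201]: 14[NET] <con1000|8> sending packet: from 198.51.100.2[500] to 203.0.113.10[500] (464 bytes)
"""

IP = r"[0-9a-fA-F.:]+"
# "<conn|ike_sa_id> initiating IKE_SA conn[id] to <peer>"
INIT_RE = re.compile(rf"<(?P<conn>[^|>]+)\|\d+> initiating IKE_SA \S+ to (?P<peer>{IP})")
# "<conn|ike_sa_id> sending packet: from <local>[port] to <peer>[port]"
SEND_RE = re.compile(
    rf"<(?P<conn>[^|>]+)\|\d+> sending packet: from (?P<local>{IP})\[\d+\] to (?P<peer>{IP})\[\d+\]"
)


def audit_ike_addresses(log_text, expected_local, expected_peer):
    """Compare every IKE_SA attempt in the log with the addresses that should be
    in use now: expected_peer is what the remote DynDNS hostname currently
    resolves to, expected_local is the WAN address of the gateway group's active
    member. Returns the attempts that still use a different (stale) address."""
    want_local = ipaddress.ip_address(expected_local)
    want_peer = ipaddress.ip_address(expected_peer)
    report = {"stale_peer": [], "stale_local": []}
    for line in log_text.splitlines():
        m = INIT_RE.search(line)
        if m and ipaddress.ip_address(m.group("peer")) != want_peer:
            report["stale_peer"].append((m.group("conn"), m.group("peer")))
        m = SEND_RE.search(line)
        if m and ipaddress.ip_address(m.group("local")) != want_local:
            report["stale_local"].append((m.group("conn"), m.group("local")))
    return report


if __name__ == "__main__":
    # DynDNS has moved the branch to 203.0.113.20, yet charon keeps initiating
    # to 203.0.113.10: exactly the stuck-on-the-failed-IP behaviour reported.
    print(audit_ike_addresses(SAMPLE_LOG, "198.51.100.2", "203.0.113.20"))
```

Run it against the real IPsec log with the current DNS answer for the peer hostname as expected_peer; a non-empty stale_peer list on the HO side, or a non-empty stale_local list on the branch side, means the tunnel has not followed the failover.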
- Related to Bug #14829: Multi-WAN Dynamic DNS does not fail over when preferred WAN loses link added
- File 1087.diff added
- Subject changed from IPSec with dual WAN to Multi-WAN IPsec does not fail over when preferred WAN loses link
- Status changed from New to Pull Request Review
- Assignee set to Jim Pingle
- Target version set to 2.8.0
- Plus Target Version set to 23.09
- Status changed from Pull Request Review to Feedback
- % Done changed from 0 to 100
- Status changed from Feedback to Resolved
I've tested this quite a bit since making the changes and it does work, though it takes time since it requires waiting on DNS updates and so on.
- Target version changed from 2.8.0 to 2.7.1