Bug #6370

IPsec bound to WAN gateway group and Dynamic DNS doesn't fail back tunnel to WAN on DDNS update

Added by Steven Perreau about 4 years ago. Updated about 1 month ago.

Status: New
Priority: Normal
Assignee: -
Category: IPsec
Target version: -
Start date: 05/19/2016
% Done: 0%
Affected Version: 2.3.1

Description

I first found this happening on 2.3, but waited until post upgrade on 2.3.1 and tested again extensively.
https://forum.pfsense.org/index.php?topic=112022.0
The tunnel only rebuilds back from WAN2 to WAN at reauth time.

Each firewall's P1 "My identifier" is set as "Dynamic DNS" with the correct FQDN of that local firewall.

History

#1 Updated by Josh H over 3 years ago

I too have this issue in 2.3.2. Internet fails back to primary interface but IPsec does not always fail back to primary interface. Dynamic DNS will get stuck on the failover interface. I wish the checkbox to reload IPsec on failover would be left there for cases when this breaks in different versions.

#2 Updated by Steven Perreau over 2 years ago

Tested with 2.3.4 - IPsec still does not fail back to primary until reauth.

A checkbox that forced IPsec to rebuild on Dynamic DNS changing when the IPSec is bound to the same gateway group as Dynamic DNS would be useful.

#3 Updated by Jim Pingle 12 months ago

See also: #8286

#4 Updated by Marc Hodgins about 1 month ago

This is a real problem when backup WAN is a high cost or low capacity link such as LTE/3G mobile. The objective is to rely on the link only as long as necessary, and then resume using tier 1 link as soon as it is restored. With current behavior (2.4.5), when primary WAN is restored, new traffic will resume over the primary link but IPSec traffic remains on the backup link. Need a way to force IPSec to reconnect in this scenario.

More general feature request that would also solve this issue is at https://redmine.pfsense.org/issues/855
