Bug #6370
open
IPsec bound to WAN gateway group and Dynamic DNS doesn't fail back tunnel to WAN on DDNS update
Added by Steven Perreau over 8 years ago.
Updated about 3 years ago.
Description
I first found this happening on 2.3, but waited until post upgrade on 2.3.1 and tested again extensively.
[[https://forum.pfsense.org/index.php?topic=112022.0]]
The tunnel only rebuilds back from WAN2 to WAN at reauth time.
Each firewall P1 "My identifier" set as "Dynamic DNS" and with the correct FQDN of that local firewall's FQDN.
I too have this issue in 2.3.2. Internet fails back to the primary interface, but IPsec does not always fail back to the primary interface. Dynamic DNS will get stuck on the failover interface. I wish the checkbox to reload IPsec on failover would be left there for cases when this breaks in different versions.
Tested with 2.3.4 - IPsec still does not fail back to primary until reauth.
A checkbox that forced IPsec to rebuild when Dynamic DNS changes, for the case where IPsec is bound to the same gateway group as Dynamic DNS, would be useful.
This is a real problem when the backup WAN is a high-cost or low-capacity link such as LTE/3G mobile. The objective is to rely on that link only as long as necessary, and then resume using the tier 1 link as soon as it is restored. With current behavior (2.4.5), when the primary WAN is restored, new traffic will resume over the primary link but IPsec traffic remains on the backup link. Need a way to force IPsec to reconnect in this scenario.
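As an added example (not code from pfSense or from anyone in this thread), the following cron-style check implements the "force IPsec to reconnect" workaround the comment above asks for: once the Dynamic DNS name again resolves to the primary WAN address but the running IKE SA is still anchored to another (backup) address, the SA is terminated and re-initiated so IKE re-binds to the now-active gateway. The FQDN `vpn.example.net`, the interface name `em0`, the IKE SA name `con1`, and the use of strongSwan's `swanctl` (pfSense 2.5 / Plus 21.x and later) are assumptions; the parsed `swanctl --list-sas` snippet in the comments is constructed, and the decision logic is kept in `needs_rebuild` so it can be exercised without the tunnel.

```shell
#!/bin/sh
# Added example: detect an IPsec SA stuck on the backup WAN after failback and
# force it to rebuild. Not part of pfSense; all names below are assumptions.

DDNS_FQDN="vpn.example.net"   # assumed: the "Dynamic DNS" P1 identifier FQDN
PRIMARY_IF="em0"              # assumed: primary WAN interface
IKE_NAME="con1"               # assumed: strongSwan IKE SA name for the tunnel

# Decide whether the tunnel must be rebuilt.
#   $1 = address the DDNS name currently resolves to
#   $2 = address on the primary WAN interface ("" if the link is down)
#   $3 = local address the established IKE SA is using ("" if no SA)
# Returns 0 (rebuild) only when DDNS already points at the primary WAN but the
# SA is still using a different local address, i.e. stuck on the backup link.
needs_rebuild() {
    ddns=$1; primary=$2; sa_local=$3
    [ -n "$ddns" ] || return 1            # DDNS not resolvable: do nothing
    [ -n "$primary" ] || return 1         # primary WAN down: stay on backup
    [ "$ddns" = "$primary" ] || return 1  # DDNS not yet updated: wait
    [ -n "$sa_local" ] || return 1        # no SA at all: let IKE handle it
    [ "$sa_local" != "$primary" ]         # SA still on a non-primary address
}

# Extract the local address from `swanctl --list-sas` text on stdin.
# Constructed sample of the line being parsed:
#   local  'vpn.example.net' @ 198.51.100.7[500]
parse_sa_local() {
    sed -n "s/^[[:space:]]*local[[:space:]].*@[[:space:]]*\([0-9.]*\)\[.*/\1/p" \
      | head -n 1
}

resolve_ddns() {
    # host(1) prints "vpn.example.net has address 203.0.113.10"
    host -t A "$DDNS_FQDN" 2>/dev/null | awk '/has address/ {print $NF; exit}'
}

primary_wan_addr() {
    ifconfig "$PRIMARY_IF" 2>/dev/null | awk '$1 == "inet" {print $2; exit}'
}

rebuild_if_stuck() {
    ddns=$(resolve_ddns)
    primary=$(primary_wan_addr)
    sa_local=$(swanctl --list-sas --ike "$IKE_NAME" 2>/dev/null | parse_sa_local)
    if needs_rebuild "$ddns" "$primary" "$sa_local"; then
        logger -t ipsec-failback \
          "DDNS=$ddns primary=$primary SA=$sa_local: rebuilding $IKE_NAME"
        # Tear the SA down and bring it back; IKE picks the current source
        # address for the gateway group, i.e. the restored primary WAN.
        swanctl --terminate --ike "$IKE_NAME"
        swanctl --initiate --ike "$IKE_NAME"
    fi
}

# Only act when invoked as `script.sh --check` (e.g. from cron every minute);
# sourcing the file just defines the functions.
if [ "${1:-}" = "--check" ]; then
    rebuild_if_stuck
fi
```

Run it from the Cron package at a short interval, after a Dynamic DNS update has had time to propagate; on the 2.3/2.4 releases discussed earlier in this thread strongSwan is driven by the `ipsec` stroke CLI instead, so the two `swanctl` calls would become `ipsec down` / `ipsec up` with the connection name. The script deliberately does nothing while the primary interface has no address or DDNS still points elsewhere, so it cannot flap the tunnel during the outage itself.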
More general feature request that would also solve this issue is at https://redmine.pfsense.org/issues/855
- Status changed from New to Confirmed
I see the same issue on 21.05
This may be fixed by #12315 -- please re-test on a current Plus 21.09 or CE 2.6.0 snapshot.