Feature #6384

closed

Allow IPSEC P1 to have 2 peer remote gateway IP addresses to allow VPN failover faster without requiring DDNS

Added by Steven Perreau over 8 years ago. Updated over 5 years ago.

Status:
Duplicate
Priority:
Normal
Assignee:
-
Category:
IPsec
Target version:
-
Start date:
05/22/2016
Due date:
% Done:
0%

Estimated time:
Plus Target Version:
Release Notes:

Description

The problem
  • IPsec tunnel failover with DDNS takes over 2.5 minutes.

Today, with DDNS and WAN gateway groups, a failover from WAN to WAN2 at site 1, or a failure of WAN at site 2 that requires rebuilding the tunnel from site 1 WAN to site 2 WAN2, takes 2.5 to 3 minutes. pfSense takes a little while to decide the WAN has failed (good, fine, we don't want flip-flopping WANs), then IPsec takes a while to start using WAN2, then Dynamic DNS takes a while to decide to update the DDNS entry to the WAN2 IP, and then the remote site must also agree on the new DDNS IP. My testing shows this always exceeds 2 minutes.

The Solution
SonicWALL (and others) allow Phase 1 to have TWO peer remote gateway IP addresses, and the peer identifier used can still be an FQDN or KeyID tag.

  • This makes for a much faster tunnel failover than using DDNS.
  • This reduces the overall complexity (no DDNS).
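As an added example, not part of this ticket and not pfSense's own configuration: the layout the request describes (two fixed peer addresses, name-based identities instead of DDNS) written directly in swanctl.conf syntax for strongSwan, the IKE daemon pfSense runs underneath its IPsec GUI. All addresses, identities, subnets and the PSK are placeholders. That strongSwan walks the remote_addrs list in order when IKE retransmits to the first address time out is my understanding of its behaviour and should be confirmed against the swanctl.conf man page for the strongSwan release in use.

```conf
# Added example (swanctl.conf fragment), not the ticket's or pfSense's config.
# Site 1 initiates to site 2, which has two WAN addresses.
connections {
    site2 {
        version = 2

        # Both of site 2's public addresses, primary WAN first.
        # Assumption: strongSwan tries these in order when retransmits to
        # the current address are exhausted; verify for your release.
        remote_addrs = 203.0.113.10, 198.51.100.20

        # local_addrs is left at its default (%any) so a WAN-to-WAN2 switch
        # at site 1 does not pin the IKE SA to a dead source address.

        # Identities are names, not addresses, so they stay valid whichever
        # WAN either side is currently using (the FQDN / KeyID tag idea).
        local {
            auth = psk
            id = fqdn:site1.example.com
        }
        remote {
            auth = psk
            id = keyid:site2
        }

        children {
            lan {
                local_ts  = 10.1.0.0/24
                remote_ts = 10.2.0.0/24
                # Bring the tunnel up at daemon start and re-initiate it
                # (possibly via the second address) when DPD declares the
                # peer dead, rather than waiting for traffic.
                start_action = start
                dpd_action   = restart
            }
        }

        # Dead peer detection: probe every 10 s so a dead path is noticed
        # in tens of seconds rather than minutes.
        dpd_delay = 10s
    }
}

secrets {
    ike-site2 {
        id-1   = fqdn:site1.example.com
        id-2   = keyid:site2
        secret = "replace-with-a-long-random-psk"
    }
}
```

The point of the fragment is the split between where the peer is reached (remote_addrs, two entries) and who the peer is (remote.id, one stable name), which is exactly what the DDNS-based setup conflates: with DDNS the address must change before the name resolves again, so the failover time is bounded below by the DNS update and TTL, whereas here the second address is known in advance and only the IKE retransmit and DPD timers are on the critical path.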