Bug #9444

closed

Multi-WAN IPsec does not fail over with Gateway Group, needs restart

Added by Mouad Mimouni about 5 years ago. Updated over 4 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
IPsec
Target version:
-
Start date:
03/31/2019
Due date:
% Done:
0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
Affected Architecture:

Description

When a gateway group is configured on the IPsec interface and pfSense loses the connection on its primary WAN, the internet failover mechanism works, but not for IPsec.

Files

ipsec-force-reload.diff (419 Bytes) - Jim Pingle, 04/01/2019 10:51 AM
Actions #1

Updated by Mouad Mimouni about 5 years ago

After some debugging, I logged into the pfSense command line and found that the IPsec service does not restart when it changes its interface settings.
So an ipsec restart is enough to reset the tunnel with the right interface.
I think it's a big pfSense bug.
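
The stale-binding condition described in this comment, as an added check script that is not part of the original report or of pfSense itself: it parses an IKE SA listing in the style of strongSwan's `ipsec statusall` (output format assumed; the sample below is constructed) and flags any established SA whose local address is not the address of the currently active gateway.

```shell
#!/bin/sh
# Added example: detect IKE SAs still bound to a WAN address that the
# gateway group has failed away from. SAMPLE_STATUS is constructed in the
# style of strongSwan's "ipsec statusall" (assumed format); on a live box
# pass the real command output instead.

SAMPLE_STATUS='Security Associations (1 up, 0 connecting):
        con1[3]: ESTABLISHED 2 hours ago, 203.0.113.10[203.0.113.10]...198.51.100.5[198.51.100.5]
        con1{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1a2b3c4_i d5e6f7a8_o
        con1{1}:   10.0.1.0/24 === 10.0.2.0/24'

# Print the local address of every ESTABLISHED IKE SA, one per line.
# The local address is the text after "ago, " up to the first '['.
ike_sa_local_addrs() {
    printf '%s\n' "$1" | awk '/ESTABLISHED/ {
        sub(/^.*ago, /, ""); sub(/\[.*$/, ""); print }'
}

# Return 0 when every established IKE SA uses the expected (currently
# active) WAN address, 1 when at least one SA is still bound to another
# address: the condition that needed "ipsec restart" in this report.
check_ipsec_binding() {
    status_text=$1
    active_addr=$2
    stale=0
    for addr in $(ike_sa_local_addrs "$status_text"); do
        if [ "$addr" != "$active_addr" ]; then
            echo "IKE SA bound to $addr but active gateway is $active_addr" >&2
            stale=1
        fi
    done
    return $stale
}

# Usage on a pfSense box (ACTIVE_WAN_IP taken from the gateway group's
# current active member): check_ipsec_binding "$(ipsec statusall)" "$ACTIVE_WAN_IP"
```

Run it from a gateway-group event or a cron job; a non-zero exit is the signal that the tunnel did not follow the failover.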

Actions #2

Updated by Jim Pingle about 5 years ago

There isn't enough information here to speculate as to the cause or fix. It isn't normal to need an IPsec restart in that case, but it may be due to the type of WAN interface used for IPsec here.

Try the attached patch, see if it helps.

Actions #3

Updated by Jim Pingle about 5 years ago

  • Subject changed from Multi-WAN IPsec to Multi-WAN IPsec does not fail over with Gateway Group, needs restart
  • Description updated (diff)
Actions #4

Updated by Mouad Mimouni about 5 years ago

Jim Pingle wrote:

There isn't enough information here to speculate as to the cause or fix. It isn't normal to need an IPsec restart in that case, but it may be due to the type of WAN interface used for IPsec here.

Try the attached patch, see if it helps.

Thank you for your reply.
I have a WAN1 interface with a public IP address and a WAN2 interface with a private IP address.
I applied the changes; do I need to restart pfSense?

Actions #5

Updated by Mouad Mimouni about 5 years ago

Jim Pingle wrote:

There isn't enough information here to speculate as to the cause or fix. It isn't normal to need an IPsec restart in that case, but it may be due to the type of WAN interface used for IPsec here.

Try the attached patch, see if it helps.

I tried your patch but it does not work: the VPN does not restart and still keeps its tunnel on the WAN1 interface while it is down.

Actions #6

Updated by Mouad Mimouni about 5 years ago

Mouad Mimouni wrote:

Jim Pingle wrote:

There isn't enough information here to speculate as to the cause or fix. It isn't normal to need an IPsec restart in that case, but it may be due to the type of WAN interface used for IPsec here.

Try the attached patch, see if it helps.

I tried your patch but it does not work: the VPN does not restart and still keeps its tunnel on the WAN1 interface while it is down.

After several searches I managed to set up VPN failover using DynDNS, but the failover only happens after about 3 min. Is there no parameter to adjust this?

Actions #7

Updated by Jim Pingle about 5 years ago

3 minutes sounds about right for a DNS-based changeover. It takes time for DNS updates to propagate and be noticed. There are other techniques (VTI with dynamic routing), but discussing such things is out of scope here. If you need configuration assistance, post to the forum or pfSense subreddit.

Actions #8

Updated by Jim Pingle over 4 years ago

  • Status changed from New to Closed