
Bug #9444

Multi-WAN IPsec does not fail over with Gateway Group, needs restart

Added by Mouad Mimouni about 2 months ago. Updated about 2 months ago.

Status: New
Priority: Normal
Assignee: -
Category: IPsec
Target version: -
Start date: 03/31/2019
Due date:
% Done: 0%
Estimated time:
Affected Version:
Affected Architecture:

Description

When a gateway group is configured on the IPsec interface and pfSense loses the connection on its primary WAN, the internet failover mechanism works, but not for IPsec.

Attachment: ipsec-force-reload.diff (419 Bytes), added by Jim Pingle, 04/01/2019 10:51 AM

History

#1 Updated by Mouad Mimouni about 2 months ago

After some debugging, I logged into the pfSense command line and found that the IPsec service does not restart when it changes its interface settings.
So an IPsec restart is enough to reset the tunnel with the right interface.
I think it's a big pfSense bug.
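An added check (example code, not from the ticket or from pfSense) that parses strongSwan's `ipsec statusall` output to detect the condition described in this post: an established IKE SA still bound to a WAN address the gateway group no longer selects. The connection name and addresses are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the ticket or pfSense: detect the failure mode reported
# here, an IKE SA still bound to the old WAN address after the gateway group has
# already moved to another WAN. Assumes strongSwan's `ipsec statusall` output
# format; the connection name and addresses below are constructed sample data.

# Constructed `ipsec statusall` excerpt: con1000 is up from WAN1 (203.0.113.10)
# although the gateway group has failed over to WAN2 (198.51.100.5).
SAMPLE_STATUS='Security Associations (1 up, 0 connecting):
    con1000[3]: ESTABLISHED 47 minutes ago, 203.0.113.10[203.0.113.10]...192.0.2.1[192.0.2.1]
    con1000{5}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1a2b3d4_i 9e8f7a6b_o
    con1000{5}:   10.0.0.0/24 === 172.16.0.0/24'

# Print "<conn> <local-address>" for every ESTABLISHED IKE SA in statusall text.
ike_sa_local_addrs() {
    printf '%s\n' "$1" | awk '/ESTABLISHED/ {
        conn = $1; sub(/\[.*$/, "", conn)           # "con1000[3]:" -> "con1000"
        n = split($0, f, "[ ,]+")
        for (i = 1; i <= n; i++)
            if (f[i] ~ /\.\.\./) {                  # "local[id]...remote[id]"
                addr = f[i]; sub(/\[.*$/, "", addr) # keep the local address only
                print conn, addr
            }
    }'
}

# Exit 0 (restart needed) when some IKE SA is not bound to the address the gateway
# group currently selects ($2); exit 1 when every SA already uses that address.
ipsec_stale_sas() {
    ike_sa_local_addrs "$1" | awk -v want="$2" '
        $2 != want { stale = 1; print $1 " bound to " $2 ", active WAN is " want }
        END { exit stale ? 0 : 1 }'
}

# On a live pfSense box (not run here) the check would drive the restart the
# reporter had to perform by hand:
#   ipsec_stale_sas "$(ipsec statusall)" "$ACTIVE_WAN_ADDR" && ipsec restart
if ipsec_stale_sas "$SAMPLE_STATUS" 198.51.100.5; then
    echo "stale IKE SA detected: an IPsec restart is required"
fi
```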

#2 Updated by Jim Pingle about 2 months ago

There isn't enough information here to speculate as to the cause or fix. It isn't normal to need an IPsec restart in that case, but it may be due to the type of WAN interface used for IPsec here.

Try the attached patch, see if it helps.

#3 Updated by Jim Pingle about 2 months ago

  • Subject changed from Multi-WAN IPsec to Multi-WAN IPsec does not fail over with Gateway Group, needs restart
  • Description updated (diff)

#4 Updated by Mouad Mimouni about 2 months ago

Jim Pingle wrote:

There isn't enough information here to speculate as to the cause or fix. It isn't normal to need an IPsec restart in that case, but it may be due to the type of WAN interface used for IPsec here.

Try the attached patch, see if it helps.

Thank you for your reply
I have a WAN1 interface with a public IP address and a WAN2 interface with a private IP address.
I applied the changes; do I need to restart pfSense?

#5 Updated by Mouad Mimouni about 2 months ago

Jim Pingle wrote:

There isn't enough information here to speculate as to the cause or fix. It isn't normal to need an IPsec restart in that case, but it may be due to the type of WAN interface used for IPsec here.

Try the attached patch, see if it helps.

I tried your patch but it does not work: the VPN does not restart and still keeps its tunnel on the WAN1 interface while it is down.

#6 Updated by Mouad Mimouni about 2 months ago

Mouad Mimouni wrote:

Jim Pingle wrote:

There isn't enough information here to speculate as to the cause or fix. It isn't normal to need an IPsec restart in that case, but it may be due to the type of WAN interface used for IPsec here.

Try the attached patch, see if it helps.

I tried your patch but it does not work: the VPN does not restart and still keeps its tunnel on the WAN1 interface while it is down.

After several searches I managed to set up the VPN failover using DynDNS, but the failover only completes after about 3 minutes. Is there no parameter to adjust this?

#7 Updated by Jim Pingle about 2 months ago

3 minutes sounds about right for a DNS-based changeover. It takes time for DNS updates to propagate and be noticed. There are other techniques (VTI with dynamic routing), but discussing such things is out of scope here. If you need configuration assistance, post to the forum or pfSense subreddit.
