Bug #9444
closed
Multi-WAN IPsec does not fail over with Gateway Group, needs restart
Added by Mouad Mimouni about 6 years ago.
Updated over 5 years ago.
Description
When a gateway group is configured on an IPsec interface and pfSense loses its connection on the primary WAN, the internet failover mechanism works, but not for IPsec.
After some debugging, I logged into the pfSense command line and found that the IPsec service does not restart when its interface settings change.
So an IPsec restart is enough to reset the tunnel with the right interface.
I think it's a big pfSense bug.
There isn't enough information here to speculate as to the cause or fix. It isn't normal to need an IPsec restart in that case, but it may be due to the type of WAN interface used for IPsec here.
Try the attached patch, see if it helps.
- Subject changed from Multi-WAN IPsec to Multi-WAN IPsec does not fail over with Gateway Group, needs restart
- Description updated (diff)
Jim Pingle wrote:
There isn't enough information here to speculate as to the cause or fix. It isn't normal to need an IPsec restart in that case, but it may be due to the type of WAN interface used for IPsec here.
Try the attached patch, see if it helps.
Thank you for your reply
I have a WAN1 interface with a public IP address and a WAN2 interface with a private IP address.
I applied the changes; do I need to restart pfSense?
Jim Pingle wrote:
There isn't enough information here to speculate as to the cause or fix. It isn't normal to need an IPsec restart in that case, but it may be due to the type of WAN interface used for IPsec here.
Try the attached patch, see if it helps.
I tried your patch but it does not work; the VPN does not restart and still keeps its tunnel on interface WAN1 while it is down.
Mouad Mimouni wrote:
Jim Pingle wrote:
There isn't enough information here to speculate as to the cause or fix. It isn't normal to need an IPsec restart in that case, but it may be due to the type of WAN interface used for IPsec here.
Try the attached patch, see if it helps.
I tried your patch but it does not work; the VPN does not restart and still keeps its tunnel on interface WAN1 while it is down.
After several searches I managed to set up the VPN failover using DynDNS, but the failover only completes after about 3 minutes. Is there no parameter to adjust this?
3 minutes sounds about right for a DNS-based changeover. It takes time for DNS updates to propagate and be noticed. There are other techniques (VTI with dynamic routing), but discussing such things is out of scope here. If you need configuration assistance, post to the forum or pfSense subreddit.
- Status changed from New to Closed