OPNsense Forum

English Forums => General Discussion => Topic started by: maurotb on September 12, 2020, 06:57:26 PM

Title: IPSEC with two remote ip (primary/backup)
Post by: maurotb on September 12, 2020, 06:57:26 PM
I need to set up my OPNsense to make an IPsec VPN.
The remote firewall has two IPs, primary and backup.
In the GUI I can set only one IP; how can I make this setup?
Thanks
Title: Re: IPSEC with two remote ip (primary/backup)
Post by: mimugmail on September 12, 2020, 07:07:24 PM
Setup both and one disabled. No auto failover, this only works with OpenVPN
Title: Re: IPSEC with two remote ip (primary/backup)
Post by: maurotb on September 12, 2020, 09:12:11 PM
@mimugmail thanks
This is another big limit in a real enterprise deploy...  :-\
Title: Re: IPSEC with two remote ip (primary/backup)
Post by: mimugmail on September 12, 2020, 09:43:24 PM
In an enterprise you would use route based IPsec and a dynamic routing protocol (which is supported in OPN)
Title: Re: IPSEC with two remote ip (primary/backup)
Post by: banym on September 13, 2020, 12:21:25 AM
OPNsense comes with a lot of enterprise ready solutions. As mimugmail wrote, a setup for high available VPN would look different.
But be aware that for such uplinks you generally need to pay more money.
Title: Re: IPSEC with two remote ip (primary/backup)
Post by: rainerle on September 13, 2020, 12:10:30 PM
Maybe I am wrong, but this is how I would try to do that:
- Set up two separate IPsec connections for each destination IP where phase 2 is then route-based. Phase 1 has to use dead peer detection (DPD)
- This should create two network interfaces
- Create two gateways - one for each IPsec remote address on phase 2
- Group the two gateways into a gateway group
- Use the gateway group in your routes and policies.

I am interested if this setup actually works. Please confirm if you have tried...

Thanks
Rainer
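The two-connection, route-based setup rainerle describes (and the open-standards route-based approach mimugmail recommends), written out as a strongSwan swanctl.conf fragment. OPNsense drives strongSwan underneath, but this is an added example for this thread, not configuration generated by OPNsense or posted by anyone here. Every address is from the RFC 5737 documentation ranges, the connection names, reqids and pre-shared key are placeholders, and the interface commands in the comments assume the FreeBSD if_ipsec(4) route-based model that OPNsense uses.

```conf
# Added example: two IKEv2 connections, one to the peer's primary and one to
# its backup address, each carrying a route-based (wildcard selector) child SA.
# Addresses are RFC 5737 documentation ranges; the PSK is a placeholder.
connections {
    peer-primary {
        version = 2
        local_addrs  = 203.0.113.10        # our WAN address (placeholder)
        remote_addrs = 198.51.100.1        # their primary address (placeholder)
        # Dead peer detection: probe an idle IKE SA every 30s; when the peer
        # stops answering, the SA is torn down and the child's dpd_action runs.
        dpd_delay = 30s
        proposals = aes256-sha256-modp2048
        local {
            auth = psk
            id = 203.0.113.10
        }
        remote {
            auth = psk
            id = 198.51.100.1
        }
        children {
            tunnel-primary {
                # Wildcard traffic selectors: the routing table, not the SA
                # policy, decides what enters the tunnel (route-based IPsec).
                local_ts  = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                reqid = 1                  # ties this SA to ipsec1 (see below)
                esp_proposals = aes256-sha256-modp2048
                start_action = start       # initiate at load time
                dpd_action   = restart     # re-initiate after a DPD timeout
            }
        }
    }
    peer-backup {
        version = 2
        local_addrs  = 203.0.113.10
        remote_addrs = 198.51.100.2        # their standby address (placeholder)
        dpd_delay = 30s
        proposals = aes256-sha256-modp2048
        local {
            auth = psk
            id = 203.0.113.10
        }
        remote {
            auth = psk
            id = 198.51.100.2
        }
        children {
            tunnel-backup {
                local_ts  = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                reqid = 2                  # ties this SA to ipsec2 (see below)
                esp_proposals = aes256-sha256-modp2048
                start_action = start
                dpd_action   = restart
            }
        }
    }
}

secrets {
    # One PSK entry per remote identity (placeholder values).
    ike-primary {
        id = 198.51.100.1
        secret = "REPLACE-WITH-REAL-PSK"
    }
    ike-backup {
        id = 198.51.100.2
        secret = "REPLACE-WITH-REAL-PSK"
    }
}

# Assumed interface binding on the FreeBSD side (if_ipsec(4)); the tunnel
# addresses 10.255.0.0/30 and 10.255.0.4/30 are made up for the example:
#   ifconfig ipsec1 create reqid 1
#   ifconfig ipsec1 tunnel 203.0.113.10 198.51.100.1
#   ifconfig ipsec1 inet 10.255.0.1 10.255.0.2
#   ifconfig ipsec2 create reqid 2
#   ifconfig ipsec2 tunnel 203.0.113.10 198.51.100.2
#   ifconfig ipsec2 inet 10.255.0.5 10.255.0.6
```

With the two interfaces up, each gets a gateway whose monitor address is the far end of its tunnel subnet (10.255.0.2 and 10.255.0.6 in this example), and the two gateways go into one gateway group with the primary at a lower tier than the backup. Because both connections use start_action = start, the backup IKE SA keeps retrying against the standby address for as long as that peer stays passive, which is exactly the behaviour maurotb and rainerle discuss: it does no harm, the gateway monitor simply marks that gateway down until the peer starts answering, and the group routes through whichever tunnel is alive.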
Title: Re: IPSEC with two remote ip (primary/backup)
Post by: maurotb on September 13, 2020, 06:39:21 PM
@mimugmail @banym
Maybe I haven't explained myself.
My OPNsense is connected to two lines with BGP; I have no problems with HA.
I need to connect to an external company that uses a Cisco ASA,
wants to create an IPsec VPN and has 2 internet lines in Active / Standby.
Obviously, being an external company, I cannot impose an OpenVPN configuration (Cisco ASA does not support it),
and firewalls normally support dual peer active / standby.

@rainerle
In this way I believe that OPNsense tries to activate both IKEs, while they should be active / standby, right?
Title: Re: IPSEC with two remote ip (primary/backup)
Post by: rainerle on September 13, 2020, 07:45:18 PM
Yes, it will try to activate both IKEs. If one of their sides is really passive and you choose the gateway check on your side correctly, the gateway group with the respective routing should then route the traffic through the active line.

If they are the ones establishing the link and you are just the responder - that would make things easier for you. But then they have to make sure that the link is always up. 
Title: Re: IPSEC with two remote ip (primary/backup)
Post by: banym on September 13, 2020, 07:50:01 PM
Do you have both BGP uplinks connected to one OPNsense?
Title: Re: IPSEC with two remote ip (primary/backup)
Post by: mimugmail on September 13, 2020, 08:07:44 PM
Quote from: maurotb on September 13, 2020, 06:39:21 PM
@mimugmail @banym
Maybe I haven't explained myself.
My OPNsense is connected to two lines with BGP; I have no problems with HA.
I need to connect to an external company that uses a Cisco ASA,
wants to create an IPsec VPN and has 2 internet lines in Active / Standby.
Obviously, being an external company, I cannot impose an OpenVPN configuration (Cisco ASA does not support it),
and firewalls normally support dual peer active / standby.

@rainerle
In this way I believe that OPNsense tries to activate both IKEs, while they should be active / standby, right?

TBH ... the active / backup peer solution from Cisco is proprietary to itself, you can also do this with Palo Alto, but you can't do this when connecting Palo Alto to Cisco.

If you want to use open standards, use route-based IPsec, which the ASA supports, and then run a routing protocol inside, also supported by the ASA (and IOS of course).
Title: Re: IPSEC with two remote ip (primary/backup)
Post by: Rhin0 on August 07, 2024, 02:33:54 PM
To configure an IPsec connection on OPNsense with two remote IP addresses (primary and backup), here is a solution proposed by the community:

- Configure two separate IPsec connections, one for each destination IP address, with a route-based phase 2 and dead peer detection (DPD) enabled.
- Create two gateways, one for each remote IP address.
- Group these two gateways into a gateway group.
- Use this gateway group in your routes and policies to provide automatic failover.

You will find more information at the following link: https://cyberopti.com/guide-de-configuration-dun-switch-cisco/
Title: Re: IPSEC with two remote ip (primary/backup)
Post by: Rhin0 on August 07, 2024, 02:34:17 PM
This message is to be deleted.