OPNsense Forum

Archive => 15.7 Legacy Series => Topic started by: reep on October 18, 2015, 04:48:47 pm

Title: VPN ipsec trunk
Post by: reep on October 18, 2015, 04:48:47 pm
A feature I miss badly from my Draytek 3300s is VPN trunking over ipsec which gives automatic failover across my WAN links.

Is this possible in Opnsense ?

B. Rgds
John
Title: Re: VPN ipsec trunk
Post by: lucifercipher on October 20, 2015, 10:51:13 am
Anything is almost possible. It's just that things work differently, and instead of one click / step, you end up setting up 2 or 3 things for that.
Title: Re: VPN ipsec trunk
Post by: franco on October 23, 2015, 08:38:14 am
Hi John,

Isn't this a premium feature by some overly expensive companies, e.g. https://www.viprinet.com/ ?

Do you know of any open source that does this? I don't think so, but I can be wrong.


Cheers,
Franco
Title: Re: VPN ipsec trunk
Post by: reep on November 06, 2015, 09:46:06 pm
Hi Franco,

I currently use it on my Draytek 3300s. It's one cool feature and something I am finding hard to do without.

I believe it can be implemented in Linux.... either as failover or as a proper trunk - you use GRE over IPsec. It is clearly possible. I'd be happy to work on it with you as there doesn't seem to be much else out there and it would be a bit of a killer feature for you!

I'll certainly have a read around if you are interested....

B. Rgds
John

Sent from my SM-G920F using Tapatalk

Title: Re: VPN ipsec trunk
Post by: franco on November 06, 2015, 09:48:09 pm
John, that would be totally awesome to get into OPNsense. Count me in. :)
Title: Re: VPN ipsec trunk
Post by: reep on November 08, 2015, 07:59:02 am
John, that would be totally awesome to get into OPNsense. Count me in. :)

Hehehe...

OK, after a quick search, some reading for starters....

http://lartc.org/lartc.html#LARTC.TUNNEL.GRE
http://www.myitnotes.info/doku.php?id=en:jobs:vpn_gre_over_ipsec
https://forum.ivorde.com/linux-site-to-site-gre-over-ipsec-vpn-tunnels-using-racoon-kame-ipsec-tools-t19531.html

Plenty more on the subject out there. I think half of the job is done if you have IPSEC connections already set up and working.

Effectively you create your IPsec tunnels and then add them into the trunk. Here are some pics from my 3300. This is repeated at the other end in reverse.

http://picpaste.com/IpsecPolicy-EJtbITCe.png
http://picpaste.com/IpsecTrunkGroup-6jrZjmaM.png
http://picpaste.com/IpsecTrunkSetup-lAeSWHOQ.png

You can weight the routes to bond them, or run Master/Slave type arrangement.

As you mention, it does tend to be something found on higher-end stuff. From what I can see none of the other distros do it out of the box easily. I think Zeroshell does, or did, but not with IPsec. Endian doesn't. Possibly Sophos does. So it makes a nice unique feature for you :-)

I guess we should open an issue on GitHub?

B. Rgds
John
Title: Re: VPN ipsec trunk
Post by: reep on November 09, 2015, 12:21:11 am
I missed some more settings:

http://picpaste.com/IpsecTrunkSettings-ouV1bBgC.png

On the Draytek 3300 you basically do the following, assuming I have two WAN IPs at each end - A & B at one end and C & D at the other:

Create IPSEC <Trunk One>

DPD Delay 2 secs
DPD Timeout 4 secs

<Local GRE IP> <Local WAN IP A> <!ipsec tunnel!> <Remote WAN IP C> <Remote GRE IP>


Create IPSEC <Trunk Two>

<Local GRE IP> <Local WAN IP B> <!ipsec tunnel!> <Remote WAN IP D> <Remote GRE IP>

DPD Delay 2 secs
DPD Timeout 4 secs



The GRE IPs are an imaginary net that each end of the trunk is joined by

Create Group Route - the networks you actually want to join:

                         <Trunk One>
<Local Subnet>                        <Remote Subnet>
                         <Trunk Two>

You could add multiple trunks in

e.g.

A - C
B - D
A - D
B - C

On the Draytek in the Groups section you can then either run them as load balanced or as backup/failover

I have been trying to get my head round how you write the routes - never my strong point !

I think this page holds the key, but you need to effectively create the IPSEC connection between the WAN IPs first :

http://www.lartc.org/lartc.html#AEN337


Bearing in mind you have the IPSEC stuff up and running I don't think it would be too hard to implement this. Just needs some head scratching !

Hope that makes sense.

B. Rgds
John
Title: Re: VPN ipsec trunk
Post by: reep on November 09, 2015, 03:04:18 pm
OK, a bit more research - I couldn't figure out if the Draytek did IPSEC over GRE or GRE over IPSEC.

Reading these it is clear that it does GRE over IPSEC

http://www.draytek.com/index.php?option=com_k2&view=itemlist&task=category&id=128&Itemid=293&lang=en

This PDF has a nice diagram to show it

http://www.draytek.com/index.php?option=com_k2&view=item&id=2046&Itemid=293&lang=en

I think the link above to myitnotes.info is worth a look - if you get one tunnel up it would be easy enough to add more, I guess, and they show the basics of how to do that. Trying to think how to test this, as IPSEC is fussy with IPs and I have a very limited number which are all in production.

B. Rgds
John
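As an added example (not code from this thread, from Draytek, or from OPNsense), here is the GRE-over-IPsec trunk described in the two posts above rendered as a Linux shell script, since the LARTC pages John links are Linux: strongSwan conn blocks for the two transport-mode SAs (WAN A to C, WAN B to D), a GRE tunnel inside each SA, and routes to the remote LAN over both tunnels in either of the two Draytek group styles, weighted or primary/backup. Every address is constructed from RFC 5737 documentation ranges, and the conn and device names (trunk-one, gre1, ...) are assumptions. The script only prints the configuration as a dry run rather than applying it.

```shell
#!/bin/sh
# Linux rendition of the Draytek "IPsec trunk" recipe from the thread:
# two IPsec SAs (WAN A<->C, WAN B<->D) in transport mode protecting GRE,
# one GRE tunnel inside each SA, and routes to the remote LAN over both GRE
# tunnels, either weighted (load balanced) or primary/backup. Prints the
# configuration as a dry run; the far end runs the mirror image.
# All addresses are constructed from RFC 5737 documentation ranges.
set -eu

REMOTE_LAN=10.2.0.0/24                            # the network to reach
WAN_A=198.51.100.1;  WAN_B=192.0.2.1              # local uplinks A and B
WAN_C=203.0.113.1;   WAN_D=203.0.113.129          # remote uplinks C and D
# The "imaginary" GRE nets joining the trunk ends, one /30 per trunk.
GRE1_LOCAL=172.16.255.1; GRE1_REMOTE=172.16.255.2
GRE2_LOCAL=172.16.255.5; GRE2_REMOTE=172.16.255.6

# strongSwan ipsec.conf block for one trunk member (assumed names). Transport
# mode suffices because GRE is the tunnel; protoport 47 pins the SA to GRE so
# nothing else between the WAN IPs rides it. dpddelay=2s mirrors the Draytek
# setting; dpdtimeout is honoured for IKEv1 only (IKEv2 uses the retransmission
# timeout instead); dpdaction=restart re-establishes a dead SA. The PSK lives
# in ipsec.secrets (not shown); certificates would be the stronger choice.
ipsec_conf() {  # conn_name local_wan remote_wan
    cat <<EOF
conn $1
    keyexchange=ikev2
    type=transport
    left=$2
    right=$3
    leftprotoport=47
    rightprotoport=47
    authby=psk
    dpddelay=2s
    dpdtimeout=4s
    dpdaction=restart
    auto=start
EOF
}

# GRE tunnel between the WAN pair, numbered from its /30. MTU is lowered for
# the 24-byte GRE header plus ESP transport overhead so inner packets do not
# fragment.
gre_commands() {  # dev local_wan remote_wan local_gre_ip
    echo "ip tunnel add $1 mode gre local $2 remote $3 ttl 64"
    echo "ip addr add $4/30 dev $1"
    echo "ip link set $1 mtu 1400 up"
}

# Static routes to the remote LAN, in the two styles the Draytek group offers.
route_commands() {  # balance|failover
    case $1 in
    balance)   # ECMP: the kernel hashes flows over both trunks; tune weights
        echo "ip route replace $REMOTE_LAN nexthop via $GRE1_REMOTE dev gre1 weight 1 nexthop via $GRE2_REMOTE dev gre2 weight 1" ;;
    failover)  # trunk one preferred while its route is installed
        echo "ip route replace $REMOTE_LAN via $GRE1_REMOTE dev gre1 metric 10"
        echo "ip route replace $REMOTE_LAN via $GRE2_REMOTE dev gre2 metric 20" ;;
    *) echo "unknown mode $1" >&2; return 1 ;;
    esac
}

# Caveat: GRE carries no link state. gre1 stays UP after its IPsec SA is gone,
# so metric-based failover alone never switches. A keepalive across the GRE
# net (or a routing daemon over the tunnels) has to decide which trunk is live.
probe_trunk() {  # remote_gre_ip -> up|down
    if ping -c 1 -W 1 "$1" >/dev/null 2>&1; then echo up; else echo down; fi
}
pick_trunk() {  # trunk1_state trunk2_state -> gre1|gre2|none
    if [ "$1" = up ]; then echo gre1
    elif [ "$2" = up ]; then echo gre2
    else echo none
    fi
}
failover_route() {  # gre1|gre2|none -> the route command to apply now
    case $1 in
    gre1) echo "ip route replace $REMOTE_LAN via $GRE1_REMOTE dev gre1" ;;
    gre2) echo "ip route replace $REMOTE_LAN via $GRE2_REMOTE dev gre2" ;;
    # Both trunks dead: blackhole the prefix instead of deleting the route,
    # otherwise LAN traffic for the far side would leave via the default route
    # in the clear.
    *)    echo "ip route replace blackhole $REMOTE_LAN" ;;
    esac
}
# One failover cycle: probe both far GRE addresses, then install the route.
failover_cycle() {
    failover_route "$(pick_trunk "$(probe_trunk "$GRE1_REMOTE")" "$(probe_trunk "$GRE2_REMOTE")")"
}

plan() {  # mode -> full dry-run output; run the ip lines as root to apply
    ipsec_conf trunk-one "$WAN_A" "$WAN_C"
    ipsec_conf trunk-two "$WAN_B" "$WAN_D"
    gre_commands gre1 "$WAN_A" "$WAN_C" "$GRE1_LOCAL"
    gre_commands gre2 "$WAN_B" "$WAN_D" "$GRE2_LOCAL"
    route_commands "$1"
}

plan "${TRUNK_MODE:-balance}"
```

Run it as `TRUNK_MODE=failover sh trunk.sh`: the conn blocks go into /etc/ipsec.conf, the ip lines are run as root, and failover_cycle is what a cron job or loop would call every couple of seconds to mimic the Draytek's DPD-driven switch. The layering is the same on FreeBSD-based OPNsense (strongSwan for the SAs, a gre interface inside each, static or dynamic routes on top), only the interface and route commands differ.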
Title: Re: VPN ipsec trunk
Post by: reep on November 09, 2015, 08:30:31 pm
Just reinstalled tonight to play (still can't get a route out, but that's another story) and can see you have a GRE tunnel setup, so I guess you have all the bits there to do it... just a case of bolting it together.

Will play more tomorrow, if I can get the damn thing to connect !!!

B. Rgds
John

Sent from my SM-G850F using Tapatalk