OPNsense Forum

English Forums => Development and Code Review => Topic started by: jorgevisentini on July 17, 2017, 04:49:41 pm

Title: IPsec Failover project...
Post by: jorgevisentini on July 17, 2017, 04:49:41 pm
Hello everyone.

I would very much like to have the IPsec failover feature, as multiple enterprise distributions have it.

I believe this is a very important and essential feature that would make OPNsense stay above the other open-source distros on the market.

I do not know if the development staff is already thinking about implementing ...

I know that it is an advanced resource and very complicated to implement, but I am willing to participate in some project, since I really need this functionality ...

How can we start such a project? If there is anyone else interested, it would be better.

Thank you all!
Title: Re: IPsec Failover project...
Post by: franco on July 31, 2017, 08:54:09 am
Hi Jorge,

Most certainly this would be good to have. :)

I'll try to get a bit of feedback from our IPsec experts. Some use some form of failover already, but I remember you wanted to do state sync as well?

In the end it's all about minimum shippable improvements. We have to set a few goals and work on them one after the other to prevent a huge project that never gets finished.

Can you detail your ideas a bit to see where we can break it down into small gradual improvements?


Cheers,
Franco
Title: Re: IPsec Failover project...
Post by: mimugmail on July 31, 2017, 09:05:50 am
Hi,

what exactly do you expect OPN to do for IPsec HA?

I'm very experienced in Sophos and ASA, but they don't have predefined HA setups, especially when it comes to IKEv1.

Please have a look at: https://forum.opnsense.org/index.php?topic=5547.0
"ipsec: IKEv2 can handle multiple phase 1 with the same IP"

I'm using this feature with ASA in order to handle SAs based on the key-id field to separate connections. This would allow you to failover to X backup interfaces.

Perhaps this already fits your needs and just needs some documentation.
Title: Re: IPsec Failover project...
Post by: jorgevisentini on July 31, 2017, 04:22:26 pm
Hi.

Thank you for your attention!

I'm not talking about complete HA; this OPNsense already has via the CARP protocol.

What I am saying is this, although the idea is very simple, I believe that logic and development involve a lot of knowledge.

Let's say that both the head office and branch office have two links to the internet.

I would very much like to be able to create an IPsec failover that does the following:

If one of the links falls, IPsec or routing migrates to the other tunnel and vice versa, and for that we have some options.

For example:

1 - I have two IPsec tunnels, one on standby; in case the main tunnel falls, the second takes over.

2 - I have two tunnels and the two become active, and what controls is the routing with metrics.

I think it's like a Wan Failover Group, but with IPsec.
Title: Re: IPsec Failover project...
Post by: mimugmail on July 31, 2017, 04:31:05 pm
1) This would require to have a standby host which has to be implemented by Ad I'd guess

2) Works only with if_ipsec and Quagga inside, I don't know if this is possible within 17.7 or 18.1


ATM it only works with IKEv2 and redundant uplinks on the client side.
Title: Re: IPsec Failover project...
Post by: jorgevisentini on July 31, 2017, 04:49:29 pm
Mimugmail, I do not think I understand...

I believe I do not need another host, just two valid IPs for internet connection and yes, I would need to "know" the other guess.

I say this on the basis of having two OPNsenses, nor do I even think about doing this redundancy with another vendor.

This already exists with Sophos, Fortinet, Watchguard...

Ah, and this configuration in Sophos, for example, is created with IKEv1.
Title: Re: IPsec Failover project...
Post by: mimugmail on July 31, 2017, 06:38:37 pm
You did it with Sophos and Uplink Interfaces? Does this work stable? I tried it some time ago but wasn't working as expected.
Title: Re: IPsec Failover project...
Post by: jorgevisentini on July 31, 2017, 06:50:03 pm
Yes, it works perfectly.
There is only a minimal loss of packets in time that there is link loss, IPsec key exchange ... but on average it loses around 10~15 packets until the link goes up and everything is functional. It works automatically.

I tested both with Sophos UTM and XG, and Fortinet.
Title: Re: IPsec Failover project...
Post by: mimugmail on July 31, 2017, 08:10:16 pm
Ok, but this means we have to use if_ipsec which is currently not supported.
Title: Re: IPsec Failover project...
Post by: whitwye on July 31, 2017, 08:19:10 pm
> Please have a look at: https://forum.opnsense.org/index.php?topic=5547.0
> "ipsec: IKEv2 can handle multiple phase 1 with the same IP"
>
> I'm using this feature with ASA in order to handle SAs based on the key-id field to separate connections. This would allow you to failover to X backup interfaces.
>
> Perhaps this already fits your needs and just needs some documentation.
What would a rough sketch of the documentation look like? Whether or not this fits the OP's needs, it should fit mine, I think.
Title: Re: IPsec Failover project...
Post by: jorgevisentini on July 31, 2017, 08:21:27 pm
> Ok, but this means we have to use if_ipsec which is currently not supported.
I know.
But this functionality is not specific to StrongSwan, it does not have failover, we can read in its documentation.
This is a functionality implemented in the specific part of each product. Each one implements its logic and works together with Strongswan, Libreswan...
Title: Re: IPsec Failover project...
Post by: jorgevisentini on July 31, 2017, 08:35:59 pm
> > Please have a look at: https://forum.opnsense.org/index.php?topic=5547.0
> > "ipsec: IKEv2 can handle multiple phase 1 with the same IP"
> >
> > I'm using this feature with ASA in order to handle SAs based on the key-id field to separate connections. This would allow you to failover to X backup interfaces.
> >
> > Perhaps this already fits your needs and just needs some documentation.
> What would a rough sketch of the documentation look like? Whether or not this fits the OP's needs, it should fit mine, I think.

I did not read the documentation, but I think that this feature is for creating two or more tunnels with one IP only. I just think...
Title: Re: IPsec Failover project...
Post by: mimugmail on July 31, 2017, 09:44:53 pm
> > Ok, but this means we have to use if_ipsec which is currently not supported.
> I know.
> But this functionality is not specific to StrongSwan, it does not have failover, we can read in its documentation.
> This is a functionality implemented in the specific part of each product. Each one implements its logic and works together with Strongswan, Libreswan...

For each client with dynamic IP you set an own P1 with 0.0.0.0 as remote IP. Then you can separate with key-id, DN, whatever client supports.
Title: Re: IPsec Failover project...
Post by: mimugmail on July 31, 2017, 09:51:36 pm
> > Ok, but this means we have to use if_ipsec which is currently not supported.
> I know.
> But this functionality is not specific to StrongSwan, it does not have failover, we can read in its documentation.
> This is a functionality implemented in the specific part of each product. Each one implements its logic and works together with Strongswan, Libreswan...

Libreswan has its own interface support (software), and FreeBSD introduced with 11.0 if_ipsec (OS). Don't know how exactly Sophos does it, they also use strongswan, but the old version 4 (no IKEv2!!!). Also ASA e.g. introduced route based VPN very late.
Title: Re: IPsec Failover project...
Post by: mimugmail on July 31, 2017, 10:10:44 pm
I see this one timely more realistic (OPN to OPN):
https://github.com/opnsense/core/issues/952
Title: Re: IPsec Failover project...
Post by: jorgevisentini on July 31, 2017, 10:15:02 pm
> > > Ok, but this means we have to use if_ipsec which is currently not supported.
> > I know.
> > But this functionality is not specific to StrongSwan, it does not have failover, we can read in its documentation.
> > This is a functionality implemented in the specific part of each product. Each one implements its logic and works together with Strongswan, Libreswan...
>
> Libreswan has its own interface support (software), and FreeBSD introduced with 11.0 if_ipsec (OS). Don't know how exactly Sophos does it, they also use strongswan, but the old version 4 (no IKEv2!!!). Also ASA e.g. introduced route based VPN very late.
So... the only distribution I got to see the failover script was Sophos, in this case both UTM and XG and both are big scripts...
Title: Re: IPsec Failover project...
Post by: jorgevisentini on July 31, 2017, 10:19:30 pm
> I see this one timely more realistic (OPN to OPN):
> https://github.com/opnsense/core/issues/952
I've seen this post. Today I even use OpenVPN with redundancy for client and it works perfectly, although I have to add the second IP manually in the configuration file, but it would not apply in that case.
Title: Re: IPsec Failover project...
Post by: nzkiwi68 on August 07, 2017, 02:56:54 am
Hi.

First time post here, but I'm a very experienced network engineer with a particular bent on network security and firewalls. I come from a background of originally doing packet filters in routers, to a long time SonicWALL partner, then pfsense and now seriously looking at OPNsense.

What I desperately miss from SonicWALL days was their excellent IPsec failover.

I would change pfsense to OPNsense in a heartbeat if we can get a decent IPsec multi wan failover solution that works. This is what all the expensive brand name firewalls do well.

Consider this:
2 sites, siteMAIN and siteBRANCH
Both sites have dual WAN and clustered firewalls

With SonicWALL, it's possible to have the remote static IP address both loaded in phase1 for siteMAIN to siteBRANCH (WAN1 and WAN2) and vice versa. On WAN1 failing at either siteMAIN or siteBRANCH, IPsec rapidly heals and the tunnel continues working, I'm talking about losing only a few pings.
Also, just as critical, the state is NOT lost. I suspect SonicWALL (and others) cleverly do not drop nor reset state on a multi WAN IPsec tunnel.
Perhaps the mechanism is based around knowing the phase2 networks, state is not lost on phase2 local-remote networks.

I notice that using the current system of dynamic DNS to get around IPsec fail-over has some major shortcomings:
1. DDNS takes quite a while to detect and respond to fail-over, upwards of a minute
2. State is lost during the fail-over which wrecks telnet and SSH sessions and that causes network chaos

FreeBSD with pfsync, CARP and the multi WAN  is great. We just need a robust IPsec multi WAN fail-over.

Back to my example, and a bit more detail:

WANm1 fails at siteMAIN:
Title: Re: IPsec Failover project...
Post by: mimugmail on August 07, 2017, 06:05:58 am
@franco:

- Second dropdown list for "Interface backup" (in P1)
- Second dropdown list for "Remote backup gateway" (in P1)
- Adding a P1 remote X automatically creates a "far gateway" which is monitored via apinger
- IF local gateway of Interface (WAN primary) is down, change templating to IP of backup interface "left"
- IF far gateway is down leave left as is but change templating for "right"

I could imagine this is not too hard to setup .. but not sure if apinger works this way
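
The failover rules proposed in the post above, sketched as an added example that is not part of the original post and not OPNsense code. The `Monitor` and `Phase1` classes, the three-probe threshold, the rule that far-gateway probes are ignored while the local gateway is down, and the sample addresses are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

FAIL_THRESHOLD = 3  # assumption: consecutive lost probes before a gateway counts as down


@dataclass
class Monitor:
    """Consecutive-failure counter for one probed gateway."""
    fails: int = 0

    def record(self, reply_ok: bool) -> None:
        self.fails = 0 if reply_ok else self.fails + 1

    @property
    def down(self) -> bool:
        return self.fails >= FAIL_THRESHOLD


@dataclass
class Phase1:
    """Hypothetical phase 1 entry with the two proposed backup fields."""
    name: str
    left: str
    left_backup: str
    right: str
    right_backup: str
    local_gw: Monitor = field(default_factory=Monitor)
    far_gw: Monitor = field(default_factory=Monitor)

    def endpoints(self) -> tuple:
        # Local gateway down -> template the backup interface as "left".
        # Far gateway down -> keep "left", template the backup peer as "right".
        left = self.left_backup if self.local_gw.down else self.left
        right = self.right_backup if self.far_gw.down else self.right
        return left, right

    def observe(self, local_ok: bool, far_ok: bool) -> bool:
        """Feed one probe round; return True when the config must be re-rendered."""
        before = self.endpoints()
        self.local_gw.record(local_ok)
        if local_ok:  # a far probe sent over a dead local link says nothing about the peer
            self.far_gw.record(far_ok)
        return self.endpoints() != before

    def render(self) -> str:
        left, right = self.endpoints()
        return (f"conn {self.name}\n  keyexchange=ikev2\n"
                f"  left={left}\n  right={right}\n  auto=start\n")


# Constructed sample (documentation address ranges, not from the thread).
SAMPLE = dict(name="main-branch", left="192.0.2.10", left_backup="198.51.100.10",
              right="203.0.113.20", right_backup="203.0.113.120")
```

A caller would run `observe()` once per probe interval and reload the IPsec configuration only when it returns `True`; a successful probe resets the counter, so the tunnel fails back to the primary address as soon as it answers again.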
Title: Re: IPsec Failover project...
Post by: franco on August 07, 2017, 06:31:43 am
We can keep this in a ticket, but the usage of "apinger" makes me doubt the long-term stability of this solution. Maybe we can do some other kind of monitoring and / or a manual ping command helper?

Apinger used to do exactly this: probe remote servers for availability, but in the course of pfSense was turned into a gateway monitoring solution that shall stop working because it requests a full bind to the interface IP *and* a monitoring route, both of which do not scale well:

We'd ideally want this to be a solution that works on top of multi-wan, not being stuck to its limitations of fixed-link behaviour.

There is, however, a gateway "ping" script for IPsec already which could be used to pull this off by pinging inside the tunnel and using this information?

https://github.com/opnsense/core/blob/master/src/sbin/ping_hosts.sh


Cheers,
Franco
Title: Re: IPsec Failover project...
Post by: mimugmail on August 07, 2017, 06:42:08 am
@franco: I'll have a look, thanks :)

@jorge: Would you open an issue?
Title: Re: IPsec Failover project...
Post by: jorgevisentini on August 07, 2017, 03:51:11 pm
I'm so sorry, my English skills are bad  :-[

@nzkiwi68
Your logic is perfect.
I have another idea... Have a siteMAIN with 2 tunnels (P1) with 1 different IP in each.

We can keep started the 2 tunnels and use metric of route. If route 1 not ping the remote internal network (P2) then try the route 2. Like this...

I try with DDNS but I did not get success because of the time it takes to change the IP. Even with paid DDNS.


@mimugmail
Sorry for my English again, I don't understand "@jorge: Would you open an issue?"
Where do I open an issue?

@franco
I don't know if I talk nonsense but I use "fping" to test my hosts. It works very well.