OPNsense Forum

English Forums => General Discussion => Topic started by: kapara on May 16, 2018, 02:02:43 am

Title: Multi-Wan VPN Failover
Post by: kapara on May 16, 2018, 02:02:43 am
I am on the fence now with which solution to go with.  With pfsense soon to lose support of development due to moving to their new product I am hoping that Opnsense will be able to fulfill a feature I am needing desperately.

Multiwan failover VPN

I am currently looking at Sophos as this product can provide the feature that I need.  It is able to be installed as a VM and can handle VPN failover (This is the most important).

I have a firewall in a datacenter with a high availability connection but at the remote site (Office) I have 2 different ISP's providing connection and need the firewall in the remote office to be able to failover to the secondary connection in the event that the primary tunnel goes down.

Is this possible with Opnsense yet?  I have seen several posts that discuss this but nothing concrete as to whether it is now a fully supported and production feature or not.
Title: Re: Multi-Wan VPN Failover
Post by: mimugmail on May 16, 2018, 06:23:12 am
You can do this with OpenVPN
Title: Re: Multi-Wan VPN Failover
Post by: kapara on May 16, 2018, 05:56:58 pm
Are there any tutorials for this kind of setup?
Title: Re: Multi-Wan VPN Failover
Post by: mimugmail on May 16, 2018, 10:16:30 pm
You can set multiple remote IPs in client mode
Title: Re: Multi-Wan VPN Failover
Post by: kapara on May 19, 2018, 01:17:43 am
Again any tutorials? 
Title: Re: Multi-Wan VPN Failover
Post by: mimugmail on May 19, 2018, 07:41:26 am
docs.opnsense.org

Test Site2Site and Client VPN, when you earned some experience set Interface on server to any and on client multiple remote.
Title: Re: Multi-Wan VPN Failover
Post by: vince on May 29, 2018, 09:30:50 am
Is this possible with IPsec as well? I guess in a way it must be, since Sophos seems to provide that, but I have (and want) to stay with our OPNsense boxes. Setup see below. Currently this setup is running without the HA-2 part and switch, with an IPsec VPN in between HA-1 and FW-3. I was just wondering if I could make the failover happen without putting another box in that serves as a pppoe endpoint for site 1.

Code:
                                                               site 1 #                      #  site 2
            |---[ HA-1 ]---pppoe1---|                                 #                      #
{ LAN-1 }---|       |               |---[ switch ]---[ eth to opt ]---#---[ pppoe server ]---#---pppoe3---[ DSL modem ]---[ FW-3 ]---{ LAN-2 }
            |---[ HA-2 ]---pppoe2---|                                 #                      #
Title: Re: Multi-Wan VPN Failover
Post by: mimugmail on May 29, 2018, 09:37:19 am
Sophos does this with many scripting .. so in theory it can work if you port all the scripting logic to here, but ATM no one has the time to start this.

With OpenVPN it's no problem .. so why invest so much time in there ..
Title: Re: Multi-Wan VPN Failover
Post by: vince on May 29, 2018, 02:51:31 pm
Well, for me it's because all other VPNs we have are IPsec based and I'd rather stay with one solution. It's not all OPNsense yet either. And in this case it's much easier to just add a new pppoe endpoint instead of switching everything to OpenVPN, although I would have liked to skip having to use (and secure) another device.
In general, as far as I remember, someone might want that because IPsec has more features than OpenVPN, although it sure can be a real pain to work with sometimes.
Title: Re: Multi-Wan VPN Failover
Post by: kapara on September 12, 2019, 07:55:45 am
Really hoping someone can get this to work.  Is a bounty possible?  I think we would see a much higher adoption rate if this was supported.  I understand that OpenVPN can work but many companies I work with including financial ones absolutely do not support OpenVPN so if you are just trying to do tunnels between your own locations this is ok but if you want to establish tunnels with larger companies OpnSense is out of the question.

Every major firewall provider supports IPSEC failover.

Cisco
Fortigate
Sonicwall
Sophos
And the list continues
Title: Re: Multi-Wan VPN Failover
Post by: mimugmail on September 12, 2019, 08:04:45 am
And all these cost license fees to feed their developers. You can always ask Deciso guys for paid development.

We (my employer) already sponsored 2 major features in the past.
Title: Re: Multi-Wan VPN Failover
Post by: kapara on September 13, 2019, 01:02:15 am
That is what I am referring to but with pfSense it was a bounty and users were able to chip in together to fund it rather than a single entity.  1st I am not sure what the cost would be to do this and 2. I most likely would not be able to afford it.  Probably would be cheaper to switch to Sophos than to fund it but if there was a large community interest the cost would be dispersed across the community that wanted the feature.
Title: Re: Multi-Wan VPN Failover
Post by: mimugmail on September 13, 2019, 05:59:22 am
First step would be to search open feature request in GitHub, if there is one, join in, if not, create a new one
Title: Re: Multi-Wan VPN Failover
Post by: kapara on November 29, 2019, 09:23:25 pm
I just noticed that Phase 1 of IPSEC has an option I have not seen before.

Dynamic Gateway:  Allow any remote gateway to connect.

I am interested in this for remote sites that have 2 static IP with dual wan that need to connect to my datacenter OPNsense firewall.  Data center does not need dual.

Is there any documentation about implementing a VPN with this option?

Also this might be a moot point if I can use a distinguished name instead of IP Address and assign firewall.domain.com as the A record for both static IP addresses?  If WAN 1 goes down and WAN 2 comes up, since it has the same A record all will be good?  Would I need to assign the interface to a gateway group?

Title: Re: Multi-Wan VPN Failover
Post by: kapara on November 29, 2019, 09:45:01 pm
For example can I use this example in the photo for the location with Dual static?  The gateway group is set up as Comcast Primary and ATT Secondary as a failover group.  I can create an A record for both gateway IP so that they are both firewall.domain.com
Title: Re: Multi-Wan VPN Failover
Post by: Gcon on December 06, 2019, 02:30:54 pm
I don't think you'd want to have a single FQDN (firewall.domain.com) with multiple A records representing your WAN links.  DNS servers randomise the order of the IPs returned in a lookup, so it becomes non-deterministic. Even if the order didn't matter, the DNS client randomly picks an IP - usually the first one - and then tries that. There's no guarantee that the client will try the second IP - that would depend on how the DNS client application is programmed.  The test would be to try it in a lab and see what happens. It all sounds a bit messy though.

OPNsense 19.7 has release notes "IPsec Route based mode (VTI)". I'm looking into that feature to see what it provides as I used to use Virtual Tunnel Interfaces extensively with Cisco back when I was using those edge devices for VPN and found them to be quite handy - especially when used with GRE headers and running RIPv2 over the top.
Title: Re: Multi-Wan VPN Failover
Post by: kapara on March 12, 2020, 07:24:39 pm
I don't understand why this cannot be a simple solution.

One of my situations:

Site A is in a Datacenter with a single redundant internet connection with static IP assigned to OpnSense.

Site B has 2 wan connections with static IP addresses.

I have 2 IPsec VPN configurations in both firewalls so that I can use VPN failover but I must manually disable and enable the connections but it works.

Why can't this be automated?  For example:

Site A: Pings both remote WAN interfaces.  If remote WAN1 stops responding it disables the VPN to remote WAN1 and enables the VPN to remote WAN2.

Site B: If WAN1 goes down it disables P1 and P2 VPN to Site A using WAN1 and enables P1 and P2 using WAN2

If WAN1 comes back online Site B can send a command to Site A notifying it that WAN1 is back online and to disable its VPN to WAN2 and enable the VPN to WAN1.

You could even have a solution that communicates via ssl between the 2 firewalls using the gateway group so that the information transfer does not have to happen over the VPN tunnel.
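The Site A half of the automation sketched in the post above, written as an added example for this page (it is not code from the thread or from OPNsense): ping results are fed in by the caller, and the disable/enable of the IPsec connections is a hypothetical hook recorded as text, since the thread names no command for it. A remote WAN has to fail, or recover, `threshold` probes in a row before the tunnel is moved, so one lost ping does not flap the tunnel back and forth.

```python
# Added example: Site A's half of the failover automation proposed above, as a
# state machine. Probe results come from the caller; the tunnel enable/disable is
# a hypothetical hook recorded as text (the thread names no OPNsense command).
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class VpnFailover:
    wans: List[str]                # remote WAN names, most preferred first
    threshold: int = 3             # consecutive probe results needed to flip a WAN's state
    active: Optional[str] = None   # remote WAN whose IPsec tunnel is currently enabled
    down: Set[str] = field(default_factory=set)
    streak: Dict[str, int] = field(default_factory=dict)  # >0 successes, <0 failures in a row
    actions: List[str] = field(default_factory=list)      # enable/disable calls made so far

    def __post_init__(self) -> None:
        # Every WAN starts unproven: it must pass `threshold` probes before it is used.
        self.down = set(self.wans)
        self.streak = {w: 0 for w in self.wans}

    def step(self, reachable: Dict[str, bool]) -> Optional[str]:
        """Feed one round of ping results; return the WAN whose tunnel should be up."""
        for wan in self.wans:
            if reachable.get(wan, False):
                self.streak[wan] = max(self.streak[wan], 0) + 1
            else:
                self.streak[wan] = min(self.streak[wan], 0) - 1
            if self.streak[wan] >= self.threshold:
                self.down.discard(wan)       # proven reachable again: eligible for failback
            elif self.streak[wan] <= -self.threshold:
                self.down.add(wan)           # proven unreachable: fail away from it
        healthy = [w for w in self.wans if w not in self.down]
        wanted = healthy[0] if healthy else self.active  # nothing healthy: keep current tunnel
        if wanted is not None and wanted != self.active:
            # Hypothetical hooks: a deployment would disable/enable the phase 1 entries here.
            if self.active is not None:
                self.actions.append(f"disable {self.active}")
            self.actions.append(f"enable {wanted}")
            self.active = wanted
        return self.active


def run_scenario(rounds: List[Dict[str, bool]], threshold: int = 3) -> List[str]:
    """Replay scripted probe rounds (constructed data) and return the actions taken."""
    fo = VpnFailover(["WAN1", "WAN2"], threshold=threshold)
    for probe in rounds:
        fo.step(probe)
    return fo.actions
```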
Title: Re: Multi-Wan VPN Failover
Post by: mimugmail on March 12, 2020, 09:47:48 pm
Did you read the last post? You can use routed IPSec with GRE tunnel and BGP inside ...
Title: Re: Multi-Wan VPN Failover
Post by: kapara on March 13, 2020, 12:05:24 am
Is there any documentation on how to do this or is it a figure it out on your own scenario?
Title: Re: Multi-Wan VPN Failover
Post by: kapara on March 19, 2020, 06:24:15 pm
You mean this?

https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route.html

I do not see any references to GRE or BGP
Title: Re: Multi-Wan VPN Failover
Post by: mimugmail on March 19, 2020, 09:23:55 pm
Just play around with it, bgp is so flexible, there is no Standard way