Messages - thale

#1
This assumes that you already have the WAN failover aspect working.

To get IPSEC to failover, you have to define your phase 1s on both sides of the IPSEC link with Distinguished Name.  You can't use the peer address because that address will change and the resulting IPSEC connection attempt will be denied.  Distinguished Name is static.  Also, you would need to have a dynamic DNS for your IP address that will update when the connection switches, and you use the dynamic DNS for your connection IP.  That's about all there is to it if I remember correctly off the top of my head.
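As an added illustration of the approach in post #1 (not configuration from the thread, from OPNsense, or from its author), here is the same idea written in ipsec.conf syntax for strongSwan, the IKE daemon OPNsense runs underneath its GUI: the phase 1 identifiers are fixed strings rather than addresses, and the remote peer is named by a dynamic DNS hostname instead of a literal IP. All hostnames, identities, subnets and the secret are assumed values, and rendering the post's "Distinguished Name" identifier as an FQDN-style string is an assumption about which strongSwan identity type that GUI setting maps to.

```conf
# Added example, not from the thread: site A's view of a site-to-site tunnel
# in strongSwan ipsec.conf syntax. Site B holds the mirror image with left
# and right swapped. Hostnames, identities and subnets are assumed values.
conn site-a-to-site-b
    keyexchange=ikev2
    authby=secret
    # Phase 1 identities are static strings, not addresses, so they remain
    # valid when WAN failover moves the tunnel onto the other provider's IP.
    leftid=@site-a.example.net
    rightid=@site-b.example.net
    # The local endpoint follows whichever WAN is currently the default route.
    left=%defaultroute
    # The peer is reached through its dynamic DNS name, which the peer
    # updates when its own WAN switches; never through a fixed peer address.
    right=site-b.ddns.example.net
    leftsubnet=10.10.0.0/24
    rightsubnet=10.20.0.0/24
    # Dead peer detection tears down and re-establishes the tunnel after a
    # failover instead of leaving a stale SA aimed at the old address.
    dpddelay=10s
    dpdaction=restart
    auto=start

# /etc/ipsec.secrets on both sides, keyed by identity rather than by IP
# (assumed placeholder secret):
# @site-a.example.net @site-b.example.net : PSK "replace-with-a-long-random-secret"
```

The two settings that matter for failover are leftid/rightid (identity strings that match on both ends regardless of source address) and right (a DDNS name that is re-resolved when the tunnel restarts). On OPNsense the same choices are made in the phase 1 screen: identifier types that are strings rather than "My IP address", the dynamic DNS name as the remote gateway, and, as post #3 notes, the CARP virtual IP selected in the Interface drop-down.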
#2
I am testing OPNsense as a possible replacement for our existing router solution.  We operate multiple sites using IPSEC tunnels to connect the LANs at each site.  I am testing a dual-router setup on a lab network, with the OPNsense component being dual-router, with CARP addresses for WAN and LAN, state and configuration sync over a dedicated interface, and an IPSEC tunnel to another router "location" in the lab.

My testing of OPNsense has been going well, with IPSEC up and working and OPNsense handling the routing failover scenarios I've had time to throw at it so far.  Then yesterday, I enabled Traffic Shaping.  With Traffic Shaping configured, I'm experiencing repeated hard crashes.  The primary router will crash and, if left alone for a while, the secondary router will eventually crash as well.  Both routers require a hard reset to make them operational again.  This morning I tried resetting everything and letting it sit, essentially not driving any traffic over the IPSEC tunnels, and the routers stayed active.  I then started copying a file from one LAN to the other, and the routers both crashed again.

In the system log I see this repeated 15 times over a period of 47 minutes (with different memory addresses):
kernel: --- heap_extract: empty heap 0x0xfffff8002f8936f0

The next entry in the log is when I reset the router.

The console shows some additional information but my picture is too big to post at the moment.  I can try to address that if needed.

Is there a known bug affecting Traffic Shaping?  I looked through the issues and didn't see one listed.  Any suggestions on how to fix this?
#3
In the IPSEC phase 1 screen, you should have a drop-down box for Interface.  Your virtual IP address should appear in that drop-down box.
#4
17.1 Legacy Series / Re: IPsec Site to Site Failover
March 29, 2017, 04:39:57 PM
What are you trying to failover?  Do you have a dual-WAN connection and you want your IPSEC connection to switch to the 2nd provider if the primary fails?  Or is it something else?