IP Sec Site to Site - VPN Doesn't Switch WAN Interfaces On Failover
« on: September 14, 2022, 07:14:16 pm »
I have a problem. I have a site to site configuration between an OPNSense router at my remote office and created an IPSec tunnel to Corporate (Sonicwall).
I have been able to get about 90% there, but not quite happy with the setup.
Background information: I have successfully set up the gateway failover so that when the primary WAN interface has enough dropped packets, it fails over. This works just fine.
IPSec: Phase 1 IPSec Site to Site has the Tunnel setup against an interface of ANY. In my mind, it would make more sense to have the Gateway group be an option, but presently that is not an option available in the dropdown.
Testing procedure:
- Runs Tracert from the OPNSense router to confirm WAN traffic is using the primary WAN interface.
- Runs VPN test by reaching out to a corporate resource from a local computer behind the OPNSense router.
- Unplugs the primary WAN interface from the OPNSense router, simulating an ISP outage.
- Confirms the Internet is working on a workstation.
- Runs secondary Tracert to confirm new traffic is leaving out the WAN2 port: WAN2 TEST SUCCESSFUL
- Tests VPN traffic by reaching out to a corporate network resource: VPN TEST FAILS
- Waits a minute or two: VPN on corporate side finally shows as disconnected.
- Multipart troubleshooting. Tried all of the following and got results:
  - Cycles VPN on corporate router side
  - Restarts IPSec services on OPNSense
  - Changes IPSec Phase 1 to WAN2 interface instead of ANY
  - Restarts IPSec services on OPNSense
  Result: VPN COMES BACK UP USING SECONDARY
In my eyes, since the IPSec Site to Site works and WAN failover works, there must be something I am missing to help the 2 tunnels recognize the primary WAN interface is down, and to retry using the WAN2 interface as the target.
The Corporate router is a Sonicwall, and we have set up Sonicwall to Sonicwall failover in the past to work great. The WAN2 interface is using DynamicDNS, and I have confirmed that to be working as expected as well. The secondary target on the Sonicwall's VPN Site to Site configuration is the Dynamic DNS host address, which works as expected during the testing I mentioned above.