Messages - nzkiwi68

Development and Code Review / Re: IPsec Failover project...
« on: August 07, 2017, 02:56:54 am »
Hi.

First-time post here, but I'm a very experienced network engineer with a particular bent on network security and firewalls. I come from a background of originally doing packet filters in routers, to a long time SonicWALL partner, then pfSense and now seriously looking at OPNsense.

What I desperately miss from SonicWALL days was their excellent IPsec failover.

I would change pfSense to OPNsense in a heartbeat if we can get a decent IPsec multi-WAN failover solution that works. This is what all the expensive brand name firewalls do well.

Consider this:
2 sites, siteMAIN and siteBRANCH
Both sites have dual WAN and clustered firewalls

With SonicWALL, it's possible to have both remote static IP addresses loaded in phase1 for siteMAIN to siteBRANCH (WAN1 and WAN2) and vice versa. On WAN1 failing at either siteMAIN or siteBRANCH, IPsec rapidly heals and the tunnel continues working; I'm talking about losing only a few pings.
Also, just as critical, the state is NOT lost. I suspect SonicWALL (and others) cleverly do not drop nor reset state on a multi-WAN IPsec tunnel.
Perhaps the mechanism is based around knowing the phase2 networks; state is not lost on phase2 local-remote networks.

I notice that using the current system of dynamic DNS to get around IPsec fail-over has some major shortcomings:
1. DDNS takes quite a while to detect and respond to fail-over, upwards of a minute
2. State is lost during the fail-over which wrecks telnet and SSH sessions and that causes network chaos

FreeBSD with pfsync, CARP and the multi-WAN is great. We just need a robust IPsec multi-WAN fail-over.

Back to my example, and a bit more detail:
  • siteMAIN, WANm1 and WANm2
  • siteBRANCH, WANb1 and WANb2

WANm1 fails at siteMAIN:
  • Multi WAN at siteMAIN handles the transition from WANm1 to WANm2 no problem for the firewall itself
  • The issue is siteBRANCH WANb1 today doesn't accept traffic from WANm2
  • State is lost
OPNsense is an OSS project © Deciso B.V. 2015 - 2019 All rights reserved