Development and Code Review / Re: IPsec Failover project...
« on: August 07, 2017, 02:56:54 am »
Hi.
First time post here, but I'm a very experienced network engineer with a particular bent on network security and firewalls. I come from a background of originally doing packet filters in routers, to a long-time SonicWALL partner, then pfsense and now seriously looking at OPNsense.
What I desperately miss from SonicWALL days was their excellent IPsec failover.
I would change pfsense to OPNsense in a heartbeat if we can get a decent IPsec multi wan failover solution that works. This is what all the expensive brand name firewalls do well.
Consider this:
2 sites, siteMAIN and siteBRANCH
Both sites have dual WAN and clustered firewalls
With SonicWALL, it's possible to have both remote static IP addresses loaded in phase1 for siteMAIN to siteBRANCH (WAN1 and WAN2) and vice versa. On WAN1 failing at either siteMAIN or siteBRANCH, IPsec rapidly heals and the tunnel continues working; I'm talking about losing only a few pings.
Also, just as critical, the state is NOT lost. I suspect SonicWALL (and others) cleverly do not drop nor reset state on a multi WAN IPsec tunnel.
Perhaps the mechanism is based around knowing the phase2 networks; state is not lost on phase2 local-remote networks.
I notice that using the current system of dynamic DNS to get around IPsec fail-over has some major shortcomings:
1. DDNS takes quite a while to detect and respond to fail-over, upwards of a minute
2. State is lost during the fail-over which wrecks telnet and SSH sessions and that causes network chaos
FreeBSD with pfsync, CARP and the multi WAN is great. We just need a robust IPsec multi WAN fail-over.
Back to my example, and a bit more detail:
- siteMAIN, WANm1 and WANm2
- siteBRANCH, WANb1 and WANb2
WANm1 fails at siteMAIN:
- Multi WAN at siteMAIN handles the transition from WANm1 to WANm2 no problem for the firewall itself
- The issue is siteBRANCH WANb1 today doesn't accept traffic from WANm2
- State is lost
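For reference, the building blocks that strongSwan (the IPsec daemon behind OPNsense) offers for the dual-address phase1 described in the post, written as a swanctl.conf for siteMAIN. This is an added example, not configuration from the post or from the OPNsense project; all addresses, networks and identities are constructed, and siteBRANCH would carry the mirror image.

```conf
# Added example (not from the post): swanctl.conf for siteMAIN.
# Constructed addresses:
#   siteMAIN:   WANm1 = 192.0.2.1,     WANm2 = 198.51.100.1
#   siteBRANCH: WANb1 = 203.0.113.1,   WANb2 = 203.0.113.129
connections {
    main-to-branch {
        version = 2                        # IKEv2; MOBIKE needs it
        # Both of our WAN addresses: the IKE SA may live on either one.
        local_addrs  = 192.0.2.1, 198.51.100.1
        # Both peer WAN addresses: as responder, IKE arriving from either
        # is accepted, so a peer that moved to its second WAN is not refused
        # (the "WANb1 doesn't accept traffic from WANm2" case in the post).
        remote_addrs = 203.0.113.1, 203.0.113.129
        # MOBIKE (RFC 4555): an established IKE SA and its CHILD_SAs are
        # moved to the new address pair instead of being torn down and
        # renegotiated, which is the "state is not lost" behaviour.
        mobike = yes
        # Dead peer detection every 10 s: a dead path is noticed in seconds
        # rather than after a DDNS update propagates.
        dpd_delay = 10s
        local {
            auth = psk
            id = siteMAIN
        }
        remote {
            auth = psk
            id = siteBRANCH
        }
        children {
            lan-to-lan {
                # Phase 2 selectors: traffic is matched on these networks,
                # not on whichever WAN address carries the tunnel.
                local_ts  = 10.10.0.0/16
                remote_ts = 10.20.0.0/16
                start_action = start       # bring the tunnel up on load
                dpd_action = restart       # re-initiate if the peer goes silent
            }
        }
    }
}
secrets {
    ike-branch {
        id = siteBRANCH
        secret = "REPLACE-WITH-A-STRONG-PSK"   # placeholder, not a real key
    }
}
```

Note that this keeps the IPsec SAs across an address change; the firewall's own pf state for traffic inside the tunnel is a separate matter that this file does not address.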