Topic: VPN ipsec trunk (Read 12049 times)
reep
VPN ipsec trunk « on: October 18, 2015, 04:48:47 pm »
A feature I miss badly from my Draytek 3300s is VPN trunking over IPsec, which gives automatic failover across my WAN links.
Is this possible in OPNsense?
B. Rgds
John
lucifercipher
Re: VPN ipsec trunk « Reply #1 on: October 20, 2015, 10:51:13 am »
Anything is almost possible. It's just that things work differently, and instead of one click/step you end up setting up two or three things for that.
franco
Re: VPN ipsec trunk « Reply #2 on: October 23, 2015, 08:38:14 am »
Hi John,
Isn't this a premium feature by some overly expensive companies, e.g. https://www.viprinet.com/ ?
Do you know of any open source that does this? I don't think so, but I can be wrong.
Cheers,
Franco
reep
Re: VPN ipsec trunk « Reply #3 on: November 06, 2015, 09:46:06 pm »
Hi Franco,
I currently use it on my Draytek 3300s. It's one cool feature and something I am finding hard to do without.
I believe it can be implemented in Linux.... either as failover or as a proper trunk - you use GRE over IPsec. It is clearly possible. I'd be happy to work on it with you as there doesn't seem to be much else out there and it would be a bit of a killer feature for you!
I'll certainly have a read around if you are interested....
B. Rgds
John
franco
Re: VPN ipsec trunk « Reply #4 on: November 06, 2015, 09:48:09 pm »
John, that would be totally awesome to get into OPNsense. Count me in.
reep
Re: VPN ipsec trunk « Reply #5 on: November 08, 2015, 07:59:02 am »
Quote from: franco on November 06, 2015, 09:48:09 pm
John, that would be totally awesome to get into OPNsense. Count me in.
Hehehe...
OK, after a quick search, some reading for starters:
http://lartc.org/lartc.html#LARTC.TUNNEL.GRE
http://www.myitnotes.info/doku.php?id=en:jobs:vpn_gre_over_ipsec
https://forum.ivorde.com/linux-site-to-site-gre-over-ipsec-vpn-tunnels-using-racoon-kame-ipsec-tools-t19531.html
Plenty more on the subject out there. I think half of the job is done if you have IPSEC connections already set up and working.
Effectively you create your IPsec tunnels and then add them into the trunk. Here are some pics from my 3300. This is repeated at the other end in reverse.
http://picpaste.com/IpsecPolicy-EJtbITCe.png
http://picpaste.com/IpsecTrunkGroup-6jrZjmaM.png
http://picpaste.com/IpsecTrunkSetup-lAeSWHOQ.png
You can weight the routes to bond them, or run Master/Slave type arrangement.
As you mention, it does tend to be something found on higher end stuff. From what I can see none of the other distros do it out of the box easily. I think Zeroshell does, or did, but not with IPsec. Endian doesn't. Possibly Sophos does. So that makes it a nice unique feature for you :-)
I guess we should open an issue on GitHub?
B. Rgds
John
reep
Re: VPN ipsec trunk « Reply #6 on: November 09, 2015, 12:21:11 am »
I missed some more settings:
http://picpaste.com/IpsecTrunkSettings-ouV1bBgC.png
On the Draytek 3300 you basically do the following, assuming I have two WAN IPs at each end - A & B at one end and C & D at the other:
Create IPSEC <Trunk One>
  DPD Delay 2 secs
  DPD Timeout 4 secs
  <Local GRE IP> <Local WAN IP A> <!ipsec tunnel!> <Remote WAN IP C> <Remote GRE IP>
Create IPSEC <Trunk Two>
  <Local GRE IP> <Local WAN IP B> <!ipsec tunnel!> <Remote WAN IP D> <Remote GRE IP>
  DPD Delay 2 secs
  DPD Timeout 4 secs
The GRE IPs are an imaginary net that each end of the trunk is joined by.
Create Group Route - the networks you actually want to join:
<Trunk One>
<Local Subnet> <Remote Subnet>
<Trunk Two>
You could add multiple trunks in, e.g.
A - C
B - D
A - D
B - C
On the Draytek in the Groups section you can then either run them as load balanced or as backup/failover
I have been trying to get my head round how you write the routes - never my strong point!
I think this page holds the key, but you need to effectively create the IPsec connection between the WAN IPs first:
http://www.lartc.org/lartc.html#AEN337
Bearing in mind you have the IPsec stuff up and running, I don't think it would be too hard to implement this. Just needs some head scratching!
Hope that makes sense.
B. Rgds
John
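The Draytek recipe in the post above, rendered as Linux iproute2 commands (an added example; not code from the thread, from OPNsense or from Draytek). It assumes the IKE daemon already maintains GRE-only transport-mode IPsec SAs between each WAN pair, and the addresses, the trunk1/trunk2 names and the 10.255.0.0 "imaginary net" are constructed placeholders. In dry-run mode (the default) it prints the commands instead of running them, so the routing decisions can be checked without root.

```shell
#!/bin/sh
# Added example (not from the thread): Reply #6's two-member GRE-over-IPsec
# trunk as iproute2 commands on Linux. Assumes the IKE daemon already keeps
# GRE-only transport-mode SAs up between each WAN pair, so only the GRE
# members and the "group route" are built here. All addresses are constructed.
LOCAL_WAN_A=198.51.100.10; REMOTE_WAN_C=203.0.113.10
LOCAL_WAN_B=198.51.100.20; REMOTE_WAN_D=203.0.113.20
REMOTE_SUBNET=192.168.2.0/24
# The "imaginary net" joining the two ends: one point-to-point pair per member.
GRE1_LOCAL=10.255.0.1; GRE1_REMOTE=10.255.0.2
GRE2_LOCAL=10.255.0.5; GRE2_REMOTE=10.255.0.6
DRY_RUN=${DRY_RUN:-1}   # 1 = print the commands instead of executing them
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# One trunk member: a GRE tunnel between a local/remote WAN pair. The IPsec
# policy matches GRE between exactly these endpoints, so without a live SA the
# tunnel black-holes traffic rather than sending GRE in the clear.
trunk_member() {
  name=$1; lwan=$2; rwan=$3; lgre=$4; rgre=$5
  run ip tunnel add "$name" mode gre local "$lwan" remote "$rwan" ttl 64
  run ip addr add "$lgre" peer "$rgre/32" dev "$name"
  run ip link set "$name" up
}

# Group route for the real remote subnet over both members:
#   balance -> weighted multipath (the Draytek "load balanced" group)
#   backup  -> primary/backup by metric (the Draytek "backup/failover" group)
group_route() {
  case $1 in
    balance) run ip route replace "$REMOTE_SUBNET" \
               nexthop via "$GRE1_REMOTE" dev trunk1 weight 1 \
               nexthop via "$GRE2_REMOTE" dev trunk2 weight 1 ;;
    backup)  run ip route replace "$REMOTE_SUBNET" via "$GRE1_REMOTE" dev trunk1 metric 10
             run ip route replace "$REMOTE_SUBNET" via "$GRE2_REMOTE" dev trunk2 metric 20 ;;
    *) echo "group_route: unknown mode '$1'" >&2; return 1 ;;
  esac
}

# Metrics alone never fail over: a GRE interface has no link state, so a dead
# peer (what DPD catches on the IKE side) leaves the primary route in place.
# Probe the far GRE address with the thread's 2 s DPD delay from a timer and
# keep a single route on the first live member.
member_state() { if ping -c 1 -W 2 "$1" >/dev/null 2>&1; then echo up; else echo down; fi; }
pick_member() {   # args: state of trunk1, state of trunk2 ("up"/"down")
  if [ "$1" = up ]; then echo trunk1; elif [ "$2" = up ]; then echo trunk2; else return 1; fi
}
failover_once() {
  m=$(pick_member "$(member_state "$GRE1_REMOTE")" "$(member_state "$GRE2_REMOTE")") || return 1
  if [ "$m" = trunk1 ]; then gw=$GRE1_REMOTE; else gw=$GRE2_REMOTE; fi
  run ip route replace "$REMOTE_SUBNET" via "$gw" dev "$m"
}
```

Run with `DRY_RUN=0` as root on both ends (with A/B and C/D swapped on the far side) to apply; `failover_once` is meant to be called periodically, e.g. from a cron or systemd timer.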
reep
Re: VPN ipsec trunk « Reply #7 on: November 09, 2015, 03:04:18 pm »
OK, a bit more research - I couldn't figure out if the Draytek did IPsec over GRE or GRE over IPsec.
Reading these, it is clear that it does GRE over IPsec:
http://www.draytek.com/index.php?option=com_k2&view=itemlist&task=category&id=128&Itemid=293&lang=en
This PDF has a nice diagram to show it:
http://www.draytek.com/index.php?option=com_k2&view=item&id=2046&Itemid=293&lang=en
I think the link above to myitnotes.info is worth a look - if you get one tunnel up it would be easy enough to add more, I guess, and they show the basics of how to do that. Trying to think how to test this, as IPsec is fussy with IPs and I have a very limited number which are all in production.
B. Rgds
John
reep
Re: VPN ipsec trunk « Reply #8 on: November 09, 2015, 08:30:31 pm »
Just reinstalled tonight to play (still can't get a route out, but that's another story) and can see you have a GRE tunnel setup, so I guess you have all the bits there to do it... just a case of bolting it together.
Will play more tomorrow, if I can get the damn thing to connect!!!
B. Rgds
John