IPSEC with two remote ip (primary/backup)

Started by maurotb, September 12, 2020, 06:57:26 PM

I need to set up my OPNsense to make an IPsec VPN.
The remote firewall has two IPs, primary and backup.
In the GUI I can set only one IP; how can I make this setup?
Thanks

Set up both, with one disabled. No auto failover; this only works with OpenVPN.

@mimugmail thanks
This is another big limit in a real enterprise deployment...  :-\

In an enterprise you would use route based IPsec and a dynamic routing protocol (which is supported in OPN)

OPNsense comes with a lot of enterprise-ready solutions. As mimugmail wrote, a setup for a highly available VPN would look different.
But be aware that for such uplinks you in general need to pay more money.
Twitter: banym
Mastodon: banym@bsd.network
Blog: https://www.banym.de

Maybe I am wrong, but this is how I would try to do that:
- Set up two separate IPsec connections, one for each destination IP, where phase 2 is then route-based. Phase 1 has to use dead peer detection (DPD).
- This should create two network interfaces.
- Create two gateways, one for each IPsec remote address on phase 2.
- Group the two gateways into a gateway group.
- Use the gateway group in your routes and policies.

I am interested in whether this setup actually works. Please confirm if you have tried it...

Thanks
Rainer

@mimugmail @banym
Maybe I haven't explained myself.
My OPNsense is connected to two lines in BGP; I have no problems with HA.
I need to connect to an external company that uses a Cisco ASA,
wants to create an IPsec VPN and has 2 internet lines in Active/Standby.
Obviously, being an external company, I cannot impose an OpenVPN configuration (Cisco ASA does not support it),
and firewalls normally support dual peer active/standby.

@rainerle
In this way I believe that OPNsense tries to activate both IKE, while they should be active/standby, right?

Yes, it will try to activate both IKE. If one of their sides is really passive and you configure the gateway check on your side correctly, the gateway group with the respective routing should then route the traffic through the active line.

If they are the ones establishing the link and you are just the responder, that would make things easier for you. But then they have to make sure that the link is always up.

Do you have both BGP uplinks connected to one OPNsense?
Twitter: banym
Mastodon: banym@bsd.network
Blog: https://www.banym.de

Quote from: maurotb on September 13, 2020, 06:39:21 PM
@mimugmail @banym
Maybe I haven't explained myself.
My OPNsense is connected to two lines in BGP; I have no problems with HA.
I need to connect to an external company that uses a Cisco ASA,
wants to create an IPsec VPN and has 2 internet lines in Active/Standby.
Obviously, being an external company, I cannot impose an OpenVPN configuration (Cisco ASA does not support it),
and firewalls normally support dual peer active/standby.

@rainerle
In this way I believe that OPNsense tries to activate both IKE, while they should be active/standby, right?

TBH... the active/backup peer solution from Cisco is proprietary to itself. You can also do this with Palo Alto, but you can't do this when connecting Palo Alto to Cisco.

If you want to use open standards, use route-based IPsec, which ASA supported, and then run a routing protocol inside, also supported by ASA (and IOS of course).

August 07, 2024, 02:33:54 PM #10 Last Edit: August 19, 2024, 04:54:49 PM by Rhin0
To configure an IPsec connection on OPNsense with two remote IP addresses (primary and backup), here is a solution proposed by the community:

Configure two separate IPsec connections, one for each destination IP address, with a route-based phase 2 and dead peer detection (DPD) enabled.
Create two gateways, one for each remote IP address.
Group these two gateways into a gateway group.
Use this gateway group in your routes and policies to provide automatic failover.
You will find more information at the following link: https://cyberopti.com/guide-de-configuration-dun-switch-cisco/
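The first step of the procedure rainerle listed above, and that Rhin0 restates here, is "two separate route-based IPsec connections, one per remote peer address, each with DPD". Below is an added illustration of what that looks like in strongSwan's swanctl.conf syntax, which is the IPsec daemon OPNsense uses. It is not taken from this thread, not generated by OPNsense (OPNsense writes this file itself from the GUI, so on a real box you configure the equivalent in VPN: IPsec, not by hand), and every address, identity, reqid and pre-shared key is a constructed placeholder from the documentation ranges. The gateway, gateway-group and routing steps of the procedure live in the OPNsense GUI and are not expressed in this file.

```conf
# Added example: two route-based IKEv2 connections to one partner with
# a primary and a backup peer address. Addresses, IDs, reqids and PSKs
# are constructed placeholders (RFC 5737 documentation ranges).
connections {
    peer-primary {
        version      = 2
        local_addrs  = 198.51.100.10     # our WAN address (placeholder)
        remote_addrs = 203.0.113.1       # partner's PRIMARY peer (placeholder)
        local {
            auth = psk
            id   = 198.51.100.10
        }
        remote {
            auth = psk
            id   = 203.0.113.1
        }
        proposals = aes256-sha256-modp2048
        dpd_delay = 10s                  # IKE liveness probe every 10 s (phase 1 DPD)
        children {
            vti-primary {
                mode          = tunnel
                reqid         = 1001     # ties the SAs to the first ipsec interface
                local_ts      = 0.0.0.0/0   # route-based: selectors are wide open,
                remote_ts     = 0.0.0.0/0   # routing decides what enters the tunnel
                esp_proposals = aes256-sha256
                start_action  = start    # initiate when the config is loaded
                dpd_action    = restart  # re-establish after the peer stops answering
                close_action  = start    # re-establish if the peer closes the SA
            }
        }
    }
    peer-backup {
        version      = 2
        local_addrs  = 198.51.100.10
        remote_addrs = 203.0.113.2       # partner's BACKUP peer (placeholder)
        local {
            auth = psk
            id   = 198.51.100.10
        }
        remote {
            auth = psk
            id   = 203.0.113.2
        }
        proposals = aes256-sha256-modp2048
        dpd_delay = 10s
        children {
            vti-backup {
                mode          = tunnel
                reqid         = 1002     # second ipsec interface
                local_ts      = 0.0.0.0/0
                remote_ts     = 0.0.0.0/0
                esp_proposals = aes256-sha256
                start_action  = start
                dpd_action    = restart
                close_action  = start
            }
        }
    }
}

secrets {
    ike-primary {
        id     = 203.0.113.1
        secret = "PLACEHOLDER-psk-primary"   # constructed value, never reuse
    }
    ike-backup {
        id     = 203.0.113.2
        secret = "PLACEHOLDER-psk-backup"    # constructed value, never reuse
    }
}
```

Two points follow from this layout and match what the thread says. First, both IKE SAs are initiated from the OPNsense side; nothing in IPsec itself makes one tunnel "standby". Whether traffic actually flows over the backup tunnel is decided by the gateway monitoring and the gateway group on the routing layer, so the health check on each gateway (pinging an address reachable only through that tunnel) is what should be verified when testing failover. Second, DPD with `dpd_action = restart` only keeps each IKE SA alive or re-established on its own; it does not switch traffic, so a partner whose standby peer never answers IKE will simply show a permanently down second gateway, which is the expected state rather than an error.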

August 07, 2024, 02:34:17 PM #11 Last Edit: August 07, 2024, 02:36:43 PM by Rhin0
This message should be deleted.