Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Virtual private networks
»
IPSec failover question
« previous
next »
Print
Pages: [
1
]
Author
Topic: IPSec failover question (Read 643 times)
Kenren_Taisho
Newbie
Posts: 3
Karma: 0
IPSec failover question
«
on:
April 30, 2024, 09:04:34 am »
Hello.
I have a requirement to connect to an AWS network using a routed IPSec VPN.
I was given a parameter sheet to configure two IPSec tunnels having the second tunnel as the DR or failover.
In summary, I configured two IPSec tunnels, two far gateways, and two static routes pointing to the same VPN network.
Is it possible to achieve an automated fail-over? Currently, I can failover by manually switching the gateways/routes. Thanks in advance.
Logged
Monviech (Cedrik)
Global Moderator
Hero Member
Posts: 1602
Karma: 176
Re: IPSec failover question
«
Reply #1 on:
April 30, 2024, 09:56:38 am »
Have you tried out if you can use Gateway Monitoring and a Gateway Group for that?
Logged
Hardware:
DEC740
Kenren_Taisho
Newbie
Posts: 3
Karma: 0
Re: IPSec failover question
«
Reply #2 on:
April 30, 2024, 10:43:35 am »
Yes, I tried. It does not work with gateway groups. Here's what I noticed:
1. netstat -r shows that I only have 1 active route, regardless of the 2 configured static routes for the VPN network.
2. If one tunnel dies, the route does not change.
3. Failover works by manually changing the route to the working tunnel.
can this manual changing of route be automated?
Logged
Monviech (Cedrik)
Global Moderator
Hero Member
Posts: 1602
Karma: 176
Re: IPSec failover question
«
Reply #3 on:
April 30, 2024, 10:51:31 am »
I'm not really sure here. Maybe somebody else can pick this up or correct me.
I think a high availability IPSec setup needs more components.
- IPsec
- GRE over IPsec (so multicasts for dynamic routing protocols can work through the VPN tunnel)
- A dynamic routing protocol, so the routing table can change dynamically.
Logged
Hardware:
DEC740
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
Virtual private networks
»
IPSec failover question