Multi-Wan VPN Failover

Started by kapara, May 16, 2018, 02:02:43 AM

I don't think you'd want to have a single FQDN (firewall.domain.com) with multiple A records representing your WAN links.  DNS servers randomise the order of the IPs returned in a lookup, so it becomes non-deterministic. Even if the order didn't matter, then the DNS client randomly picks an IP - usually the first one - and then tries that. There's no guarantee that the client will try the second IP - that would depend on how the DNS client application is programmed.  The test would be to try it in a lab and see what happens. It all sounds a bit messy though.

OPNsense 19.7 has release notes "IPsec Route based mode (VTI)". I'm looking into that feature to see what it provides as I used to use Virtual Tunnel Interfaces extensively with Cisco back when I was using those edge devices for VPN and found them to be quite handy - especially when used with GRE headers and running RIPv2 over the top.

I don't understand why this cannot be a simple solution.

One of my situations:

Site A is in a Datacenter with a single redundant internet connection with static IP assigned to OPNsense.

Site B has 2 wan connections with static IP addresses.

I have 2 IPsec VPN configurations in both firewalls so that I can use VPN failover but I must manually disable and enable the connections but it works.

Why can't this be automated?  For example:

Site A: Pings both remote WAN interfaces.  If remote WAN1 stops responding it disables the VPN to remote WAN1 and enables VPN to remote WAN2.

Site B: If WAN1 goes down it disables P1 and P2 VPN to Site A using WAN1 and enables P1 and P2 using WAN2

If WAN1 comes back online Site B can send a command to SiteA notifying it that WAN1 is back online and to disable its VPN to the WAN2 and enable VPN to WAN1.

You could even have a solution that communicates via ssl between the 2 firewalls using the gateway group so that the information transfer does not have to happen over the VPN tunnel.
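The probe-and-switch logic described in the post above, as an added example (not code from the thread or from OPNsense). It models one site: the primary tunnel is kept active while probes to the remote WAN1 succeed, and a switch only happens after several consecutive failures (and back again only after several consecutive successes) so a single lost ping does not flap the tunnels. The names `vpn_wan1`/`vpn_wan2` and the `enable`/`disable` actions are hypothetical; a real deployment would wire them to the firewall's management interface. The cross-site notification the post mentions is outside this block.

```python
"""Gateway health-check with hysteresis for IPsec tunnel failover.

Added example, not from the forum thread. The tunnel names and the
enable/disable actions are placeholders; the monitor only records them.
"""
import subprocess


def probe(host: str, timeout_s: int = 1) -> bool:
    """Send one ICMP echo request (Linux iputils ping flags). Not used by
    the offline demo below, which feeds constructed probe results instead."""
    result = subprocess.run(
        ["ping", "-c", "1", "-W", str(timeout_s), host],
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
        check=False,
    )
    return result.returncode == 0


class FailoverMonitor:
    """Tracks reachability of the remote WAN1 path and decides which of two
    IPsec tunnels should be enabled. Hysteresis: fail over after
    `fail_threshold` consecutive lost probes, fail back after
    `recover_threshold` consecutive good probes."""

    def __init__(self, primary: str, secondary: str,
                 fail_threshold: int = 3, recover_threshold: int = 5):
        self.primary = primary
        self.secondary = secondary
        self.fail_threshold = fail_threshold
        self.recover_threshold = recover_threshold
        self.active = primary          # tunnel currently enabled
        self.fail_count = 0            # consecutive failed probes of primary
        self.ok_count = 0              # consecutive good probes of primary
        self.actions = []              # recorded (action, tunnel) pairs

    def _switch(self, target: str) -> None:
        # Disable the old tunnel first so both sites never see two
        # competing phase 1 definitions for the same peer at once.
        self.actions.append(("disable", self.active))
        self.actions.append(("enable", target))
        self.active = target

    def observe(self, primary_ok: bool, secondary_ok: bool = True) -> str:
        """Feed one probe round; returns the tunnel that should be active.

        If the secondary path is also unreachable, stay put: switching to
        a dead path gains nothing and would just churn the tunnels."""
        if primary_ok:
            self.fail_count = 0
            self.ok_count += 1
            if (self.active == self.secondary
                    and self.ok_count >= self.recover_threshold):
                self._switch(self.primary)
        else:
            self.ok_count = 0
            self.fail_count += 1
            if (self.active == self.primary
                    and self.fail_count >= self.fail_threshold
                    and secondary_ok):
                self._switch(self.secondary)
        return self.active


def run_sequence(results, **kwargs):
    """Replay a list of constructed primary probe results and return the
    monitor, so the active tunnel after each round can be inspected."""
    monitor = FailoverMonitor("vpn_wan1", "vpn_wan2", **kwargs)
    history = [monitor.observe(ok) for ok in results]
    return monitor, history


if __name__ == "__main__":
    # Constructed probe results: two brief blips, then a real outage,
    # then recovery of the remote WAN1 path.
    sample = [True, True, False, False, True,
              False, False, False,
              True, True, True, True, True]
    mon, hist = run_sequence(sample)
    for rnd, active in enumerate(hist, 1):
        print(f"round {rnd:2d}: active tunnel = {active}")
    print("actions:", mon.actions)
```

With the default thresholds the two-probe blip at rounds 3 and 4 is ignored, the three-probe outage at rounds 6 to 8 triggers the switch to `vpn_wan2`, and five clean rounds afterwards switch back to `vpn_wan1`. Lowering `fail_threshold` shortens the outage window at the cost of more flapping on a lossy link; the `secondary_ok` argument keeps the monitor from switching to a path that is itself down.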

Did you read the last post? You can use routed IPSec with GRE tunnel and BGP inside ...

Is there any documentation on how to do this or is it a figure it out on your own scenario?


Just play around with it, BGP is so flexible, there is no standard way