OPNsense Forum » English Forums » Virtual private networks
IPsec Site to Site - VPN Doesn't Switch WAN Interfaces On Failover
westadmin
on: September 14, 2022, 07:14:16 pm
I have a problem. I have a site-to-site configuration between an OPNsense router at my remote office and Corporate (SonicWall), using an IPsec tunnel I created between them.
I have been able to get about 90% of the way there, but I am not quite happy with the setup.
Background information:
I have successfully set up gateway failover so that when the primary WAN interface has enough dropped packets, it fails over. This works just fine.
IPsec:
Phase 1 of the IPsec site-to-site tunnel is set up against an interface of ANY. In my mind, it would make more sense to have the gateway group be an option, but presently that option is not available in the dropdown.
Testing procedure:
Run tracert from the OPNsense router to confirm WAN traffic is using the primary WAN interface.
Run a VPN test by reaching out to a corporate resource from a local computer behind the OPNsense router.
Unplug the primary WAN interface from the OPNsense router, simulating an ISP outage.
Confirm the Internet is working on a workstation.
Run a second tracert to confirm new traffic is leaving via the WAN2 port.
WAN2 TEST SUCCESSFUL
Test VPN traffic by reaching out to a corporate network resource.
VPN TEST FAILS
Wait a minute or two: the VPN on the corporate side finally shows as disconnected.
Multipart Troubleshooting
I tried all of the following and got these results:
Cycle the VPN on the corporate router side.
Restart the IPsec service on OPNsense.
Change IPsec Phase 1 to the WAN2 interface instead of ANY.
Restart the IPsec service on OPNsense.
Result: VPN COMES BACK UP USING SECONDARY
In my eyes, since the IPsec site-to-site tunnel works and WAN failover works, there must be something I am missing to help the two tunnels recognize that the primary WAN interface is down and retry using the WAN2 interface as the target.
The corporate router is a SonicWall, and we have set up SonicWall-to-SonicWall failover in the past, which works great. The WAN2 interface is using dynamic DNS, and I have confirmed that to be working as expected as well. The secondary target in the SonicWall's VPN site-to-site configuration is the dynamic DNS host address, which works as expected during the testing I mentioned above.
Last Edit: September 14, 2022, 11:28:11 pm by westadmin
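The symptom in the post is an IKE SA that stays bound to the WAN1 address after the default route has moved to WAN2, so tunnel traffic keeps failing until IPsec is restarted. The script below is an added example, not code from the post, from OPNsense or from strongSwan: it parses the text output of the three commands you would run on the firewall (`route -n get default`, `ifconfig`, `swanctl --list-sas`) and reports whether the SA's local address still matches the address of the current egress interface. The connection name `corp`, the interface names `igb0`/`igb1` and the command outputs are constructed (documentation addresses) so the check runs offline; on a real box, replace the sample variables with the live command output.

```shell
#!/bin/sh
# Added example: detect an IKE SA left on the old WAN after gateway failover.
# The sample outputs below are constructed to match the format of
# `route -n get default`, `ifconfig` and `swanctl --list-sas` on OPNsense.

# Constructed: default route before (WAN1 = igb0) and after (WAN2 = igb1) failover.
ROUTE_BEFORE='   route to: default
destination: default
    gateway: 203.0.113.1
  interface: igb0
      flags: <UP,GATEWAY,DONE,STATIC>'
ROUTE_AFTER='   route to: default
destination: default
    gateway: 198.51.100.1
  interface: igb1
      flags: <UP,GATEWAY,DONE,STATIC>'

# Constructed: both WAN interfaces are up with their own addresses.
IFCONFIG='igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 203.0.113.10 netmask 0xffffff00 broadcast 203.0.113.255
    status: active
igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 198.51.100.10 netmask 0xffffff00 broadcast 198.51.100.255
    status: active'

# Constructed: the IKE SA for connection "corp" is still bound to the WAN1 address.
SAS_STALE="corp: #3, ESTABLISHED, IKEv2, 0123456789abcdef_i* fedcba9876543210_r
  local  '203.0.113.10' @ 203.0.113.10[4500]
  remote 'vpn.example.com' @ 192.0.2.40[4500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 1800s ago, rekeying in 12600s"

# Interface named on the "interface:" line of `route -n get` output.
egress_iface() {
    printf '%s\n' "$1" | awk '$1 == "interface:" { print $2; exit }'
}

# First IPv4 address of interface $1 in `ifconfig` output $2.
iface_addr() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /^[a-z]/                      { cur = $1; sub(/:$/, "", cur) }
        cur == want && $1 == "inet"   { print $2; exit }'
}

# Local IKE address of connection $1 in `swanctl --list-sas` output $2.
# Only the IKE-level "local <id> @ <addr>[port]" line has "@" as its third
# field; child SA "local <subnet>" lines are skipped by that check.
sa_local_addr() {
    printf '%s\n' "$2" | awk -v want="$1" '
        $1 == (want ":")                          { insa = 1; next }
        /^[a-z]/                                  { insa = 0 }
        insa && $1 == "local" && $3 == "@"        { a = $4; sub(/\[.*/, "", a); print a; exit }'
}

# Exit 0 when the SA's local address is the current egress address,
# 1 when the SA is stuck on the previous WAN (the post's failure mode).
sa_follows_egress() {
    conn="$1"; route_out="$2"; ifconfig_out="$3"; sas_out="$4"
    iface=$(egress_iface "$route_out")
    want=$(iface_addr "$iface" "$ifconfig_out")
    have=$(sa_local_addr "$conn" "$sas_out")
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# Usage against the constructed post-failover state.
if sa_follows_egress corp "$ROUTE_AFTER" "$IFCONFIG" "$SAS_STALE"; then
    echo "ok: IKE SA for corp is on the current egress interface"
else
    echo "stale: IKE SA for corp is not on the current egress interface; restart IPsec"
fi
```

Run periodically (or from a gateway-monitor hook) and act on the `stale` result; the same three parsers work on the live command output because they only look at the `interface:`, `inet` and `local ... @` fields.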