2 different IPsec on same WAN interface

Started by rl82, January 17, 2023, 02:19:43 PM

Hello,

maybe somebody has already implemented it.

I am going to build a second IPsec tunnel on the WAN interface by pointing to another remote endpoint in the same subnet as the first remote endpoint.
Is this technically possible?
How is the failover handled in this case?

Thanks in advance,

Kind Regards

Rocco

January 17, 2023, 02:42:21 PM #1 Last Edit: January 17, 2023, 02:44:36 PM by pmhausen
Short answer: no for the standard policy based connections.

Long answer: you can have as many tunnels as you like as long as the remote endpoints and the remote networks are different.

For "poor man's redundancy" you can of course define and configure a second tunnel with the same remote network and a different endpoint, but you cannot have both tunnels active at the same time. You can enable one and disable the other, then in case of failure manually switch.

This is for policy based connections.

In case of routed connections you can indeed have automatic failover but this requires a way more complex setup and the use of a dynamic routing protocol like OSPF. Plus the remote endpoints must support that, of course.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
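As an added illustration of the rule stated in the answer above (policy-based tunnels may coexist only while their remote networks do not overlap), here is a small planning check. It is not OPNsense or strongSwan code; the tunnel definitions, names and addresses are constructed samples, and the dictionary layout is an assumption made for this example.

```python
"""Check a planned set of policy-based IPsec tunnels for overlapping
remote networks (constructed example, not OPNsense code)."""
import ipaddress
from itertools import combinations

# Constructed sample of the case the thread ends up with: one WAN address,
# two remote endpoints, two distinct remote subnets.
PLANNED_TUNNELS = [
    {"name": "cloud-a", "remote_gw": "198.51.100.10", "remote_nets": ["10.10.0.0/16"]},
    {"name": "cloud-b", "remote_gw": "198.51.100.20", "remote_nets": ["10.20.0.0/16"]},
]

# Constructed sample of the "poor man's redundancy" case: the same remote
# network reachable behind two endpoints. Only one may be enabled at a time.
REDUNDANT_TUNNELS = [
    {"name": "site-primary", "remote_gw": "203.0.113.10", "remote_nets": ["10.30.0.0/24"]},
    {"name": "site-backup", "remote_gw": "203.0.113.11",
     "remote_nets": ["10.30.0.0/24", "10.31.0.0/24"]},
]


def find_conflicts(tunnels):
    """Return a list of (tunnel1, tunnel2, net1, net2) for every pair of
    tunnels whose remote traffic selectors overlap.

    Two active policy-based tunnels claiming the same remote prefix would
    both want to own the IPsec policy for that destination, which is exactly
    the situation the answer above says cannot be active simultaneously."""
    conflicts = []
    for t1, t2 in combinations(tunnels, 2):
        for n1 in t1["remote_nets"]:
            for n2 in t2["remote_nets"]:
                net1 = ipaddress.ip_network(n1, strict=True)
                net2 = ipaddress.ip_network(n2, strict=True)
                # Mixed IPv4/IPv6 selectors never overlap; skip the comparison.
                if net1.version == net2.version and net1.overlaps(net2):
                    conflicts.append((t1["name"], t2["name"], str(net1), str(net2)))
    return conflicts


def can_enable_together(tunnels):
    """True when every tunnel in the set may be active at the same time."""
    return not find_conflicts(tunnels)


if __name__ == "__main__":
    for label, tunnels in (("planned", PLANNED_TUNNELS), ("redundant", REDUNDANT_TUNNELS)):
        print(label, "ok" if can_enable_together(tunnels) else find_conflicts(tunnels))
```

Run it before enabling a new Phase 2 entry: an empty conflict list means the tunnels are independent, as in the two-subnet setup discussed later in this thread; a non-empty list names the pair that must be switched manually rather than enabled together.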

Thank you so much for your answer.
I have to revise my previous post, I apologize:
the 2 remote endpoints will have 2 different subnetworks.
So in this case the public WAN will point through 2 different IPsec tunnels to 2 different endpoints belonging to 2 different networks handled by a third cloud provider.
The only goal of this is to achieve failover/redundancy if the first tunnel is failing.
In this case, can the failover also only be handled manually?

Kind Regards

Rocco


If there's two different remote networks and two different endpoints just go ahead and configure two tunnels. They can both be active at the same time.

But how is this failover/redundancy? In my book that term means accessing the same resource via at least two different connections.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Thank you so much.
I meant failover.
If for example the first tunnel is failing, is there a way that OPNsense can handle it automatically? Or do you think it is not required for this specific case?
Thanks

It's not required. You will be able to reach remote network #1 through tunnel #1 and remote network #2 through tunnel #2. If one of the connections drops the other one is unaffected. They are not related or dependent on each other in any way.

Unless of course the disconnect is due to your OPNsense crashing ;)
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Thank you, much appreciated!

So basically I will try to use the WAN interface IP for pointing to 2 different remote endpoints in different subnets of the same cloud provider.
They should both work and no logical failover/HA task is required on the OPNsense side.