Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Virtual private networks
»
2 different IPsec on same WAN interface
« previous
next »
Print
Pages: [
1
]
Author
Topic: 2 different IPsec on same WAN interface (Read 1526 times)
rl82
Newbie
Posts: 29
Karma: 0
2 different IPsec on same WAN interface
«
on:
January 17, 2023, 02:19:43 pm »
Hello,
maybe somebody has already implemented it.
I am going to build a secondo ipsec tunnel on the wan interface by pointing to another remote endpoint of the same subnet of the first remote endpoint.
Is this technically possible?
how handling the failover in this case?
Thanks in advance,
Kind Regards
Rocco
Logged
Patrick M. Hausen
Hero Member
Posts: 6844
Karma: 575
Re: 2 different IPsec on same WAN interface
«
Reply #1 on:
January 17, 2023, 02:42:21 pm »
Short answer: no for the standard policy based connections.
Long answer: you can have as many tunnels as you like as long as the remote endpoints and the remote networks are different.
For "poor man's redundancy" you can of course define and configure a second tunnel with the same remote network and a different endpoint, but you cannot have both tunnels active at the same time. You can enable one and disable the other, then in case of failure manually switch.
This is for policy based connections.
In case of routed connections you can indeed have automatic failover but this requires a way more complex setup and the use of a dynamic routing protocol like OSPF. Plus the remote endpoimnts must support that, of course.
«
Last Edit: January 17, 2023, 02:44:36 pm by pmhausen
»
Logged
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
rl82
Newbie
Posts: 29
Karma: 0
Re: 2 different IPsec on same WAN interface
«
Reply #2 on:
January 17, 2023, 02:50:23 pm »
thank you so much for your answer.
I have to review my antecedent post, i apologize:
the 2 remote endpoints will have 2 different subnetworks.
so in this case the public wan will point trough 2 different ipsec tunnels to 2 different endpoints belonging to 2 different network handled by a third cloud provider.
the only goal of this is to achieve a failover/redundancy if first tunnel is failing.
In this case, the failover can handled also only manually?
Kind Regards
Rocco
Logged
Patrick M. Hausen
Hero Member
Posts: 6844
Karma: 575
Re: 2 different IPsec on same WAN interface
«
Reply #3 on:
January 17, 2023, 03:30:17 pm »
If there's two different remote networks and two different endpoints just go ahead and configure two tunnels. They can both be active at the same time.
But how is this failover/redundancy? In my book that term means accessing the same resource via at least two different connections.
Logged
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
rl82
Newbie
Posts: 29
Karma: 0
Re: 2 different IPsec on same WAN interface
«
Reply #4 on:
January 17, 2023, 04:39:32 pm »
thank you so much
i meant failover.
if for example the first tunnel is failing, there is a way that opnsense can handle it automatically? or you think it is not required for this specific case?
thanks
Logged
Patrick M. Hausen
Hero Member
Posts: 6844
Karma: 575
Re: 2 different IPsec on same WAN interface
«
Reply #5 on:
January 17, 2023, 04:46:23 pm »
It's not required. You will be able to reach remote network #1 through tunnel #1 and remote network #2 through tunnel #2. If one of the connections drops the other one is unaffected. They are not related or dependent on each other in any way.
Unless of course the disconnect is due to your OPNsense crashing
Logged
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
rl82
Newbie
Posts: 29
Karma: 0
Re: 2 different IPsec on same WAN interface
«
Reply #6 on:
January 17, 2023, 05:04:59 pm »
thank you.mich appreciated!
so basically i will try to use the wan interface ip for pointing 2 different remote endpoints in different subnets of same cloud provider.
they should work both and no logical failover/ha task is required on opnsense side.
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
Virtual private networks
»
2 different IPsec on same WAN interface