Author Topic: IPSec Site to Site Tunnel with HA  (Read 5426 times)

ying18

  • Newbie
  • Posts: 7
  • Karma: 0
IPSec Site to Site Tunnel with HA
« on: February 07, 2021, 02:09:46 pm »
I have 2 OPNSense appliances configured and running in HA mode. CARP / HA Failover / pfSync seem to be working fine, except for one thing. We have an IPSec tunnel to a remote site that needs to be re-established when the failover occurs. In our case, the IPSec tunnel does not re-establish (yes, IPSec is selected to sync and it appears to be working).

What I would expect is that the MASTER would connect to the tunnel and upon failover, the BACKUP would connect to the tunnel. But, what I see is that both the MASTER and the BACKUP are attempting to connect at the same time.

Are there any documents or sample configurations for this? I can't seem to find any and would like some assistance with this.

pmladenov

  • Newbie
  • Posts: 37
  • Karma: 1
Re: IPSec Site to Site Tunnel with HA
« Reply #1 on: February 23, 2021, 08:52:50 pm »
Hi ying18,

I saw similar behavior - although I've selected in Phase 1 the CARP logical interface, during failovers I can see both FWs are trying to use the physical IP address initially...
Also keep in mind that Dead Peer Detection is taking almost 3 minutes to detect a failure (despite what you've configured).
Probably the better approach here is to have 2 separate tunnels to both firewalls in the HA setup and not to rely on any timers.

mimugmail

  • Hero Member
  • Posts: 6488
  • Karma: 449
Re: IPSec Site to Site Tunnel with HA
« Reply #2 on: February 24, 2021, 06:33:13 am »
You have to select the VIP in the interface section of Phase1 and also be sure to tick "Disable MOBIKE" checkbox
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/

mnaim

  • Jr. Member
  • Posts: 50
  • Karma: 4
Re: IPSec Site to Site Tunnel with HA
« Reply #3 on: February 24, 2021, 05:29:13 pm »
I have the same problem: Interface - selected VIP, ticked Disable MOBIKE, still no connect.
On the status page, if I disconnect and reconnect the tunnel, it connects successfully.

mimugmail

  • Hero Member
  • Posts: 6488
  • Karma: 449
Re: IPSec Site to Site Tunnel with HA
« Reply #4 on: February 24, 2021, 05:35:43 pm »
Any logs?
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/

nzkiwi68

  • Full Member
  • Posts: 176
  • Karma: 17
Re: IPSec Site to Site Tunnel with HA
« Reply #5 on: April 28, 2021, 04:25:42 am »
There is a bug, fixed in 21.7 (due out in July 2021), whereby the auto WAN allow-IPsec firewall rules are not created for IPsec P1 tunnels which bind to a CARP address.

Write some manual WAN allow IPSEC rules or manually apply the patch.

Missing auto generated WAN firewall rules for permit IPsec when IPsec P1 using CARP address
https://github.com/opnsense/core/issues/4920

To manually apply this patch: SSH to your firewall, open a command prompt and run:
opnsense-patch 45b697f
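A quick way to confirm whether the allow rules described in this post are actually present for the CARP address, as an added example that is not from the thread or from the OPNsense project: the function below takes the text of the live pf ruleset (`pfctl -sr` on the firewall) and checks for inbound UDP/500 (IKE), UDP/4500 (NAT-T) and ESP rules whose destination is the VIP. The rule lines embedded here are constructed in pf's general syntax to make the script run stand-alone; the labels and exact wording OPNsense generates may differ, and the addresses are documentation ranges.

```shell
#!/bin/sh
# Added example, not OPNsense tooling: verify that a pf ruleset contains the
# three inbound IPsec allow rules for the CARP VIP a Phase 1 is bound to.
# Usage on a firewall:  check_ipsec_rules <VIP> "$(pfctl -sr)"
# Returns 0 when UDP/500, UDP/4500 and ESP are all allowed to the VIP,
# otherwise prints what is missing and returns 1.
check_ipsec_rules() {
    vip="$1"
    rules="$2"
    # Escape the dots so the VIP is matched literally, not as a wildcard.
    vip_re=$(printf '%s' "$vip" | sed 's/\./\\./g')
    missing=""
    printf '%s\n' "$rules" | grep -Eq "^pass in .*proto udp .* to $vip_re port = 500( |$)" \
        || missing="$missing udp/500(IKE)"
    printf '%s\n' "$rules" | grep -Eq "^pass in .*proto udp .* to $vip_re port = 4500( |$)" \
        || missing="$missing udp/4500(NAT-T)"
    printf '%s\n' "$rules" | grep -Eq "^pass in .*proto esp .* to $vip_re( |$)" \
        || missing="$missing esp"
    if [ -n "$missing" ]; then
        printf 'IPsec allow rules missing for %s:%s\n' "$vip" "$missing"
        return 1
    fi
    printf 'all inbound IPsec allow rules present for %s\n' "$vip"
    return 0
}

# Constructed sample rulesets (not real pfctl output) standing in for what
# `pfctl -sr` would print. 203.0.113.10 plays the CARP VIP, 203.0.113.11 the
# node's own WAN address, 198.51.100.2 the remote IPsec peer.
RULES_WITH_VIP='pass in quick on vtnet0 inet proto udp from 198.51.100.2 to 203.0.113.10 port = 500 keep state label "constructed: IPsec IKE"
pass in quick on vtnet0 inet proto udp from 198.51.100.2 to 203.0.113.10 port = 4500 keep state label "constructed: IPsec NAT-T"
pass in quick on vtnet0 inet proto esp from 198.51.100.2 to 203.0.113.10 keep state label "constructed: IPsec ESP"'

# Constructed ruleset where nothing is allowed to the VIP: the only IPsec rules
# point at the node's own address, so IKE to the VIP would be dropped after a
# failover. This is the situation the check is meant to surface.
RULES_PHYSICAL_ONLY='pass in quick on vtnet0 inet proto udp from 198.51.100.2 to 203.0.113.11 port = 500 keep state label "constructed: IPsec IKE"
pass in quick on vtnet0 inet proto esp from 198.51.100.2 to 203.0.113.11 keep state label "constructed: IPsec ESP"'

# Stand-alone demonstration on the constructed data.
check_ipsec_rules 203.0.113.10 "$RULES_WITH_VIP"
check_ipsec_rules 203.0.113.10 "$RULES_PHYSICAL_ONLY" || true
```

Run it on both HA nodes: the rules are generated per node, so a VIP that is covered on the MASTER can still be uncovered on the BACKUP, which is exactly the case that only shows up at failover time.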

iislas18

  • Newbie
  • Posts: 18
  • Karma: 0
Re: IPSec Site to Site Tunnel with HA
« Reply #6 on: August 23, 2021, 04:53:56 pm »
I updated to 21.1.7 and ran that patch. Before, I had 43 auto-generated rules (I have about 6 IPsec tunnels); after applying the patch I only have 1 auto-generated rule.

OPNsense is an OSS project © Deciso B.V. 2015 - 2023 All rights reserved