Topic: IPSec Tunnel with Dual WAN Failover GW_Group (Read 1373 times)
MGVaxx (Newbie, Posts: 2, Karma: 0)
IPSec Tunnel with Dual WAN Failover GW_Group « on: May 16, 2024, 10:25:26 pm »
Hello all,
Here's a scenario we are having difficulty with and looking for some insight on.
We have a client site with two WAN connections from different providers for redundancy. They are currently configured as WAN1 and WAN2 in a Failover Group - Failover_GW_Group. WAN1 is set as Tier 1 and WAN2 as Tier 2, as per the official OPNsense docs. The failover works as expected and switches the default gateway from WAN1 to WAN2 upon failure, and back to WAN1 when the connection is restored. We are using Default Gateway Switching.
All good so far.
However, the client also has an IPSec tunnel (legacy mode) to a cloud provider that we want to failover when the WAN connection changes. When setting up the Phase1 for the tunnel, the Interface options are WAN1, WAN2, LAN and ANY. We can successfully establish the tunnel choosing either WAN1 or WAN2, and it will connect and pass traffic using either interface, however it does not drop and re-establish itself when the WAN fails over. We thought using ANY was the next obvious option but the tunnel does not seem to connect at all.
We do not have control over the remote end of the tunnel, so suggestions such as building a second tunnel, etc., are not options.
We compared the setup to a working one using pfSense and noted that their IPSec setup allows you to select the GW Group as the interface in the Phase 1 setup, whereas OPNsense does not.
We've already committed to using OPNsense for a variety of reasons and would prefer to stay with it.
Any thoughts or suggestions would be most appreciated. Otherwise, is there a way to submit this as a feature request?
If anyone has gotten a legacy IPSec tunnel to automatically switch WAN connections with a failover group configuration and has some tips, many thanks in advance. Not hoping to reinvent the wheel here, just wondering if there's something obvious we have overlooked.
Cheers,
Mike
DanielD (Newbie, Posts: 1, Karma: 0)
Re: IPSec Tunnel with Dual WAN Failover GW_Group « Reply #1 on: June 09, 2024, 01:12:34 am »
I am also struggling with this. Can a developer please add Gateway Groups (for failover) to be selectable as the interface for IPSec tunnels. Thanks.
MGVaxx (Newbie, Posts: 2, Karma: 0)
Re: IPSec Tunnel with Dual WAN Failover GW_Group « Reply #2 on: September 12, 2024, 10:47:47 pm »
I must assume nobody has ever done this and got it working?
I just need an IPSec tunnel to tear down and re-establish itself when the default gateway changes as a result of WAN failover. The current setup doesn't seem to allow that, unless I am missing something obvious here?
infinisean (Newbie, Posts: 2, Karma: 0)
Re: IPSec Tunnel with Dual WAN Failover GW_Group « Reply #3 on: October 06, 2024, 07:01:58 pm »
The obvious answer that you are missing is that you can't do that.
The remote side has to have a "remote-peer" IP configured which it connects to. When that ISP goes down, the WAN interface with the "remote-peer" goes down, so any tunnels which connect to it go down as well.
The answer is to have a second tunnel configured to point to the "remote peer" IP of the second ISP's WAN interface.
That way when the first ISP / Interface goes down, and the tunnel along with it, the secondary tunnel will become the new route to your LAN subnet.