
Author Topic: IPSec Site to Site Tunnel with HA  (Read 16446 times)

jp_rae

IPSec Site to Site Tunnel with HA
« on: September 21, 2020, 11:00:31 pm »
I have 2 OPNsense appliances configured and running in HA mode. CARP / HA Failover / pfSync seem to be working fine, except for one thing. We have an IPSec tunnel to a remote site that needs to be re-established when the failover occurs. In our case, the IPSec tunnel does not re-establish (yes, IPSec is selected to sync and it appears to be working).

What I would expect is that the MASTER would connect to the tunnel and upon failover, the BACKUP would connect to the tunnel. But, what I see is that both the MASTER and the BACKUP are attempting to connect at the same time.

Are there any documents or sample configurations for this? I can't seem to find any and would like some assistance with this.

mimugmail

Re: IPSec Site to Site Tunnel with HA
« Reply #1 on: September 22, 2020, 09:22:08 am »
In Phase1 set the option "Disable MOBIKE".
MOBIKE will try to keep the tunnel open, even when the IP switches over.
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/

jp_rae

Re: IPSec Site to Site Tunnel with HA
« Reply #2 on: September 22, 2020, 07:02:46 pm »
I will try that and let you know what happens.

jp_rae

Re: IPSec Site to Site Tunnel with HA
« Reply #3 on: September 23, 2020, 03:53:08 pm »
This did not work. Both nodes are coming up and trying to connect to the IPSEC tunnel. That is not what should be happening.

mimugmail

Re: IPSec Site to Site Tunnel with HA
« Reply #4 on: September 23, 2020, 08:12:01 pm »
Screenshot of Phase1 please

jp_rae

Re: IPSec Site to Site Tunnel with HA
« Reply #5 on: September 24, 2020, 02:21:19 am »
Here you go.

mimugmail

Re: IPSec Site to Site Tunnel with HA
« Reply #6 on: September 24, 2020, 05:47:46 am »
Interface in Phase1 needs to be a CARP IP.

jp_rae

Re: IPSec Site to Site Tunnel with HA
« Reply #7 on: September 25, 2020, 03:54:01 am »
Thank you. That seems to have solved the problem. For whatever reason, the CARP address was not selectable when we created the tunnel. But, it was there when I went to edit it.

Thanks