IPsec Failover project...

[jorgevisentini]

Hello everyone.

I want very much to have the IPsec failover feature as well as multiple enterprise distributions have it.

I believe this is a very important and excencial feature that would cause the OPNsense stay above the other opensource market distros.

I do not know if the development staff is already thinking about implementing ...

I know that it is an advanced resource and very complicated to implement, but I am willing to participate in some project, since I really need this functionality ...

How can we start such a project? If there is anyone else interested, it would be better.

Thank you all!

[franco]

Hi Jorge,

Most certainly this would be good to have.

I'll try to get a bit of feedback from our IPsec experts. Some use some form of failover already, but I remember you wanted to do state sync as well?

In the end it's all about minimum shippable improvements. We have to set a few goals and work on them one after the other to prevent a huge project that never gets finished.

Can you detail your ideas a bit to see where we can break it down into small gradual improvements?


Cheers,
Franco

[mimugmail]

Hi,

what exactly to you expect OPN to do for IPSEC HA?

I'm very experienced in Sophos and ASA, but they don't have predefined HA setups, especially when it comes to IKEv1.

Please have a look at: https://forum.opnsense.org/index.php?topic=5547.0
"ipsec: IKEv2 can handle multiple phase 1 with the same IP"

I'm using this feature with ASA in order to handle SAs based on the key-id field to separate connections. This would allow you to failover to X backup interfaces.

Perhaps this already fits you needs and just need some documentation

[jorgevisentini]

Hi.

Thank you for your attention!

I'm not talking about complete HA, this OPNsene already has via the CARP protocol.

What I am saying is this, although the idea is very simple, I believe that logic and development involve a lot of knowledge.

Let's say that both the head office and branch office have two links to the internet.

I would very much like to be able to create an IPsec failover that does the following:

If one of the links falls, IPsec or routing migrates to the other tunnel and vice versa, and for that we have some options.

For example:

1 - I have two IPsec tunnels, one in standbay in case the main tunel falls, the second assumes.

2 - I have two tunnels and the two become active, and what controls is the routing with metrics.

I think it's like a Wan Failover Group, but with IPsec.

[mimugmail]

1) This would require to have a standby host which has to be implemented by Ad I'd guess

2) Works only with if_ipsec and Quagga inside, I don't know if this is possible withing 17.7 or 18.1


ATM it only works with IKEv2 and redundant uplinks on the client side.

[jorgevisentini]

Mimugmail, I do not think I understand...

I believe I do not need another host, just two valid IPs for internet connection and yes, I would need to "know" the other guess.

I say this on the basis of having two OPNsenses, nor do I even think about doing this redundancy with another vendor.

This already exists with Sophos, Fortinet, Watchguard...

Ah and this configuration in Sohpos for example is create with IKEv1.

[mimugmail]

You did it with Sophos and Uplink Interfaces? Does this work stable? I tried it some time ago but wasn't working as expected.

[jorgevisentini]

Yes, it works perfectly.
There is only a minimal loss of packets in time that there is link loss, IPsec key exchange ... but on average it loses around 10~15 packets until the link goes up and everything is functional. It works automatically.

I tested both with Sophos UTM and XG, and Fortinet.

[mimugmail]

Ok, but this means we have to use if_ipsec which is currently not supported.

[whitwye]

Please have a look at: https://forum.opnsense.org/index.php?topic=5547.0
"ipsec: IKEv2 can handle multiple phase 1 with the same IP"

I'm using this feature with ASA in order to handle SAs based on the key-id field to separate connections. This would allow you to failover to X backup interfaces.

Perhaps this already fits you needs and just need some documentation

What would a rough sketch of the documentation look like? Whether or not this fits the OP's needs, it should fit mine, I think.

[jorgevisentini]

Ok, but this means we have to use if_ipsec which is currently not supported.

I know.
But this functionality is not specific to StrongSwan, it does not have failover, we can read in its documentation.
This is a functionality implemented in the specific part of each product. Each one implements its logic and works together with Strongswan, Libreswan...

[jorgevisentini]

Please have a look at: https://forum.opnsense.org/index.php?topic=5547.0
"ipsec: IKEv2 can handle multiple phase 1 with the same IP"

I'm using this feature with ASA in order to handle SAs based on the key-id field to separate connections. This would allow you to failover to X backup interfaces.

Perhaps this already fits you needs and just need some documentation

What would a rough sketch of the documentation look like? Whether or not this fits the OP's needs, it should fit mine, I think.

I did not read the documentation but a think that this feature is for create two or more tunnels with one IP only. I just think...

[mimugmail]

Ok, but this means we have to use if_ipsec which is currently not supported.

I know.
But this functionality is not specific to StrongSwan, it does not have failover, we can read in its documentation.
This is a functionality implemented in the specific part of each product. Each one implements its logic and works together with Strongswan, Libreswan...

For each client with dynamic IP you set an own P1 with 0.0.0.0 as remote IP. Then you can separate with key-id, DN , whatever client supports.

[mimugmail]

Ok, but this means we have to use if_ipsec which is currently not supported.

I know.
But this functionality is not specific to StrongSwan, it does not have failover, we can read in its documentation.
This is a functionality implemented in the specific part of each product. Each one implements its logic and works together with Strongswan, Libreswan...

Libreswan has it's own interface support (software), and FreeBSD introduced with 11.0 if_ipsec (OS). Don't know how exactly Sophos does it, they also use strongswan, but the old version 4 (no IKEv2!!!). Also ASA e.g. introduced route based VPN very late.

[mimugmail]

I see this one timely more realistic (OPN to OPN):
https://github.com/opnsense/core/issues/952