Multi-Wan VPN Failover

Started by kapara, May 16, 2018, 02:02:43 AM

I am on the fence now with which solution to go with.  With pfsense soon to lose support of development due to moving to their new product I am hoping that Opnsense will be able to fulfill a feature I am needing desperately.

Multiwan failover VPN

I am currently looking at Sophos as this product can provide the feature that I need.  It is able to be installed as a VM and can handle VPN failover (This is the most important).

I have a firewall in a datacenter with a high availability connection but at the remote site (Office) I have 2 different ISP's providing connection and need the firewall in the remote office to be able to failover to the secondary connection in the event that the primary tunnel goes down.

Is this possible with OPNsense yet?  I have seen several posts that discuss this but nothing concrete as to whether it is now a fully supported and production feature or not.


Are there any tutorials for this kind of setup?

You can set multiple remote IPs in client mode


docs.opnsense.org

Test Site2Site and Client VPN; when you have earned some experience, set Interface on the server to any and on the client multiple remotes.
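As an added illustration of the directives behind that advice (not a config from the original post or from OPNsense itself; the host names, port and certificate paths are assumptions), here is what the client and server sides of such a setup look like at the OpenVPN configuration level. OPNsense writes an equivalent file from its GUI fields; what matters for failover is the list of remotes, the keepalive that detects a dead path, and on the server the absence of a fixed listen address plus `float` so a client arriving from a new source address keeps its session:

```conf
##### Client side: site with two ISPs #####
client
dev tun
proto udp
# Every address the server is reachable on, tried in order; the next one is
# used when the current one fails (omit remote-random to keep this order).
remote vpn-a.example.net 1194
remote vpn-b.example.net 1194
# Keep retrying name resolution and connection instead of giving up.
resolv-retry infinite
connect-retry 5
# Do not bind to a fixed local address/port, so a reconnect can leave
# through whichever WAN the firewall's routing (gateway group) now prefers.
nobind
# Ping every 10 s; restart the tunnel after 60 s without a reply.
# The restart is what makes the client re-establish over the surviving link.
keepalive 10 60
persist-key
persist-tun
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/office.crt
key  /etc/openvpn/office.key
verb 3

##### Server side: datacenter #####
# No "local" directive: listen on all interfaces ("Interface: any" in the GUI).
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
# Accept packets from an authenticated peer whose source IP changed,
# e.g. a client that just moved from ISP 1 to ISP 2.
float
keepalive 10 60
persist-key
persist-tun
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh.pem
verb 3
```

The two `remote` lines cover the case where the server side has more than one address; for the poster's scenario (single HA server, dual-WAN client) it is `keepalive` plus `nobind` on the client and `float` on the server that let the tunnel come back through the second ISP without manual intervention.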

Is this possible with IPsec as well? I guess in a way it must be, since Sophos seems to provide that, but I have (and want) to stay with our OPNsense boxes. Setup see below. Currently this setup is running without the HA-2 part and switch, with an IPsec VPN in between HA-1 and FW-3. I was just wondering if I could make the failover happen without putting another box in that serves as a pppoe endpoint for site 1.


                                                               site 1 #                      #  site 2
            |---[ HA-1 ]---pppoe1---|                                 #                      #
{ LAN-1 }---|       |               |---[ switch ]---[ eth to opt ]---#---[ pppoe server ]---#---pppoe3---[ DSL modem ]---[ FW-3 ]---{ LAN-2 }
            |---[ HA-2 ]---pppoe2---|                                 #                      #

Sophos does this with a lot of scripting .. so in theory it can work if you port all the scripting logic to here, but ATM no one has the time to start this.

With OpenVPN it's no problem .. so why invest so much time in there ..

Well, for me it's because all other VPNs we have are IPsec based and I'd rather stay with one solution. It's not all OPNsense yet either. And in this case it's much easier to just add a new pppoe endpoint instead of switching everything to OpenVPN, although I would have liked to skip having to use (and secure) another device.
In general, as far as I remember, someone might want that because IPsec has more features than OpenVPN, although it sure can be a real pain to work with sometimes.

Really hoping someone can get this to work.  Is a bounty possible?  I think we would see a much higher adoption rate if this was supported.  I understand that OpenVPN can work, but many companies I work with, including financial ones, absolutely do not support OpenVPN, so if you are just trying to do tunnels between your own locations this is ok, but if you want to establish tunnels with larger companies OPNsense is out of the question.

Every major firewall provider supports IPSEC failover.

Cisco
Fortigate
Sonicwall
Sophos
And the list continues

And all these cost license fees to feed their developers. You can always ask Deciso guys for paid development.

We (my employer) already sponsored 2 major features in the past.

That is what I am referring to, but with pfSense it was a bounty and users were able to chip in together to fund it rather than a single entity.  First, I am not sure what the cost would be to do this, and second, I most likely would not be able to afford it.  It would probably be cheaper to switch to Sophos than to fund it, but if there was a large community interest the cost would be dispersed across the community that wanted the feature.

The first step would be to search the open feature requests on GitHub; if there is one, join in, if not, create a new one.

I just noticed that Phase 1 of IPsec has an option I have not seen before.

Dynamic Gateway:  Allow any remote gateway to connect.

I am interested in this for remote sites that have 2 static IP with dual wan that need to connect to my datacenter OPNsense firewall.  Data center does not need dual.

Is there any documentation about implementing a VPN with this option?

Also this might be a moot point if I can use a distinguished name instead of an IP address and assign firewall.domain.com as the A record for both static IP addresses?  If WAN 1 goes down and WAN 2 comes up, since it has the same A record, all will be good?  Would I need to assign the interface to a gateway group?


For example, can I use this example in the photo for the location with dual static IPs?  The gateway group is set up as Comcast Primary and ATT Secondary as a failover group.  I can create an A record for both gateway IPs so that they are both firewall.domain.com