Simple VPN failover between pfSense and EdgeOS
I recently started testing a simple setup for VPN failover. It’s been working well so far.
The scenario:
- Several branch offices connect to a central office by IPsec VPN.
- Each branch office has a single Internet connection and a Ubiquiti EdgeRouter.
- The central office has two Internet connections from two providers, each with its own provider-owned public IP address.
- The central office terminates its Internet connections and VPNs in a pfSense box.
The goal:
- If one of the central office Internet connections goes down, the branch offices should fail over their VPNs to the central office’s other Internet connection.
- Don’t resort to GRE tunnels and routing protocols.
Both pfSense and EdgeOS use strongSwan for IPsec (IKEv2).
On the central office pfSense box:
- Create a “gateway group” that includes both Internet connections.
- In the IPsec config for each tunnel, set the “Interface” to the gateway group.
- Enable MOBIKE. (I think strongSwan enables MOBIKE by default, but pfSense disables it by default.)
On the branch office EdgeRouters:
ubnt@branch-office:~$ configure
ubnt@branch-office# set vpn ipsec site-to-site peer 198.51.100.37,203.0.113.204 authentication mode pre-shared-secret
ubnt@branch-office# set vpn ipsec site-to-site peer 198.51.100.37,203.0.113.204 authentication pre-shared-secret *************************
ubnt@branch-office# set vpn ipsec site-to-site peer 198.51.100.37,203.0.113.204 connection-type initiate
ubnt@branch-office# set vpn ipsec site-to-site peer 198.51.100.37,203.0.113.204 ike-group FOO0
ubnt@branch-office# set vpn ipsec site-to-site peer 198.51.100.37,203.0.113.204 ikev2-reauth inherit
ubnt@branch-office# set vpn ipsec site-to-site peer 198.51.100.37,203.0.113.204 local-address 192.0.2.173
ubnt@branch-office# set vpn ipsec site-to-site peer 198.51.100.37,203.0.113.204 tunnel 1 allow-nat-networks disable
ubnt@branch-office# set vpn ipsec site-to-site peer 198.51.100.37,203.0.113.204 tunnel 1 allow-public-networks disable
ubnt@branch-office# set vpn ipsec site-to-site peer 198.51.100.37,203.0.113.204 tunnel 1 esp-group FOO0
ubnt@branch-office# set vpn ipsec site-to-site peer 198.51.100.37,203.0.113.204 tunnel 1 local prefix 10.0.6.0/24
ubnt@branch-office# set vpn ipsec site-to-site peer 198.51.100.37,203.0.113.204 tunnel 1 remote prefix 10.0.0.0/24
ubnt@branch-office# commit
ubnt@branch-office# save
With this setup, VPN failover occurs automatically, though not always instantly. Failover takes somewhere between a couple of seconds and ten minutes after pfSense downs the primary interface in the gateway group. I’m not sure what accounts for the delay.
The only bit of weirdness I’ve noticed is that the EdgeRouter web GUI’s “Config Tree” gets confused about having two addresses in “vpn → ipsec → site-to-site → peer”, but this doesn’t seem to actually hurt anything.
As of this writing, the branch office EdgeRouters run EdgeOS 2.0.8, which includes strongSwan 5.6.3. The central office box runs pfSense 2.4.4-RELEASE-p3, which includes strongSwan 5.7.1.
I’d feel more confident about this setup if strongSwan included the right=x.x.x.x,y.y.y.y syntax among their numerous configuration examples.
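For readers who want to see that syntax spelled out, here is the branch-office peer configuration above expressed in classic strongSwan ipsec.conf terms. This is an added example, not from the original post or from the strongSwan project; the addresses and prefixes are the post’s documentation values, the pre-shared secret is a placeholder, and the IKE/ESP proposals behind the FOO0 groups are not shown in the post, so none are set here and strongSwan’s defaults apply.

```ini
# /etc/ipsec.conf (added example, not from the original post)
config setup

conn central-office
    keyexchange=ikev2
    # Both central-office WAN addresses, comma-separated. The branch router
    # initiates to the first one and accepts either as the peer.
    right=198.51.100.37,203.0.113.204
    rightsubnet=10.0.0.0/24
    left=192.0.2.173
    leftsubnet=10.0.6.0/24
    authby=secret
    # MOBIKE is on by default in strongSwan; pfSense turns it off unless enabled.
    mobike=yes
    # Dead peer detection is what triggers the failover: when the current
    # address stops answering, the IKE SA is torn down and re-initiated.
    dpdaction=restart
    dpddelay=30s
    auto=start

# /etc/ipsec.secrets (added example; placeholder secret, replace before use)
# selectors: local address, then both remote addresses
192.0.2.173 198.51.100.37 203.0.113.204 : PSK "REPLACE_WITH_REAL_SECRET"
```

To confirm which central-office address the tunnel is currently up against, `ipsec statusall` (or `swanctl --list-sas` on the swanctl-based interface) shows the remote address of the established IKE SA; checking it before and after downing the primary gateway is a quick way to measure the failover delay described above.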
I asked about it on the strongSwan IRC channel, but didn’t get any replies.
#vpn #pfsense #edgeos