paulgorman.org

Simple VPN failover between pfSense and EdgeOS

I recently started testing a simple setup for VPN failover. It’s been working well so far.

The scenario:

The goal:

[Network diagram: the central office (pfSense, LAN 10.0.0.0/24) has two WAN addresses, 198.51.100.37 and 203.0.113.204. Branch office 1 (EdgeOS, WAN 192.0.2.173, LAN 10.0.6.0/24) and branch office 2 (EdgeOS, WAN 192.0.2.208, LAN 10.0.99.0/24) each connect to both central-office WAN addresses: 198.51.100.37 (drawn as a solid line) and 203.0.113.204 (drawn as a dashed line).]

Both pfSense and EdgeOS use strongSwan for IPsec (IKEv2).

On the central office pfSense box:

On the branch office EdgeRouters:

ubnt@branch-office:~$ configure
ubnt@branch-office# set vpn ipsec site-to-site peer 198.51.100.37,203.0.113.204 authentication mode pre-shared-secret
ubnt@branch-office# set vpn ipsec site-to-site peer 198.51.100.37,203.0.113.204 authentication pre-shared-secret *************************
ubnt@branch-office# set vpn ipsec site-to-site peer 198.51.100.37,203.0.113.204 connection-type initiate
ubnt@branch-office# set vpn ipsec site-to-site peer 198.51.100.37,203.0.113.204 ike-group FOO0
ubnt@branch-office# set vpn ipsec site-to-site peer 198.51.100.37,203.0.113.204 ikev2-reauth inherit
ubnt@branch-office# set vpn ipsec site-to-site peer 198.51.100.37,203.0.113.204 local-address 192.0.2.173
ubnt@branch-office# set vpn ipsec site-to-site peer 198.51.100.37,203.0.113.204 tunnel 1 allow-nat-networks disable
ubnt@branch-office# set vpn ipsec site-to-site peer 198.51.100.37,203.0.113.204 tunnel 1 allow-public-networks disable
ubnt@branch-office# set vpn ipsec site-to-site peer 198.51.100.37,203.0.113.204 tunnel 1 esp-group FOO0
ubnt@branch-office# set vpn ipsec site-to-site peer 198.51.100.37,203.0.113.204 tunnel 1 local prefix 10.0.6.0/24
ubnt@branch-office# set vpn ipsec site-to-site peer 198.51.100.37,203.0.113.204 tunnel 1 remote prefix 10.0.0.0/24
ubnt@branch-office# commit
ubnt@branch-office# save

With this setup, VPN failover occurs automatically, though not always instantly. Failover takes somewhere between a couple of seconds and ten minutes after pfSense downs the primary interface in the gateway group. I’m not sure what accounts for the delay.
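To put a number on that delay, here is an added example (not from the original post) of a small Python helper that can be run on the branch router: it parses strongSwan's `ipsec status` output and reports when the established IKE_SA's remote address switches from one central-office WAN address to the other. The connection name `peer-central-tunnel-1`, the snapshot timestamps and the status text below are constructed for the example; on a live router the snapshots would come from polling `sudo ipsec status`.

```python
import re
from datetime import datetime, timedelta

# Matches a charon "ipsec status" IKE_SA line, e.g.
#   conn[3]: ESTABLISHED 12 seconds ago, 192.0.2.173[192.0.2.173]...198.51.100.37[198.51.100.37]
IKE_SA_RE = re.compile(
    r"^\s*(?P<conn>\S+)\[(?P<id>\d+)\]:\s+(?P<state>[A-Z_]+)"
    r"(?:\s+(?P<age>.+?)\s+ago)?,\s+(?P<local>[^\[\s]+)\[[^\]]*\]\.\.\."
    r"(?P<remote>[^\[\s]+)\[[^\]]*\]"
)

def active_peer(status_text):
    """Return the remote address of the first ESTABLISHED IKE_SA, or None if the tunnel is down."""
    for line in status_text.splitlines():
        m = IKE_SA_RE.match(line)
        if m and m.group("state") == "ESTABLISHED":
            return m.group("remote")
    return None

def failover_events(samples):
    """samples: list of (datetime, status_text) snapshots in polling order.
    Returns (detected_at, old_peer, new_peer, seconds_from_loss_to_recovery) per peer switch."""
    events, prev_peer, lost_at = [], None, None
    for ts, text in samples:
        peer = active_peer(text)
        if peer is None:
            lost_at = lost_at or ts          # remember when the tunnel first went down
            continue
        if prev_peer is not None and peer != prev_peer:
            start = lost_at if lost_at is not None else ts
            events.append((ts, prev_peer, peer, (ts - start).total_seconds()))
        prev_peer, lost_at = peer, None
    return events

# Constructed snapshots: tunnel up to 198.51.100.37, down for a while, then up to 203.0.113.204.
UP_PRIMARY = """Security Associations (1 up, 0 connecting):
   peer-central-tunnel-1[1]: ESTABLISHED 42 minutes ago, 192.0.2.173[192.0.2.173]...198.51.100.37[198.51.100.37]
   peer-central-tunnel-1{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1a2b3d4_i e5f6a7b8_o
   peer-central-tunnel-1{1}:   10.0.6.0/24 === 10.0.0.0/24
"""
DOWN = "Security Associations (0 up, 0 connecting):\n"
UP_BACKUP = """Security Associations (1 up, 0 connecting):
   peer-central-tunnel-1[2]: ESTABLISHED 3 seconds ago, 192.0.2.173[192.0.2.173]...203.0.113.204[203.0.113.204]
   peer-central-tunnel-1{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: 09876543_i 21436587_o
   peer-central-tunnel-1{2}:   10.0.6.0/24 === 10.0.0.0/24
"""
T0 = datetime(2020, 1, 1, 12, 0, 0)
SAMPLES = [(T0, UP_PRIMARY), (T0 + timedelta(seconds=30), DOWN),
           (T0 + timedelta(seconds=60), DOWN), (T0 + timedelta(seconds=90), UP_BACKUP)]

if __name__ == "__main__":
    for when, old, new, delay in failover_events(SAMPLES):
        print(f"{when:%H:%M:%S} failover {old} -> {new}, tunnel was down about {delay:.0f}s")
```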

The only bit of weirdness I’ve noticed is that the EdgeRouter web GUI’s “Config Tree” gets confused about having two addresses in “vpn → ipsec → site-to-site → peer”, but this doesn’t seem to actually hurt anything.

As of this writing, the branch office EdgeRouters run EdgeOS 2.0.8, which includes strongSwan 5.6.3. The central office box runs pfSense 2.4.4-RELEASE-p3, which includes strongSwan 5.7.1.

I’d feel more confident about this setup if strongSwan included the right=x.x.x.x,y.y.y.y syntax among their numerous configuration examples. I asked about it on the strongSwan IRC channel, but didn’t get any replies.

#vpn #pfsense #edgeos
