[pfSense] Layer 2 and IPSec Priority
athompso at athompso.net
Tue Feb 28 15:29:00 EST 2012
There is a fairly obvious, yet complex, way to do this. The problem is that you now need three routers on each side: one each to handle IPSEC traffic over commodity-provider-X, one each to handle the dedicated L2 link, and one to be the default gateway and learn routes from the two border routers. If you already have a core router, it can be the third router – no need for it to be pfSense.
This can be simplified down to two routers on each end, but I don’t know of a way to accomplish IPSEC failover without using an L3 routing protocol to detect the failure. (OSPF should be possible, otherwise use iBGP with custom timers.) The fact that IPSEC processing happens before normal route processing means that it cannot all be done in one pfSense router at each end of the link.
Obviously, this is not a good solution for most people.
athompso at athompso.net
From: list-bounces at lists.pfsense.org [mailto:list-bounces at lists.pfsense.org] On Behalf Of Nicolas Bélan
Sent: Tuesday, February 28, 2012 9:54 AM
To: pfSense support and discussion
Subject: Re: [pfSense] Layer 2 and IPSec Priority
Your problem is a common one, and it is not as simple as you may think.
From a router's point of view, IPSec routing happens before "interface" routing, and it is not displayed in the routing table.
So a packet passing through the kernel is handled by the IPSec stack.
If you have an IPSec policy (up or down) which matches, the packet is sent through IPSec.
If not, it is sent through the "classical" network.
If your IPSec link is down (but configured), the packet is not forwarded (it is sent to /dev/null).
1) You have to make good phase 2 policies, in which you exclude the Layer 2 traffic.
You may also try policy-based routing on pfSense to force a gateway (I used to do that). Google it; there are many tutorials on that cool feature.
2) On IPSec, you may use DPD (dead peer detection) and use the "ping" box to ensure continuous testing of IPSec.
I have not found any way to have a backup IPSec link when a L2 link is down.
On 21/02/2012 22:47, Ron Lemon wrote:
I have a 2.0 and 1.3 pfSense firewall (one in each of 2 buildings) and these are joined via an IPSec link. We now have a layer 2 connection between them as well. If the IPSec link is disabled on both sides, traffic traverses the Layer 2 link (which is good). So here are my questions.
1. How can I make some of the traffic (backups, for example) always use the layer 2 link and never use the IPSec link (layer 2 has no usage counter; IPSec does)? This would also mean both sets of traffic would flow faster because of no competition from the other data. It seems the IPSec link has a higher priority than the layer 2 link, which I can’t seem to find or alter.
2. If only one side of the IPSec tunnel goes down, the traffic coming from the side that is up still tries (unsuccessfully) to use the IPSec link. Traffic on the side with the failed or disabled IPSec link correctly goes to the layer 2 link (how can I get both sides to recognize the link is down?). Right now, if my WAN link on one side fails, I can send traffic from this site to the other but not the reverse.
I am guessing both answers are probably fairly obvious which is why I can’t see them for looking.
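The behaviour the replies above describe (the IPsec SPD is consulted before the routing table, so a matching phase 2 entry wins even when a static route exists, and a matching-but-down tunnel blackholes the packet instead of falling back to the Layer 2 route) is easy to reason about with a small model. The following is an added example written for this page, not code from the original thread or from pfSense itself. It models the packet decision and then shows the fix Nicolas suggests: carving the phase 2 selector so the backup host is left out and therefore follows the ordinary routing table over the L2 link. The addresses, the gateway labels ("wan", "l2_link") and the backup server 10.2.0.50 are constructed for the example.

```python
"""Toy model of the IPsec-before-routing decision discussed in the thread,
plus a helper that carves a backup host out of a phase 2 selector.
Illustrative only: addresses and gateway labels are made up, and nothing
here touches a real pfSense box."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Phase2:
    """One IPsec phase 2 entry: an SPD selector (local net <-> remote net)."""
    local: IPv4Net
    remote: IPv4Net


@dataclass(frozen=True)
class Route:
    prefix: IPv4Net
    gateway: str   # label for the next hop, e.g. "wan" or "l2_link"


# Constructed topology (assumption): site A is 10.1.0.0/24, site B is
# 10.2.0.0/24, the backup server at site B is 10.2.0.50, and a static route
# for site B points at the Layer 2 link.
SITE_A = ipaddress.ip_network("10.1.0.0/24")
SITE_B = ipaddress.ip_network("10.2.0.0/24")
BACKUP_SERVER = ipaddress.ip_network("10.2.0.50/32")

ROUTES = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "wan"),
    Route(SITE_B, "l2_link"),          # static route for site B over the L2 link
]

# The original configuration: one phase 2 covering the whole remote /24.
ORIGINAL_P2 = [Phase2(SITE_A, SITE_B)]


def spd_lookup(src, dst, policies: List[Phase2]) -> Optional[Phase2]:
    """SPD check: first selector whose local/remote nets contain src/dst."""
    for p in policies:
        if src in p.local and dst in p.remote:
            return p
    return None


def route_lookup(dst, routes: List[Route]) -> Optional[Route]:
    """Ordinary longest-prefix match against the routing table."""
    matches = [r for r in routes if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def decide_path(src: str, dst: str, policies: List[Phase2],
                routes: List[Route], tunnel_up: bool = True) -> str:
    """Return where a packet goes. The SPD is consulted before the routing
    table, so a matching phase 2 wins even when a more specific route exists,
    and a matching selector with the tunnel down drops the packet rather than
    failing over to the L2 route."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if spd_lookup(s, d, policies) is not None:
        return "ipsec" if tunnel_up else "dropped"
    r = route_lookup(d, routes)
    return r.gateway if r else "no_route"


def exclude_from_phase2(local: IPv4Net, remote: IPv4Net,
                        excluded: List[IPv4Net]) -> List[Phase2]:
    """Split `remote` into the smallest set of prefixes covering everything
    except `excluded`, one phase 2 entry per prefix. Traffic to the excluded
    hosts then never matches the SPD and follows the routing table instead."""
    remaining = [remote]
    for host in excluded:
        nxt = []
        for net in remaining:
            if host.subnet_of(net):
                nxt.extend(net.address_exclude(host))
            else:
                nxt.append(net)
        remaining = nxt
    return [Phase2(local, n) for n in sorted(remaining)]


# The corrected configuration: the /24 minus the backup server.
SPLIT_P2 = exclude_from_phase2(SITE_A, SITE_B, [BACKUP_SERVER])

if __name__ == "__main__":
    print("original P2, tunnel up  :", decide_path("10.1.0.10", "10.2.0.50", ORIGINAL_P2, ROUTES))
    print("original P2, tunnel down:", decide_path("10.1.0.10", "10.2.0.50", ORIGINAL_P2, ROUTES, tunnel_up=False))
    print("split P2, backup host   :", decide_path("10.1.0.10", "10.2.0.50", SPLIT_P2, ROUTES))
    print("split P2, other host    :", decide_path("10.1.0.10", "10.2.0.20", SPLIT_P2, ROUTES))
    for p in SPLIT_P2:
        print("  phase 2:", p.local, "<->", p.remote)
```

With the single /24 selector, a packet for the backup server is sent to the tunnel (or dropped when the tunnel is down) regardless of the static route over the L2 link; with the split selectors it never matches the SPD and takes the L2 route, while every other site B host still goes through IPsec. Excluding one /32 from a /24 produces eight phase 2 entries, which is the price of doing this with plain SPD selectors; the caveat is that the exclusion must be configured identically on both peers, otherwise the remote side will still push the backup replies into its own tunnel.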