Does anyone have an experience or know of an open source solution for configuring HA Site to Site VPN's? I have 3 locations to interconnect and have been labbing solutions but I can't find one that works without either loss or substantial downtime as the tunnel re-establishes. Layout is 2 PFSense boxes(running ht latest 2.5.2 release) in a CARP pair in each location using OpenVPN for the Site to Site worked but started to drop packets once we passed traffic through it (using iperf, it's maxing out at about 40 Mbps). I swapped the pfsense configs over to using IPSEC and that passed a full gig with no loss but while failover testing, there's a substantial delay in the tunnel re-establishing when the Master PFSense in the IPSEC responder roll drops and the Backup takes over as responder. IPSEC DPD settings in PFSense reflect in the strongswan config but aren't honored so it doesn't matter how low I set those.
At this point I'm thinking I'll have to go with either OpenVPN, StrongSwan or some other VPN server installed solo (straight to whatever OS flavor fits them best) and combine with some sort of vrrp/heatbeat/keepalived solution? which I'm willing to do but I figured I'd reach out to the masses first before I go that route and accept all the pain and headache that comes with it.
Also posted specifics and a diagram of my lab setup with 2 sites: https://www.reddit.com/r/PFSENSE/comments/oo6klq/help_needed_pfsense_carp_ipsec_vpn_lab_setup/
No comments:
Post a Comment