IPsec in High Availability Environments

IPsec is capable of supporting high availability environments on pfSense® software.

CARP VIP as IPsec Endpoint

CARP type virtual IP addresses are available in the Interface drop-down menu on IPsec phase 1 configuration entries. In high availability environments, an appropriate CARP address must be chosen for the WAN where the IPsec tunnel will terminate.

Using a CARP VIP address ensures that the IPsec tunnel will be handled by the High Availability cluster member currently in MASTER state. Even if the primary node is down, the tunnel will connect to whichever cluster member has taken over the MASTER role.

XMLRPC Configuration Synchronization

The IPsec configuration, static routes (for route-based IPsec), and other similar settings will synchronize via XMLRPC if those functions are enabled on the node.

Warning

When using routed IPsec (VTI) with HA, the interface assignment for the ipsecX interface must be performed separately on both nodes. As with all other interfaces in a cluster, they must be assigned in identical order on both nodes.

Initiation Caveats

If the cluster attempts to automatically initiate a tunnel, the cluster member in BACKUP state may still transmit a message, which may confuse the remote peer. pfSense software attempts to minimize the chances of this happening by dynamically setting nodes in BACKUP state to responder-only and disabling keepalive functions. When a node switches to MASTER status, these features are re-enabled.
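As an added illustration (not pfSense code), the check that the responder-only behaviour above depends on: read the CARP state of the vhid that owns the IPsec endpoint VIP from FreeBSD-style ifconfig output, then derive whether this node may initiate and send keepalives. The interface name, addresses and vhid in the sample output are constructed values.

```python
import re
from typing import Dict, Optional

# Constructed sample of FreeBSD-style `ifconfig` output (not captured from a
# real system). 192.0.2.1 is the CARP VIP used as the IPsec endpoint; the
# "carp:" line reports this node's state for that vhid.
SAMPLE_IFCONFIG = """\
vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 192.0.2.2 netmask 0xffffff00 broadcast 192.0.2.255
\tinet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255 vhid 1
\tcarp: BACKUP vhid 1 advbase 1 advskew 100
"""


def carp_state_for_vip(ifconfig_text: str, vip: str) -> Optional[str]:
    """Return the CARP state (MASTER/BACKUP/INIT) of the vhid that owns `vip`,
    or None if the address is not a CARP VIP on this node."""
    vhid = None
    for line in ifconfig_text.splitlines():
        # Address lines carrying "vhid N" belong to a CARP VIP.
        m = re.match(r"\s*inet6?\s+(\S+)\s.*\bvhid\s+(\d+)", line)
        if m and m.group(1) == vip:
            vhid = m.group(2)
            break
    if vhid is None:
        return None
    for line in ifconfig_text.splitlines():
        # The "carp:" line reports the state of each vhid on the interface.
        m = re.match(r"\s*carp:\s+(\w+)\s+vhid\s+(\d+)", line)
        if m and m.group(2) == vhid:
            return m.group(1)
    return None


def ipsec_posture(state: Optional[str]) -> Dict[str, bool]:
    """Map CARP state to the behaviour the text describes: only the MASTER
    may initiate and send keepalives; any other state (including an unknown
    or missing VIP) is treated as responder-only with keepalives off."""
    is_master = state == "MASTER"
    return {"responder_only": not is_master, "keepalive": is_master}


if __name__ == "__main__":
    st = carp_state_for_vip(SAMPLE_IFCONFIG, "192.0.2.1")
    print(st, ipsec_posture(st))
```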

During failover, the far end of a tunnel may have to wait until it fully times out before it will rebuild the tunnel to the active cluster member. This process can take several minutes depending on tunnel configuration options (e.g. DPD settings). It may be faster if the cluster initiates, but this depends upon the configuration, the environment, and what triggered the failover.

Note

Additional workarounds are present on pfSense® Plus software version 22.01 and CE version 2.6.0. On older versions it was easier for the backup node to unintentionally initiate the tunnel before it could be used, which delayed failover.