IPsec in High Availability Environments
IPsec is capable of supporting high availability environments on pfSense® software.
CARP VIP as IPsec Endpoint
CARP type virtual IP addresses are available in the Interface drop-down menu on IPsec phase 1 configuration entries. In high availability environments, choose an appropriate CARP VIP address for the WAN where the IPsec tunnel will terminate.
Using a CARP VIP address ensures that the IPsec tunnel will be handled by the currently active High Availability cluster member. Even if the primary node is down, the tunnel will connect to whichever cluster member has taken over the active role.
XMLRPC Configuration Synchronization
The IPsec configuration, static routes (for route-based IPsec), and other similar settings will synchronize via XMLRPC if those functions are enabled on the node.
Warning
When using routed IPsec (VTI) with HA, the interface assignment for the ipsecX interface must be performed separately on both nodes. As with all other interfaces in a cluster, they must be assigned in identical order on each node.
Initiation Caveats
If the cluster attempts to automatically initiate a tunnel, the cluster member in a backup state may still transmit a message that confuses the remote peer. pfSense software minimizes the chance of this happening by dynamically setting nodes in a backup state to act as responder only and by disabling keep-alive functions. When a node becomes active, it re-enables these features.
During failover, the far end of a tunnel may have to wait until its existing tunnel fully times out before it will rebuild the tunnel to the active cluster member. This process can take several minutes depending on tunnel configuration options (for example, the DPD settings). It may be faster if the cluster initiates, but that depends upon the configuration, the environment, and what triggered the failover.
Note
Additional workarounds are present on pfSense® Plus software version 22.01 and CE version 2.6.0. On older versions it was easier for the backup node to unintentionally initiate the tunnel before it could be used, which delayed failover.
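As an added worked example (not pfSense code) of how the DPD settings mentioned above bound the far end's wait: the script estimates, for an IKEv2 peer running strongSwan, the worst-case time from the active node dying until the remote peer declares the IKE SA dead and can rebuild toward the new active cluster member. It assumes strongSwan's default retransmission parameters (retransmit_timeout 4.0, retransmit_base 1.8, retransmit_tries 5) and a hypothetical DPD delay of 10 seconds; how pfSense maps its own DPD fields onto these values is not covered on this page and is not claimed here.

```python
"""Estimate the far end's dead-peer timeout after an HA failover.

Added example, not pfSense or strongSwan code. It models strongSwan's
documented retransmission behaviour: after a request (including a DPD
probe) goes unanswered, retransmit n is sent after
retransmit_timeout * retransmit_base ** n seconds, and the IKE SA is
declared dead once every retransmit has timed out.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DpdTiming:
    dpd_delay: float = 10.0          # assumed idle seconds before a DPD probe
    retransmit_timeout: float = 4.0  # strongSwan default base timeout (s)
    retransmit_base: float = 1.8     # strongSwan default exponential base
    retransmit_tries: int = 5        # strongSwan default number of retransmits


def retransmit_schedule(t: DpdTiming) -> list[float]:
    """Seconds waited after the initial send and after each retransmit."""
    return [t.retransmit_timeout * t.retransmit_base ** n
            for n in range(t.retransmit_tries + 1)]


def dead_peer_timeout(t: DpdTiming) -> float:
    """Worst case: the node dies right after answering a probe, so the far
    end idles for the full DPD delay, then exhausts every retransmit."""
    return t.dpd_delay + sum(retransmit_schedule(t))


def compare(defaults: DpdTiming, tightened: DpdTiming) -> float:
    """Seconds of failover wait saved by the tightened retransmission policy."""
    return dead_peer_timeout(defaults) - dead_peer_timeout(tightened)


if __name__ == "__main__":
    base = DpdTiming()
    tight = DpdTiming(retransmit_tries=3)  # constructed alternative policy
    for label, cfg in (("defaults", base), ("tries=3", tight)):
        secs = dead_peer_timeout(cfg)
        print(f"{label:>9}: schedule={[round(s, 1) for s in retransmit_schedule(cfg)]}"
              f" total={secs:.1f}s ({secs / 60:.1f} min)")
    print(f"saved by tightening: {compare(base, tight):.1f}s")
```

With the defaults the far end needs roughly three minutes before it will rebuild toward the new active node, which is the "several minutes" the text warns about.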