Highly available IPSEC VPN

Does your company have multiple sites needing serious up-time on both Internet and VPN?  If so then you need PFSense and a DYNDNS provider.  Why?  Let me explain…

PFSense is a router / firewall and in our opinion one of the best.  It’s free, Open Source and has reasonable pay for support options.  You can also donate to the project in many ways from buying swag, books, buy a support package, contribute code, create plugins, voice your opinions, request features or donate.

Our version of PFSense has special security related configurations we tweak out of the box to secure your network, your users and your data and depending on the need for site to site connectivity and up-time, we also tweak it for high availability.

PFSense is enterprise class and business class.  Most routers that I’ve had experience with can do IPSEC VPN.  The technology has been around for ages.  VPN’s are “Virtual Private Networks”, you hear about them in the news lately when it comes to surfing the web with anonymity however, businesses use VPN’s to connect sites so they can safely conduct business.  Businesses might also give traveling staff VPN “clients” which can connect their staff to the network as though they were there and access local company resources securely.

So what if your Internet connections goes down?  That will obviously break the connectivity of your sites and users but what if you had two Internet connections for redundancy?  The likelihood of your Internet ever going “down” is diminished. What about the VPN connection?

Most VPN connections aren’t redundant nor do they fail over.  Even large corporations struggle with this.  Why?  Because most router vendors don’t allow you to use a host name in the connection settings.  They still only allow you to put an IP address in.  Using a host name like “myfirewall.mybusiness.com” is far more flexible and allows you to then make your connectivity “dynamic”.

You might be asking yourself…what does this person mean?  What are they talking about?  Let me break it down.

Lets assume I have two Internet connections.  One from Comcast and one from Verizon.  Those addresses might be:

Comcast:  11.12.13.14
Verizon:  1.2.3.4

If I say for example:

My router at IP address:  11.12.13.14 & 1.2.3.4 VPN connects to my other remote site at 20.21.22.23.

How does it do this?  Well every router has a “default gateway”…think about it like a room with more than one door.  How many doors can you go out at the same time?  Of course…one!  The same principle exists here in our example.  There is always a “default gateway”…a way out of the room, a doorway that all traffic flows in and out of.  Now…sure, for you uber technical folks you can split traffic, have multi-path, etc but bear with me as that’s not the purpose of this discussion!

So now our router looks like this:

11.12.13.14 (default gateway) –> All traffic out <–> VPN <– remote site 20.21.22.23
1.2.3.4 (fail over address)

We should now see how MOST routers are setup.  They use IP addresses…but what if the default gateway changes and the Comcast goes down?  Assume a big truck hits the pole the Comcast line is hanging on…that’s happened!  Now what?

11.12.13.14 (default gateway) –> All traffic out <–> VPN <– remote site 20.21.22.23
1.2.3.4 (fail over address) –> All traffic out <–>  VPN <– remote site won’t connect…a mismatch IP address or 11.12.13.14 is “down”

The “fail over address” still gets your organization Internet…great but what about that VPN?  Again…most router vendors only let you use an IP address in the connection fields and not fully qualified domain names (host names: myfirewall.mybusiness.com).  It gets technical but know that in the above scenario the VPN would “break” and be “down” even though your Internet is still “up”…the Internet works but your other site over VPN will be unavailable.

So how do we overcome this problem?  That’s right…FQDN, Fully Qualified Domain Name, host names…myfirewall.mybusiness.com.  What PFSense does is this:

  1. Allows you to use FQDN’s in the connection field for IPSEC VPN Setup
  2. You can then use a DYNDNS provider (Dynamic DNS Provider like afraid.org) that gets updated when your gateway goes “down”
  3. You configure “gateway switching” on your PFSense allowing your gateway to fail over and “switch” if one goes out or has problems
  4. You then configure a “cron” job, like a scheduled task that checks in with your DYNDNS provider and if your gateway changes…it will be notified, upon notification…your record is updated.
  5. When the record gets updated, so does your IPSEC VPN target.

With the above 5 steps put in place things now look like this:

myfirewall.mycompany.com (11.12.13.14 – default gateway) (1.2.3.4 – fail over address) –> All traffic out <–> VPN <– remotesite.mycompany.com (remote site 20.21.22.23)

Notice…what we’re connecting to ARE NAMES…not IP addresses.  This is the power!  myfirewall.mycompany.com can now be one of two IP addresses.

What happens when the “default gateway” goes down in this scenario?

myfirewall.mycompany.com (11.12.13.14 – default gateway) (1.2.3.4 – fail over address) –> All traffic out <–> VPN <– remotesite.mycompany.com (remote site 20.21.22.23)

Nothing…the “gateway switching” kicks in just like in our last IP address only scenario…Internet is still “up” however, in this scenario our VPN tunnels are configured with domain names (myfirewall.mycompany.com & remotesite.mycompany.com) and not IP addresses.  On a gateway failure our name for myfirewall.mycompany.com which was 11.12.13.14 is now updated via our DYNDNS provider on the Internet and dynamically changed to now be myfirewall.mycompany.com is now 1.2.3.4.

The VPN goes “down” only for a moment as it attempts to reconnect to “myfirewall.mycompany.com” which now resolves via DNS to 1.2.3.4 to the backup Verizon Internet.  Not only do your sites still work but your mobile remote workers also connect using the host name and they too are updated on the new IP address by using myfirewall.mycompany.com and they too are running as usual…as though nothing happened.  In fact, most people don’t know they’re experiencing an outage…it just works!

What happens then when we lose one of our connections if we use fully qualified domain names to connect our VPN’s…oh my…NOTHING!  Both Internet and VPN are still up even on a failure of one Internet connection!

Think about this for a moment.

What if BOTH sites…your corporate office AND your remote site had redundant Internet connections with this configuration?  Amazing things happen called “high availability”.  We can take things to the next level past this if you can believe it by also putting in redundant firewalls.  This particular scenario didn’t call for redundant firewalls (2, 3 or more) but it’s all possible with PFSense!

 

If you need assistance improving up-time or anything needing sophisticated engineering talent look to EITS!  We can make your systems highly available like we did for a recent client.

800-864-9497

Comments or questions are welcome.

* indicates required field

Leave a Reply

Your email address will not be published. Required fields are marked *