Netgate Discussion Forum
    Will "duplicated" IPsec tunnel work as failover ?

B_IT:

I have a multi-WAN question for you. Maybe someone has worked on a setup like this, or maybe my idea will die on the vine.
      I have two locations, both have two WAN connections.

      Is it possible to create two IPsec tunnels this way?
      IPSEC connection 1
      WAN 1 location A --------- IPSEC ------------ WAN 1 location B
      P2 10.10.10.0/24 ---------------------------- P2 192.168.168.0/24

      IPSEC connection 2
      WAN 2 location A --------- IPSEC ------------ WAN 2 location B
      P2 10.10.10.0/24 ---------------------------- P2 192.168.168.0/24

      Does anyone have experience of such organized connections ?
If so, what will happen in case of loss of e.g. the WAN 1 connection? Will the second tunnel work as a failover in this case? Will such a configuration in pfSense work OOTB?

I saw that some of you are using routed VTI and BGP, but I am trying to avoid additional complexity.

      I will be grateful for your answers.

jimp (Rebel Alliance Developer, Netgate):

        You cannot have the same P2 source+destination combinations on more than one tunnel. Only the first one loaded will work. You cannot do failover that way.

        You have two choices:

1: Set up Dynamic DNS on the remote set to use a gateway group, have the tunnel use the same group, and then use the hostname as the remote address. When the remote experiences a failure it will update its hostname in DNS and then the other end will follow it. This works, but can be extremely slow since it relies on DNS (e.g. 5-10 minutes to failover).

2: Nail up two VTI tunnels, one for each WAN, and set up BGP to handle the routing and failover.

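As an added illustration of jimp's option 2 (this is not configuration from the thread, from Netgate, or from the guide luckman212 links; it is an example written for this page), below is what the FRR side looks like on location A. It assumes the two routed VTI tunnels are already up, one over each WAN, with IKEv2 and a 0.0.0.0/0 Phase 2 on both ends (so the duplicate-P2 problem jimp describes does not arise), and it assumes these addresses and AS numbers: ipsec1 over WAN 1 is 10.255.1.1/30 with peer 10.255.1.2, ipsec2 over WAN 2 is 10.255.2.1/30 with peer 10.255.2.2, A is private AS 65001 and B is private AS 65002. Location B mirrors this with its own LAN prefix and the same preference ordering, so both ends agree on the WAN 1 tunnel as primary. On pfSense these statements are entered through the FRR package pages rather than as a file; the text form is used here because it shows the whole configuration at once.

```text
! Location A -- added example, not the thread's own configuration.
! Assumed: ipsec1 = VTI over WAN 1 (10.255.1.1/30, peer 10.255.1.2)
!          ipsec2 = VTI over WAN 2 (10.255.2.1/30, peer 10.255.2.2)
!          local AS 65001, remote AS 65002, LAN 10.10.10.0/24, remote LAN 192.168.168.0/24
!
! BFD gives sub-second liveness detection per tunnel: 3 x 300 ms, so a dead
! tunnel is declared in about one second instead of BGP's default 180 s hold time.
bfd
 peer 10.255.1.2 interface ipsec1
  detect-multiplier 3
  receive-interval 300
  transmit-interval 300
 !
 peer 10.255.2.2 interface ipsec2
  detect-multiplier 3
  receive-interval 300
  transmit-interval 300
 !
!
router bgp 65001
 bgp router-id 10.255.1.1
 ! Shorter keepalive/hold timers as a fallback if a BFD session never comes up.
 timers bgp 10 30
 neighbor 10.255.1.2 remote-as 65002
 neighbor 10.255.1.2 description VTI-over-WAN1
 neighbor 10.255.1.2 bfd
 neighbor 10.255.2.2 remote-as 65002
 neighbor 10.255.2.2 description VTI-over-WAN2
 neighbor 10.255.2.2 bfd
 !
 address-family ipv4 unicast
  network 10.10.10.0/24
  neighbor 10.255.1.2 activate
  neighbor 10.255.1.2 prefix-list FROM-B in
  neighbor 10.255.1.2 prefix-list TO-B out
  neighbor 10.255.1.2 route-map VIA-WAN1 in
  neighbor 10.255.2.2 activate
  neighbor 10.255.2.2 prefix-list FROM-B in
  neighbor 10.255.2.2 prefix-list TO-B out
  neighbor 10.255.2.2 route-map VIA-WAN2 in
 exit-address-family
!
! Accept only B's LAN from B and announce only our own LAN to B. Without these
! filters a misconfigured or compromised far end could push any prefix
! (including 0.0.0.0/0) into this router's table over the tunnel.
ip prefix-list FROM-B seq 10 permit 192.168.168.0/24
ip prefix-list TO-B seq 10 permit 10.10.10.0/24
!
! Same prefix learned over both tunnels; higher local-preference wins, so
! traffic follows the WAN 1 tunnel while it is alive and moves to WAN 2 when
! BFD (or the hold timer) withdraws the WAN 1 path.
route-map VIA-WAN1 permit 10
 set local-preference 200
!
route-map VIA-WAN2 permit 10
 set local-preference 100
```

With this in place, 192.168.168.0/24 is learned twice, once from each neighbour, and only the path through ipsec1 is installed while that session is up. When WAN 1 fails, BFD drops the 10.255.1.2 session within roughly a second, BGP withdraws that path, and the route through ipsec2 takes over without any change to the IPsec configuration; when WAN 1 returns, the higher local-preference path is preferred again. This is what makes the answer to luckman212's question "seconds, not minutes", provided BFD is enabled on both ends; with only the BGP timers shown it is about 30 s, and with FRR's defaults it would be up to three minutes.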
luckman212 (replying to jimp):

          Nail up two VTI tunnels, one for each WAN, and setup BGP

          Man that would be a killer howto/config guide example. What's the failover time like for a setup like that? Is it a few seconds, a minute..?

          edit: I found what looks like a pretty decent guide (not authored by Netgate, however)

B_IT (replying to jimp):

            @jimp Thank you for your clarification. You saved me time on testing this. I guess I have to try a more difficult way.
@luckman212 I found the same tutorial; it looks like it describes pretty much the steps we need to go through to set up dual-WAN.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.