Netgate Discussion Forum
    IPSEC VTI (or Tunnel mode) where one end has 2 WAN and the other has 1 WAN

    Category: IPsec
    1 post, 1 poster, 233 views
    sheprador (last edited by sheprador)

      Hello,
      I've read, here and in the pfSense docs, that you cannot have more than one IPsec phase 1 pointing to the same remote gateway.
      Since in the past I have done this quite easily with other types of firewalls (Fortigate and Sophos), I'm wondering if there is a way to obtain the same result with pfSense as well.

      [Image: Network.png]

      I've tried some configurations:
      1) Using IPsec in tunnel mode with a gateway group as the interface.
      On site A I've set the INTERFACE field to a failover gateway group,
      and on site B I've set up 2 separate Phase 1/Phase 2 pairs, one for every WAN on the remote site.
      It seems to work, somewhat. When I disconnect WAN 1 it takes some minutes (I haven't measured how many) to reconnect.

      2) Tried with VTI mode IPsec.
      This is how I did it with the other types of firewalls (Fortigate and Sophos).
      With a couple of Sophos units on site A and pfSense boxes on site B I'm currently using a config which is exactly the same as in the picture, and the links from site A and site B are always up (as phase 1).

      I stopped with VTI mode when I couldn't figure out how to tell site A to have a Phase 1 with the same remote firewall on site B.

      Thanks

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.