Netgate Discussion Forum
    Gateway Group, Routed VTI IPSEC tunnels and failover

    IPsec · 5 Posts · 2 Posters · 1.2k Views
    • lc63

      Hello,

      I have two VPN tunnels, from the same network (AWS), to provide redundancy. The IPSEC connection (Routed VTI) on the pfSense side is functional for both tunnels.

      But for redundancy, I'd like to do automatic failover. I've defined a Gateway Group, bringing together the two IPSEC interfaces. I've specified this Gateway in my firewall rules. However, as soon as I remove the static route (defined for a single IPSEC interface, as I can't define two on the same network), the VPN network is no longer routed.

      Is it possible to do automatic failover with Gateway Group and Routed VTI IPSEC tunnels?

      • lc63 @lc63

        @lc63
        The answer seems to be no. I have switched to Policy-based mode for tunnels, which allows failover automatically.

        • marcelosb

          Hi,

          Could you provide details on what you did? I have been trying to configure VTI gateway groups for a while with no success.

          • lc63 @marcelosb

            @marcelosb
            Hi,

            I have switched to Policy-based mode for tunnels. I gave up on the VTI mode.

            Policy-based mode concentrates traffic on a single interface, and is therefore less flexible. However, it does not require a static route and enables failover. It is configured as follows, in tunnel phase 2:

            For a tunnel between A (AWS for me) and B (pfsense gateway):

            VPN > IPsec > Tunnels > P1 > Add P2
            Mode: IPv4 tunnel
            Local Network: <B private network>
            Remote Network: <A private network>

            In this mode, to manage failover, the DPD (Dead Peer Detection) option in phase 1 must be enabled. And, for example, Delay = 3 and Max failures = 1.

            Routing is done at the tunnel level, which automatically pushes routes in this mode.

            Simply configure the firewall to allow incoming traffic from the A network to the B network.

            The firewall rules will be defined on the IPsec interface. In Policy-based mode, this interface groups the two tunnels together. This way, when one tunnel goes down, the other tunnel is already authorized by the firewall.

            • marcelosb @lc63
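A check for the prerequisites lc63 lists above, added here as an example and not taken from the thread: it parses a constructed pfSense config.xml fragment and reports whether both phase 1 entries have DPD set to the stated Delay / Max failures and whether every policy-based phase 2 entry carries the same local and remote networks. The element names (phase1, dpd_delay, dpd_maxfail, phase2, mode, localid, remoteid) are assumed to follow pfSense's config.xml layout, and all addresses are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample (assumed config.xml layout): two phase 1 entries to two
# AWS endpoints, each with one policy-based phase 2 for the same networks.
SAMPLE_CONFIG = """<pfsense><ipsec>
  <phase1><ikeid>1</ikeid><remote-gateway>198.51.100.10</remote-gateway>
    <dpd_delay>3</dpd_delay><dpd_maxfail>1</dpd_maxfail></phase1>
  <phase1><ikeid>2</ikeid><remote-gateway>198.51.100.11</remote-gateway>
    <dpd_delay>3</dpd_delay><dpd_maxfail>1</dpd_maxfail></phase1>
  <phase2><ikeid>1</ikeid><mode>tunnel</mode>
    <localid><type>network</type><address>192.0.2.0</address><netbits>24</netbits></localid>
    <remoteid><type>network</type><address>10.10.0.0</address><netbits>16</netbits></remoteid>
  </phase2>
  <phase2><ikeid>2</ikeid><mode>tunnel</mode>
    <localid><type>network</type><address>192.0.2.0</address><netbits>24</netbits></localid>
    <remoteid><type>network</type><address>10.10.0.0</address><netbits>16</netbits></remoteid>
  </phase2>
</ipsec></pfsense>"""


def _net(node):
    """Render a localid/remoteid element as CIDR text."""
    return f"{node.findtext('address')}/{node.findtext('netbits')}"


def check_failover_config(xml_text, dpd_delay=3, dpd_maxfail=1):
    """Return a list of problems; an empty list means the tunnels can fail over."""
    ipsec = ET.fromstring(xml_text).find("ipsec")
    problems = []
    p1s = ipsec.findall("phase1")
    if len(p1s) < 2:
        problems.append("need at least two phase 1 tunnels for redundancy")
    for p1 in p1s:
        ikeid = p1.findtext("ikeid")
        delay, maxfail = p1.findtext("dpd_delay"), p1.findtext("dpd_maxfail")
        if delay is None:  # assumption: dpd_delay is absent when DPD is disabled
            problems.append(f"P1 {ikeid}: DPD not enabled")
        elif int(delay) != dpd_delay or int(maxfail or 0) != dpd_maxfail:
            problems.append(f"P1 {ikeid}: DPD is {delay}/{maxfail}, "
                            f"expected {dpd_delay}/{dpd_maxfail}")
    nets = set()  # (local, remote) pairs seen across policy-based phase 2 entries
    for p2 in ipsec.findall("phase2"):
        mode = p2.findtext("mode")
        if mode != "tunnel":  # a vti or tunnel6 entry cannot back the others here
            problems.append(f"P2 on P1 {p2.findtext('ikeid')}: mode {mode} is not IPv4 tunnel")
            continue
        nets.add((_net(p2.find("localid")), _net(p2.find("remoteid"))))
    if len(nets) != 1:
        problems.append(f"phase 2 networks are not identical across tunnels: {sorted(nets)}")
    return problems
```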

              @lc63 Thank you, appreciate it!

              So, in this topology, I would have two phase 1 tunnels with the same phase 2 networks, right? How would the pfsense know which one to use for the routing?

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.