    MPLS ipSec Failover Confusion

    Routing and Multi WAN
      kantlivelong

      Hello All!

      I cannot for the life of me seem to figure out how to set this up. I'm running pfSense 2.0-RELEASE (been using 2.0 since betas). Basically we have our pfSense router as the primary gateway. We then have another router on the same LAN that handles MPLS. In the event that the MPLS link is down I'd like to connect to the concentrator via IPsec VPN. I cannot seem to figure out how to do the failover for this.

      pfSense LAN IP: 192.168.1.1/24
      MPLS Router IP: 192.168.1.2/24

      I've configured an IPsec VPN for 192.168.2.0/24 on the pfSense box to the concentrator.

      How do I route traffic going to 192.168.2.0/24 through IPsec only on MPLS failure?

        podilarius

        Does the flow go like "computer -> pfsense -> MPLS -> Internet"? If you just need to create a route, then go to System -> Routing and set up a Gateway, then a route using the new gateway. It could be that you need to have a dedicated machine behind the VPN so that you can connect to it and then access the concentrator.

        Generally I would think your route would go Computer -> VPN server -> pfsense -> internet. This way the VPNed connections would get rerouted based on the VPNs connected and then all the rest of the traffic would be sent on to be routed by pfsense.

        You could also create routes on pfsense to forward all private LANs (except for your LAN) on to the VPN, as only private traffic would be going to VPNs.

        Nothing would be auto in a failure though. I don't really know a way to do that either.

          kantlivelong

          Thanks for the reply!

          Normal VPN operation:
          Computer -> pfSense -> MPLS Router -> MPLS CLOUD

          Failover VPN operation:
          Computer -> pfSense -> WAN2 -> IPsec Tunnel -> MPLS CLOUD

          Internet would be handled by regular WAN1/WAN2 failover.

          Here's a cheesy 5 min diagram in mspaint:
          RED=Normal
          ORG=Failover

          http://img823.imageshack.us/img823/2064/vpnfailover.png

            podilarius

            I don't know of an auto-failover but you could use OpenVPN and have a disabled site-to-site VPN. In the event of a failure, you would have to manually change the routes to use VPN and not the MPLS. Same on the other side of the VPN. That is all I can offer though.

              kantlivelong

              I tried policy-based routing, which worked on failure but never switched back :/

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.