Netgate Discussion Forum
    IPsec Multi-Wan Failover Pfsense 2.1

    HA/CARP/VIPs
Cem KIZIL

      Hello,

I want to do multi-WAN failover with IPsec. I searched but I can't find anything useful. I need your help.

We have main and branch offices. Every office has 2 WAN networks.

      Main Office:

      Wan A
      Wan B

      Branch Office

      Wan C
      Wan D

We have 2 IPsec connections between both offices.

1. WAN A > WAN C (Online)
2. WAN B > WAN D (Offline backup, manual)

I want that when IPsec connection 1 is down, IPsec connection 2 automatically becomes active.

How can I do this? Or is there any other path I can take?

      Best Regards.

dotdash

        A. Current version is 2.3.2, get your system updated.
        B. No way to switch both sides automatically.

Cem KIZIL

          Thank you for your answer.

          I will update soon.

2-WAN IPsec failover cannot be done correctly, right?

          Do you have any suggestion about failover for this system?

dotdash

            One side can be done with a dyndns target, see here:
            https://forum.pfsense.org/index.php?topic=58784.0
            You could try to work up something with GRE tunnels and a routing package, but you're on your own there.
It's not automatic, but you can keep the second tunnel disabled and have a monitoring system alert you so you can manually switch to the backup tunnel.

Cem KIZIL
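As an added illustration of the "monitoring system alert" approach described above (this is example code, not from the thread or from pfSense itself), the following Python script parses the output of strongSwan's `ipsec status` command, which pfSense uses for IPsec, and reports which expected tunnels are not in the ESTABLISHED state. The sample status text, the connection names (con1000, con2000, con3000) and the addresses are constructed; the `check_and_alert` function only runs the real command when no sample text is supplied.

```python
import re
import subprocess

# Constructed sample resembling `ipsec status` output from strongSwan.
# Connection names and addresses are hypothetical.
SAMPLE_STATUS = """\
Security Associations (1 up, 1 connecting):
    con1000[3]: ESTABLISHED 12 minutes ago, 198.51.100.10[198.51.100.10]...203.0.113.20[203.0.113.20]
    con1000{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1b2a3d4_i e5f6a7b8_o
    con1000{1}:   10.0.0.0/24 === 10.1.0.0/24
    con2000[7]: CONNECTING, 192.0.2.10[%any]...192.0.2.20[%any]
"""

# Matches the IKE SA line: "<name>[<id>]: <STATE> ..."; child SA lines use {} and are ignored.
IKE_SA_RE = re.compile(r"^\s*(?P<name>[\w-]+)\[\d+\]:\s+(?P<state>[A-Z]+)")


def parse_ike_states(status_text):
    """Map each IKE SA connection name to its reported state."""
    states = {}
    for line in status_text.splitlines():
        m = IKE_SA_RE.match(line)
        if m:
            states[m.group("name")] = m.group("state")
    return states


def tunnels_needing_attention(status_text, expected):
    """Return the expected connection names that are not ESTABLISHED.

    A connection that does not appear at all counts as down, which is
    what you want when the remote side has silently stopped negotiating.
    """
    states = parse_ike_states(status_text)
    return sorted(name for name in expected if states.get(name) != "ESTABLISHED")


def check_and_alert(expected, status_text=None):
    """Run the check and print an alert line; returns the list of down tunnels."""
    if status_text is None:
        # Only reached on a real firewall; `ipsec status` is a standard strongSwan command.
        result = subprocess.run(["ipsec", "status"], capture_output=True, text=True, check=False)
        status_text = result.stdout
    down = tunnels_needing_attention(status_text, expected)
    if down:
        print("ALERT: IPsec tunnels not established: " + ", ".join(down))
    else:
        print("OK: all expected IPsec tunnels established")
    return down


if __name__ == "__main__":
    check_and_alert(["con1000", "con2000"], SAMPLE_STATUS)
```

Run it from cron on the firewall (or over SSH from a monitoring host) and feed the alert line into whatever paging you already use; the point is that an operator learns about the failed primary tunnel promptly, since the switch to the backup tunnel is still manual.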

              Thank you. :)

luckman212 (LAYER 8)

                Cem,

I know you emailed me privately, but I figured since you also posted here I would reply again on the public forum in case others would benefit from the discussion. As I said in my private email, I highly suggest you try OpenVPN if you are dealing with multi-WAN (and maybe dynamic IPs?). It is just more suited to your task than IPsec at this point. If you must use IPsec, then as dotdash mentioned, you can use a DynDNS-type service tied to a gateway group so that your endpoints will get updated automatically if one link goes down. Keep in mind that even if your DNS provider allows for very short TTLs (5 minutes is basically the practical lower limit) you will have some downtime before this failover happens until DNS propagates and adjusts. It could be anywhere from 1-10 minutes. I have done this and yes it does work, but it is not ideal and sometimes a simple alert & manual intervention can be faster.

                Good luck (kolay gelsin) ;)

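The DNS-based failover described above has a built-in delay that is easy to underestimate: the remote peer keeps using the address it cached until the record's TTL expires, and if the cache expires before the DynDNS client has pushed the new address, the peer re-caches the dead address for another full TTL. The following simulation is an added example (not code from the thread, from pfSense or from any DynDNS provider) that models a DynDNS record, a caching resolver at the remote office, and the detection delay of the gateway group; the hostname, addresses and timings are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class DynDnsRecord:
    """The hostname the remote peer uses as its IPsec endpoint (hypothetical name)."""
    name: str
    ip: str
    ttl: int  # seconds


@dataclass
class CachingResolver:
    """Models the remote office's resolver: answers are reused until TTL expiry."""
    authoritative: DynDnsRecord
    cache: dict = field(default_factory=dict)  # name -> (ip, expiry_time)

    def resolve(self, name, now):
        entry = self.cache.get(name)
        if entry and now < entry[1]:
            return entry[0]  # still cached, possibly stale
        rec = self.authoritative
        self.cache[name] = (rec.ip, now + rec.ttl)
        return rec.ip


def simulate_failover(ttl, detection_delay, last_lookup, fail_time,
                      wan_a="198.51.100.10", wan_b="203.0.113.10"):
    """Return (time the remote peer first resolves WAN B, outage in seconds).

    ttl:             TTL of the DynDNS record
    detection_delay: seconds the gateway group needs to mark WAN A down and
                     push the new address (monitoring interval + DynDNS update)
    last_lookup:     when the remote peer last resolved the hostname
    fail_time:       when WAN A actually failed
    """
    record = DynDnsRecord("vpn.main-office.invalid", wan_a, ttl)
    resolver = CachingResolver(record)
    resolver.resolve(record.name, last_lookup)  # remote peer has WAN A cached
    update_time = fail_time + detection_delay

    t = fail_time
    deadline = fail_time + detection_delay + 2 * ttl + 1  # simulation bound
    while t <= deadline:
        if t == update_time:
            record.ip = wan_b  # DynDNS client on the gateway group publishes WAN B
        if resolver.resolve(record.name, t) == wan_b:
            return t, t - fail_time
        t += 1
    raise RuntimeError("peer never saw the new address within the bound")


if __name__ == "__main__":
    # Best case: cache expires after the update has been pushed.
    print(simulate_failover(ttl=300, detection_delay=30, last_lookup=0, fail_time=10))
    # Worst case: cache expires just before the update, so the stale address is re-cached.
    print(simulate_failover(ttl=300, detection_delay=30, last_lookup=0, fail_time=290))
```

With a 300 s TTL and a 30 s detection delay the first run shows an outage of 290 s, the second 310 s: the stale address was refreshed at second 300, twenty seconds before the DynDNS update, so the peer waited out an entire second TTL. That is the reason the reply above puts the practical window at several minutes even with the shortest TTL a provider allows, and why a monitored manual switch can be faster.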
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.