Netgate Discussion Forum
    GRE tunnels over IPSEC, changing routing for failover?

    IPsec
    • bobkoure

      Two sites, two ISPs per site. Four IPSEC tunnels between the two (using out-of-LAN-range IPs for endpoints). Four GRE tunnels (one over each IPSEC tunnel). All up at the same time, but if any ISP went down, traffic was routed to the two tunnels using the other ISP.
      I had this working on a pair of Snapgear firewalls between sites (used some magic code I got from the SG forum). It was quite reliable, but once there'd been a failover, when the failed ISP came back up I had to switch things back manually (which was fine - I mostly need things to stay up overnight).

      Now we've got pfSense boxes on both ends. Is this the way to manage GRE tunnels over ISPs that sometimes go down - or is there a better way? For instance, is there any way I might use Gateway Groups to do this? Something else pfSense can do? I'm still learning this firewall...

      • jimp (Rebel Alliance Developer, Netgate)

        GRE over IPsec can work but it has some major issues with pf not seeing all the traffic in every direction.

        Routed IPsec (VTI) is the best way to do this on 2.4.4 and later. It lets you use a routing protocol without having to involve transport mode or other encapsulation like GRE.


        • bobkoure

          pfSense has VTI mode IPSEC - how cool is that?
          I'm off to play with some test boxes... :-)
          For anyone else reading this thread, I found docs here

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.