IPSEC Tunnel Failover [$200]

  • For those of us not running BGP, it would be nice to be able to fail over our IPSEC tunnels.  I have attached (below) an example network.

    Basically, let's say you have a corporate datacenter.  Then you have several remote satellite offices that connect into the corporate datacenter with IPSEC.  For redundancy we have two Internet connections at the corporate datacenter.

    What we would like is to have IPSEC tunnels from our satellite offices to our corporate datacenter, so that if the main Internet connection at the corporate datacenter goes down, the satellite office PFSense boxes re-establish an IPSEC tunnel via a failover IP that would be the IP of the 2nd Internet connection at the corporate datacenter.

    In a basic way we need an automatic failover mechanism that switches to a 2nd IPSEC configuration when the first one fails.  Also, when the first IPSEC has failed and the 2nd IPSEC is being used, it would be nice if there was an automatic polling mechanism to check whether the primary connection is working again and then switch back.  This would save us from having to log in to 3 dozen locations and manually switch them back.

    Think of this as something like Primary and Secondary DNS entries.

    I imagine that there should be a lot of people who want this and the contribution should grow rather large (I hope).  Hopefully this is possible.

    P.S.  I don't know of any firewalls in production today that do this and it would be very neat to have PFSense do something that no others are doing.  Especially such a critical feature!

    Thank You
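The failover and fail-back behaviour requested above (switch to the secondary gateway after the primary stops responding, keep polling the primary, and switch back once it is stable) can be expressed as a small state machine with hysteresis so that a single lost probe does not flap the tunnel. The following is an added example written for this thread, not pfSense code or anything from the original poster: the peer addresses, thresholds and the `_apply_tunnel()` hook are constructed placeholders, and the probe results are injected so the block runs offline. In a real deployment the probe would be an ICMP or IKE liveness check against the datacenter gateway and `_apply_tunnel()` would rewrite the tunnel's remote gateway and restart it.

```python
"""Added example (not pfSense code): primary/secondary IPsec gateway failover
controller with hysteresis, driven by injected probe results.

Constructed placeholders: PRIMARY / SECONDARY addresses (RFC 5737 test
ranges), the thresholds, and the _apply_tunnel() hook.
"""
from typing import List, Tuple

PRIMARY = "203.0.113.10"     # constructed: datacenter main WAN address
SECONDARY = "198.51.100.10"  # constructed: datacenter backup WAN address


class FailoverController:
    """Tracks which datacenter gateway the satellite tunnel should point at.

    fail_threshold    consecutive failed probes of the primary before failing over
    recover_threshold consecutive good probes of the primary before failing back
    """

    def __init__(self, primary: str, secondary: str,
                 fail_threshold: int = 3, recover_threshold: int = 5):
        self.primary = primary
        self.secondary = secondary
        self.fail_threshold = fail_threshold
        self.recover_threshold = recover_threshold
        self.active = primary
        self._fail_count = 0
        self._ok_count = 0
        self.transitions: List[str] = []  # every gateway change, in order

    def _apply_tunnel(self, peer: str) -> None:
        # Hypothetical hook: a real controller would rewrite the tunnel's remote
        # gateway to `peer` and restart it. Here we only record the change.
        self.active = peer
        self.transitions.append(peer)

    def tick(self, primary_up: bool) -> str:
        """Feed one probe result for the primary gateway; return the active peer."""
        if self.active == self.primary:
            if primary_up:
                self._fail_count = 0            # any good probe resets the counter
            else:
                self._fail_count += 1
                if self._fail_count >= self.fail_threshold:
                    self._fail_count = 0
                    self._apply_tunnel(self.secondary)
        else:
            # On the secondary: keep polling the primary and only fail back once
            # it has answered recover_threshold probes in a row (hysteresis).
            if primary_up:
                self._ok_count += 1
                if self._ok_count >= self.recover_threshold:
                    self._ok_count = 0
                    self._apply_tunnel(self.primary)
            else:
                self._ok_count = 0              # a single miss restarts the count
        return self.active


def run_probes(results: List[bool], fail_threshold: int = 3,
               recover_threshold: int = 5) -> Tuple[List[str], List[str]]:
    """Replay a constructed sequence of probe results; return (active peer per
    tick, list of gateway transitions)."""
    ctl = FailoverController(PRIMARY, SECONDARY, fail_threshold, recover_threshold)
    history = [ctl.tick(up) for up in results]
    return history, ctl.transitions


if __name__ == "__main__":
    # Constructed scenario: primary healthy, then down for several polls,
    # then recovering with one brief hiccup before it is declared stable.
    scenario = [True, True, False, False, False, False, False,
                True, True, False, True, True, True, True, True]
    hist, trans = run_probes(scenario)
    for i, (up, peer) in enumerate(zip(scenario, hist), 1):
        print(f"poll {i:2d}: primary_up={up!s:5} active={peer}")
    print("transitions:", trans)
```

The two thresholds are the important design choice: without them every dropped packet would bounce the tunnel between gateways, and each bounce costs a full IKE renegotiation on every satellite site at once.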

  • I know this is already possible with Cisco devices and GRE tunnels with a routing protocol. 1.3 is supposed to have support for GRE tunnels so it will be possible to do in 1.3 with a routing protocol across those tunnels. I'm not sure of other methods to currently accomplish it.

    You may be able to create a failover pool and use policy based routing to send the IPsec traffic from the datacenter to the remote sites using the pool. You would use the remote sites to host the IPsec and have the datacenter as a mobile client.
