Dual IPSec Tunnels with failover and routing problem


  • Hi,

    I am trying to set up a VPN connection that uses 2 IPSec tunnels to separate geographic locations and which provides failover for traffic to the remote network (see attachment, with xxx.xxx.xxx.xxx being the public internet IP of the pfSense box and - not shown - the subnet NATed to the server at 192.168.10.25).

    The tunnels themselves are defined and come up / stay stable, but I am hitting my forehead on the desk trying to get the routing working in pfSense (2.3.2).

    I tried defining 2 Gateways (but could not select IPSec as interface), put them in a failover group and wanted to add a static route, but as the endpoint is the same for both it would not let me enter the second route.

    What I try to do would look like this on Linux (using StrongSwan for IPSec with vti0 / vti1 being the interfaces of the tunnels):

    ```sh
    # Primary tunnel (vti0): transit /30 plus the remote LAN with the lower (preferred) metric
    ip route add 172.16.199.192/30 dev vti0 table 220
    ip route add 10.131.208.0/24 dev vti0 table 220 metric 10

    # Secondary tunnel (vti1): same remote LAN with a higher metric, used when the vti0 route is withdrawn
    ip route add 172.16.199.196/30 dev vti1 table 220
    ip route add 10.131.208.0/24 dev vti1 table 220 metric 20

    # Traffic from the remote LAN to the NATed /29 is rewritten to the server; replies are mapped back
    # (note: iptables SNAT --to-source expects an address or address range, not a /29 prefix)
    iptables -t nat -A PREROUTING -s 10.131.208.0/24 -d 172.16.199.200/29 -j DNAT --to-destination 192.168.10.25
    iptables -t nat -A POSTROUTING -d 10.131.208.0/24 -j SNAT --to-source 172.16.199.200/29
    ```

    Any pointers highly appreciated.
    ![Netzplan- ATLAS.png](/public/imported_attachments/1/Netzplan- ATLAS.png)


  • Your scenario is very similar to mine.

    I have two tunnels going, the first tunnel is working as a charm but, the second tunnel not so much.
    I am trying to pass traffic as indicated by the pfSense book but it is not working.
    The idea of the tunnel is to pass traffic to reach networks on the other side of the tunnel but, in pfSense there is no way to direct traffic to the tunnel as per the book; it is built in the BSD kernel.

    Still looking for a solution, but it seems the forum is quiet.


  • It can be done, but it is a bit more complicated than that. Regular IPsec cannot be managed through the regular routes.

    You could set up GRE tunnels over IPsec transport mode between the public IPs. Then use a routing protocol (like RIP or OSPF) to actually handle the routing and failover.