Netgate Discussion Forum
    Dual IPSec Tunnels with failover and routing problem

    hellfleck

      Hi,

      I am trying to set up a VPN connection that uses 2 IPSec tunnels to separate geographical locations and which provides failover for traffic to the remote network (see attachment, with xxx.xxx.xxx.xxx being the public internet IP of the pfSense box and - not seen - the subnet NATed to the server at 192.168.10.25).

      The tunnels themselves are defined and come up / stay stable, but I am hitting my forehead on the desk trying to get the routing working in pfSense (2.3.2).

      I tried defining 2 gateways (but could not select IPSec as the interface), put them in a failover group and wanted to add a static route, but as the endpoint is the same for both it would not let me enter the second route.

      What I am trying to do would look like this on Linux (using StrongSwan for IPSec, with vti0 / vti1 being the interfaces of the tunnels):

      ip route add 172.16.199.192/30 dev vti0 table 220
      ip route add 10.131.208.0/24 dev vti0 table 220 metric 10
      
      ip route add 172.16.199.196/30 dev vti1 table 220
      ip route add 10.131.208.0/24 dev vti1 table 220 metric 20
      
      iptables -t nat -A PREROUTING -s 10.131.208.0/24 -d 172.16.199.200/29 -j DNAT --to-destination 192.168.10.25
      iptables -t nat -A POSTROUTING -d 10.131.208.0/24 -j SNAT --to-source 172.16.199.200/29
      

      Any pointers highly appreciated.
      ![Netzplan- ATLAS.png](/public/imported_attachments/1/Netzplan- ATLAS.png)
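Added example (not from the post or from pfSense/strongSwan): a small POSIX shell script for the Linux variant sketched above. The metric 10 / metric 20 pair only fails over if the dead tunnel's route is actually withdrawn, because a vti device stays UP after its IPsec SA is gone and the kernel keeps preferring vti0. The peer addresses and the `run` argument are assumptions; table 220, the metrics and 10.131.208.0/24 follow the post.

```shell
#!/bin/sh
# Reconcile the routes in table 220 with tunnel health so failover really happens.
REMOTE_NET=10.131.208.0/24
TABLE=220
VTI0_PEER=172.16.199.194   # hypothetical far end of the vti0 /30
VTI1_PEER=172.16.199.198   # hypothetical far end of the vti1 /30
IP=${IP:-ip}               # set IP=echo to dry-run without touching the kernel
PING=${PING:-ping}

# probe DEV PEER: succeed when PEER answers one ping sent out of DEV
probe() {
    "$PING" -c 1 -W 2 -I "$1" "$2" >/dev/null 2>&1
}

# apply_routes UP0 UP1: install the route for each tunnel that is up (1)
# and withdraw it for each tunnel that is down, keeping vti0 preferred.
apply_routes() {
    if [ "$1" = 1 ]; then
        "$IP" route replace "$REMOTE_NET" dev vti0 table "$TABLE" metric 10
    else
        "$IP" route del "$REMOTE_NET" dev vti0 table "$TABLE" 2>/dev/null || true
    fi
    if [ "$2" = 1 ]; then
        "$IP" route replace "$REMOTE_NET" dev vti1 table "$TABLE" metric 20
    else
        "$IP" route del "$REMOTE_NET" dev vti1 table "$TABLE" 2>/dev/null || true
    fi
}

# check_once: probe both tunnels, then reconcile the table (run from cron or a loop)
check_once() {
    up0=0; up1=0
    if probe vti0 "$VTI0_PEER"; then up0=1; fi
    if probe vti1 "$VTI1_PEER"; then up1=1; fi
    apply_routes "$up0" "$up1"
}

# Only act when invoked as "failover.sh run", so sourcing the file is side-effect free.
if [ "${1:-}" = run ]; then
    check_once
fi
```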

      00Bits11

        Your scenario is very similar to mine.

        I have two tunnels going; the first tunnel is working like a charm, but the second tunnel not so much.
        I am trying to pass traffic as indicated by the pfSense book, but it is not working.
        The idea of the tunnel is to pass traffic to reach networks on the other side of the tunnel, but in pfSense there is no way to direct traffic to the tunnel as per the book; it is built into the BSD kernel.

        Still looking for a solution, but it seems the forum is quiet.

        georgeman

          It can be done, but it is a bit more complicated than that. Regular IPsec cannot be managed through the regular routes.

          You could set up GRE tunnels over IPsec transport mode between the public IPs. Then use a routing protocol (like RIP or OSPF) to actually handle the routing and failover.

          If it ain't broke, you haven't tampered enough with it

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.