System Routes vs. VPN Kernel Routes - pfsense v2.2.6

  • Hi All,

    I have a scenario where one of our customers wants automatic failover between a layer-2 circuit (primary) and a VPN tunnel between us - the destination subnet will be the same.

    Configuring a target gateway and static route in menu System -> Routing is possible, but it does not override the IPsec VPN tunnel.  It appears that once strongSwan has done its thing and created the SAs between our endpoint and the customer's, the IPsec routes take precedence over System routing.

    Is there a way to reverse this order of precedence, or to automate disabling the VPN tunnel if the remote IP gateway is available and enabling it if the remote IP gateway becomes unavailable?

    In more commercial routing/firewall scenarios this is known as IPSLA.

    Kind regards,
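
An IPSLA-style tracker of the kind the question asks for, as an added example that is not part of the thread and not pfSense's own code: a shell script for the FreeBSD base of pfSense that pings the far end of the layer-2 circuit and, with hysteresis, brings the strongSwan connection up only while the circuit is down and tears it down again once the circuit recovers, so the SA-based routes exist only during an outage. The addresses 192.0.2.1/192.0.2.2, the connection name "con1" and the thresholds are assumed placeholders; that `ipsec up`/`ipsec down <conn>` work against pfSense's strongSwan setup with the pfSense-generated connection name is also an assumption to verify on the box.

```shell
#!/bin/sh
# Added example (not from the thread): IPSLA-style reachability tracker for a
# pfSense/FreeBSD box. It pings the far end of the layer-2 circuit and, with
# hysteresis, brings the strongSwan connection up when the circuit fails and
# tears it down again when the circuit recovers, so the SA-based routes only
# exist while the circuit is dead.
#
# Assumptions (hypothetical values, adjust to your setup):
#   TARGET       far-end address of the layer-2 circuit itself (the next hop),
#                NOT an address inside the tunnelled subnet; otherwise, once the
#                SA is up, the probe would travel through the VPN and the circuit
#                would never be seen to recover.
#   SRC_IF_ADDR  local address on the circuit interface, so the probe is forced
#                out that interface.
#   IPSEC_CONN   strongSwan connection name; "ipsec up/down <conn>" are the
#                strongSwan starter commands and need the pfSense-generated
#                name (check /var/etc/ipsec/ipsec.conf).

TARGET="${TARGET:-192.0.2.1}"
SRC_IF_ADDR="${SRC_IF_ADDR:-192.0.2.2}"
IPSEC_CONN="${IPSEC_CONN:-con1}"
FAIL_THRESHOLD=3      # consecutive lost probes before failing over to the VPN
RECOVER_THRESHOLD=5   # consecutive good probes before failing back to the circuit
INTERVAL=5            # seconds between probes

state="primary"       # primary = traffic on the circuit, vpn = IPsec SA in use
fail_count=0
ok_count=0

# One probe: exit 0 if the far end answers within 1000 ms (FreeBSD ping flags).
probe() {
    ping -c 1 -W 1000 -S "$SRC_IF_ADDR" "$TARGET" >/dev/null 2>&1
}

act_failover() {
    echo "circuit lost $FAIL_THRESHOLD probes in a row: bringing up IPsec '$IPSEC_CONN'" >&2
    [ "${DRY_RUN:-0}" = 1 ] || ipsec up "$IPSEC_CONN"
}

act_failback() {
    echo "circuit answered $RECOVER_THRESHOLD probes in a row: taking down IPsec '$IPSEC_CONN'" >&2
    [ "${DRY_RUN:-0}" = 1 ] || ipsec down "$IPSEC_CONN"
}

# Hysteresis state machine. $1 is the probe result, "up" or "down".
# Updates the globals state/fail_count/ok_count; a single flap never triggers
# a switch, only FAIL_THRESHOLD or RECOVER_THRESHOLD results in a row do.
update_state() {
    case "$1" in
        up)   ok_count=$((ok_count + 1)); fail_count=0 ;;
        down) fail_count=$((fail_count + 1)); ok_count=0 ;;
        *)    echo "update_state: bad result '$1'" >&2; return 1 ;;
    esac
    if [ "$state" = "primary" ] && [ "$fail_count" -ge "$FAIL_THRESHOLD" ]; then
        state="vpn"; fail_count=0; act_failover
    elif [ "$state" = "vpn" ] && [ "$ok_count" -ge "$RECOVER_THRESHOLD" ]; then
        state="primary"; ok_count=0; act_failback
    fi
}

monitor_loop() {
    while :; do
        if probe; then update_state up; else update_state down; fi
        sleep "$INTERVAL"
    done
}

# Run the loop only when asked, so the functions can be sourced or tested:
#   RUN_MONITOR=1 sh ipsla_failover.sh
if [ "${RUN_MONITOR:-0}" = 1 ]; then
    monitor_loop
fi
```

Two caveats a practitioner should check before relying on this: the probe must target the circuit's own next-hop address rather than anything covered by the phase 2 traffic selector, or the tunnel will carry the probe once it is up and the script will never fail back; and `ipsec down` on this side only helps if the remote peer is not configured to initiate (or re-key) the SA on its own, otherwise the SA returns and its routes take precedence again.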


  • LAYER 8 Global Moderator

    Sounds like you're trying to reinvent the wheel here; why does normal multi-WAN failover not work for your scenario?

  • I believe he's talking about regular routing between subnets, not multi-WAN.

    As you mentioned, the SAs take precedence over the system routing table.

    The only way (I can think of) to achieve failover would be to set up a GRE tunnel over IPsec transport mode. That way, you can handle the routing yourself, for example with OSPF. The IPsec tunnel would always be active, but regular routes would be in charge of choosing the path.

  • LAYER 8 Global Moderator

    Sure seems like multi-WAN: one is his primary layer-2 circuit to get somewhere, and the other is a VPN connection to that somewhere over an internet connection, I would assume.

    So just treat it like 2 wan connections.