    System Routes vs. VPN Kernel Routes - pfsense v2.2.6

    Routing and Multi WAN
relfie:

      Hi All,

I have a scenario where one of our customers wants automatic failover between a layer-2 circuit (primary) and a VPN tunnel between us - the destination subnet will be the same.

Configuring a target gateway and static route in menu System -> Routing is possible but does not override the IPSEC VPN tunnel. It appears that once StrongSwan has done its thing and created the SAs between our endpoint and the customer's, the IPSEC routes take precedence over System routing.

Is there a way to reverse this order of precedence, or to automate disabling the VPN tunnel if the remote IP gateway is available and enabling it if the remote IP gateway becomes unavailable?

      In more commercial routing/firewall scenarios this is known as IPSLA.

      Kind regards,

      Mark

johnpoz (LAYER 8 Global Moderator):

Sounds like you're trying to reinvent the wheel here; why does normal multi-WAN failover not work for your scenario?

        https://doc.pfsense.org/index.php/Multi-WAN

georgeman:

          I believe he's talking about regular routing between subnets, not multi-WAN.

          As you mentioned, the SAs take precedence over the system routing table.

The only way (I can think of) to achieve failover would be to set up a GRE tunnel over IPsec transport mode. That way, you can handle the routing yourself, for example with OSPF. The IPsec tunnel would always be active, but regular routes would be in charge of choosing the path.

johnpoz (LAYER 8 Global Moderator):
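As an added illustration (not code from this thread or from pfSense), the following Python model shows why the static route in the first post loses and why the GRE-over-transport-mode design gives the routing table control: a policy-based SA is matched in the security policy database before the routing table is consulted, whereas a transport-mode SA whose selector covers only GRE traffic between the two peers leaves the choice of path to ordinary routes. The customer subnet, peer and gateway addresses, and the OSPF metrics are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed example values (assumptions, not from the thread): the customer
# subnet reachable both ways, the remote IPsec peer and the layer-2 next hop.
CUSTOMER_NET = ip_network("10.50.0.0/24")
REMOTE_PEER = ip_address("198.51.100.1")
L2_GATEWAY = "192.0.2.254"

def spd_lookup(spd, dst, proto):
    """Policy-based IPsec: the kernel checks the SPD *before* the FIB, so a
    matching selector captures the packet whatever the routing table says.
    Entries are (selector_network, selector_proto, sa_name)."""
    for sel_net, sel_proto, sa in spd:
        if ip_address(dst) in sel_net and sel_proto in ("any", proto):
            return sa
    return None

def fib_lookup(fib, dst):
    """Longest-prefix match, ties broken by lowest metric. Routes are
    (prefix, next_hop, metric, up); a route withdrawn by OSPF is up=False."""
    candidates = [r for r in fib if r[3] and ip_address(dst) in r[0]]
    if not candidates:
        return None
    best = min(candidates, key=lambda r: (-r[0].prefixlen, r[2]))
    return best[1]

def forward(spd, fib, dst, proto="tcp"):
    sa = spd_lookup(spd, dst, proto)
    return f"ipsec:{sa}" if sa else fib_lookup(fib, dst)

def path_tunnel_mode(l2_up):
    """Opening-post setup: a tunnel-mode SA for the whole customer subnet plus
    a System -> Routing static route via the layer-2 circuit."""
    spd = [(CUSTOMER_NET, "any", "tunnel-to-customer")]
    fib = [(CUSTOMER_NET, L2_GATEWAY, 10, l2_up)]
    return forward(spd, fib, "10.50.0.20")

def path_gre_transport(l2_up):
    """georgeman's design: a transport-mode SA selecting only GRE to the peer;
    OSPF supplies the customer prefix over both paths, preferring layer 2."""
    spd = [(ip_network(f"{REMOTE_PEER}/32"), "gre", "transport-to-peer")]
    fib = [(CUSTOMER_NET, L2_GATEWAY, 10, l2_up),
           (CUSTOMER_NET, "gre0", 20, True)]
    hop = forward(spd, fib, "10.50.0.20")
    if hop == "gre0":  # GRE encapsulates to the peer; IPsec protects that outer packet
        return f"gre0 -> {forward(spd, fib, str(REMOTE_PEER), proto='gre')}"
    return hop
```

With the tunnel-mode SA in place the static route is never consulted, even when the layer-2 path is down; with GRE over transport mode the layer-2 route is used while it is up and the gre0 route (encrypted by the transport SA) takes over when OSPF withdraws it.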

Sure seems like multi-WAN: one is his primary layer 2 circuit to get somewhere, and the other is a VPN connection to that somewhere over an internet connection, I would assume.

            So just treat it like 2 wan connections.

© 2021 Rubicon Communications, LLC