IPsec Multi-WAN Failover pfSense 2.1



  • Hello,

    I want to do multi-WAN failover with IPsec. I searched but I can't find anything useful. I need your help.

    We have a main office and a branch office. Every office has 2 WAN networks.

    Main Office:

    WAN A
    WAN B

    Branch Office:

    WAN C
    WAN D

    We have 2 IPsec connections between the offices.

    1. WAN A > WAN C (Online)
    2. WAN B > WAN D (Offline backup, switched manually)

    I want the 2nd IPsec connection to become active automatically when the 1st IPsec connection is down.

    How can I do this? Or is there another path I can take?

    Best Regards.



  • A. The current version is 2.3.2; get your system updated.
    B. There is no way to switch both sides automatically.



  • Thank you for your answer.

    I will update soon.

    So 2-WAN IPsec failover cannot be done correctly, right?

    Do you have any suggestion about failover for this setup?



  • One side can be done with a DynDNS target, see here:
    https://forum.pfsense.org/index.php?topic=58784.0
    You could try to work up something with GRE tunnels and a routing package, but you're on your own there.
    It's not automatic, but you can keep the second tunnel disabled and have a monitoring system alert you so you can manually switch to the backup tunnel.



  • Thank you. :)



  • Cem,

    I know you emailed me privately, but since you also posted here I figured I would reply again on the public forum in case others would benefit from the discussion. As I said in my private email, I highly suggest you try OpenVPN if you are dealing with multi-WAN (and maybe dynamic IPs?). It is just more suited to your task than IPsec at this point. If you must use IPsec then, as dotdash mentioned, you can use a DynDNS-type service tied to a gateway group so that your endpoints get updated automatically if one link goes down. Keep in mind that even if your DNS provider allows very short TTLs (5 minutes is basically the practical lower limit), you will have some downtime before this failover happens, until DNS propagates and adjusts. It could be anywhere from 1-10 minutes. I have done this and yes, it does work, but it is not ideal, and sometimes a simple alert and manual intervention can be faster.

    Good luck (kolay gelsin) ;)
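The "monitoring system alerts you, then you switch by hand" approach from dotdash's reply, and the "alert and manual intervention" fallback in the reply above, both need something that tells you when the primary tunnel is down. The script below is an added example and not code from the thread or from pfSense: it parses the output of strongSwan's `ipsec status` (pfSense 2.2+ uses strongSwan, installed at /usr/local/sbin/ipsec) and reports whether the primary phase 1 has an ESTABLISHED IKE SA and an INSTALLED child SA. The connection name `con1000`, the /usr/local/sbin/ipsec path and the syslog facility are assumptions; pfSense names tunnels `conN` and the real name can be read from `ipsec statusall`. The status text embedded in the script is constructed sample output so the check can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the thread: check whether the primary IPsec tunnel
# on a pfSense box is up by parsing `ipsec status`, so cron or a monitoring
# system can alert an admin to enable the backup tunnel by hand.
# Assumed (not stated in the thread): the primary phase 1 is strongSwan
# connection "con1000"; ipsec lives at /usr/local/sbin/ipsec; alerts go to
# syslog via logger. Override PRIMARY_CONN in the environment if needed.

PRIMARY_CONN="${PRIMARY_CONN:-con1000}"
IPSEC_BIN="${IPSEC_BIN:-/usr/local/sbin/ipsec}"

# Constructed sample of `ipsec status` with the tunnel up (not real output).
SAMPLE_UP='Security Associations (1 up, 0 connecting):
     con1000[3]: ESTABLISHED 2 hours ago, 203.0.113.10[203.0.113.10]...198.51.100.20[198.51.100.20]
     con1000{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1a2b3c4_i d5e6f7a8_o
     con1000{1}:   10.0.0.0/24 === 10.1.0.0/24'

# Constructed sample with the IKE SA stuck in CONNECTING (peer unreachable).
SAMPLE_DOWN='Security Associations (0 up, 1 connecting):
     con1000[5]: CONNECTING, 203.0.113.10[%any]...198.51.100.20[%any]'

# tunnel_is_up CONN STATUS_TEXT
# Returns 0 only if CONN has an ESTABLISHED IKE SA line *and* an INSTALLED
# child SA line; an IKE SA alone means no traffic is actually flowing.
tunnel_is_up() {
    conn="$1"
    status="$2"
    printf '%s\n' "$status" | grep -q "^ *${conn}\[[0-9]*\]: ESTABLISHED" || return 1
    printf '%s\n' "$status" | grep -q "^ *${conn}{[0-9]*}: *INSTALLED" || return 1
    return 0
}

# check_primary STATUS_TEXT
# Prints "ok" when the primary tunnel is up, "failover-needed" otherwise.
check_primary() {
    if tunnel_is_up "$PRIMARY_CONN" "$1"; then
        echo ok
    else
        echo failover-needed
    fi
}

# Live mode: read the real status from strongSwan, log a warning on failure
# and exit non-zero so a monitoring wrapper (or cron MAILTO) raises an alert.
# The backup tunnel is deliberately NOT enabled here: the far side cannot be
# switched automatically, so the admin flips both ends by hand.
if [ "${1:-}" = "--live" ]; then
    live_status=$("$IPSEC_BIN" status 2>/dev/null) || live_status=""
    verdict=$(check_primary "$live_status")
    if [ "$verdict" != "ok" ]; then
        logger -p local4.warning -t ipsec-monitor \
            "primary tunnel $PRIMARY_CONN is down; enable backup tunnel manually"
        exit 2
    fi
    exit 0
fi

# Offline demonstration on the constructed samples.
echo "sample up:   $(check_primary "$SAMPLE_UP")"
echo "sample down: $(check_primary "$SAMPLE_DOWN")"
```

Run it with `--live` from cron (for example every minute) on the pfSense box whose tunnel you care about; without arguments it only exercises the parser on the constructed samples. Because both ends must be switched, the script stops at raising an alert rather than enabling the backup phase 1, which matches the point made earlier in the thread that neither side can be switched automatically.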

