IPSEC as a Fallback for Directed Radio connection



  • Hi guys,
    i need to build kind a failover mechanism for a directed radio connection with IPSEC over the WAN Interface between a Juniper SSG and a pfSense.
    I build a test system with two pfSense Firewalls just to figure out how it principially should work but i am not really getting along with it.
    First i set up a WAN Connection on both pfsenses and specified two differing subnets on both pfsenses LAN Interfaces.
    After that i set up a direct Connection (with a cable, anyways the medium does not really matter) between OPT2 interfaces of both firewalls with an own small /29er Subnet and set up a static route to forward the traffic from both sites to each other.
    This is how far it is working for now.

    Then a tried to set up an IPSEC Connection to the same subnets and hoped the administrative distance would do what i need but everytime i connect the ipsec tunnel pfsense tries to route the traffic through the ipsec tunnel even if the direct connection ist up and the WAN connection which is used by IPSEC Tunnel is down. Only if i deactivate the whole IPSEC Tunnel on both sites traffic is flowing again through the direct connected interfaces.

    Am i missing something out?

    I've read in the forum that IPSEC Site-to-Site Tunnels are not using the firewalls routing table which could explain why it always prefers the IPSEC connection over the directly connected interfaces but what is the right approch to depict such a scenario? (If direct connection goes down, pfsense switches over the route to the IPSEC Tunnel)

    I read further in the forum and now i am trying to set it up with openvpn (to understand the principles) and it is neither working, although the Juniper is not able to do OpenVPN. I tried to set it up the connection in defferent ways (tun/tap device, tried to set up a virtual interface in the interface assignment section to use them in a 2 Tier gateway group and set up a static route with this on both sites) but i am not really getting along with it cause i don't really get how to configure the Virtual Interface (openvpns1 and openvpnc1) on both sites to work properly.

    Maybe anyone has done this before (i hope so, cause a vpn backup for a directed radio connection is not that unusual) and could provide some tips or even help.

    See picture below.

    It simply should use the direct connection in general and only should use the ipsec over WAN connection in a failure condition of the directed connection.