pfSense IPsec tunnel to redundant endpoints

  • Hello,
    I have a pfSense 2.4.2 with a single WAN.
    The remote IPsec gateway has two IPsec endpoints for failover (with 2 different ISPs).
    So, the IPsec failover is not on the pfSense side, but on the other side, in the form of active / standby.

    I defined two "parallel" IPsec tunnels, with the same properties and Phase 2 entries. The only difference is the remote peer IP address, of course.
    Both tunnels are established, and the traffic works.
    However, I see the P2 entry is built over the first tunnel which I defined, though it is defined as the backup tunnel on the remote gateway.
    I have not found documentation about this topic, so my question is: is it a known behaviour of openswan?
    I would like to know whether traffic will work even in case of remote endpoint failure, and of course asking the customer to disconnect one ISP for testing is not an option.

    Thanks in advance

  • Hi!

    I was looking at the same thing. We have a SonicWall NSA3600 which has 2 WAN IPs, and a pfSense having 1 WAN. We want the pfSense to connect to the 2 remote gateways, for failover.

    I will create the second subnet and do the test. We have to plan a maintenance window, so I will disconnect WAN 1 and see if the WAN 2 tunnel goes up.

  • Sorry for the delay!

    So I tested it on my end: the 2 tunnels go up, but if I unplug one of my remote WAN ports, the tunnel doesn't switch to the other one (even if the tunnel is up…)

    I configured the DPD (dead peer detection), 5 sec for 5 polls, to disconnect the tunnel; it doesn't work... I am not sure if it is possible.

    I guess the only way would be to set up a DynDNS or No-IP on the remote firewall so they can update the IP between the active ISPs. But IMO, it is not a good solution for a large enterprise, as in my experience, for me, SonicWall and DynDNS is scrap, No-IP works okay but I do prefer using a direct IP
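The situation both posters describe (two parallel IKE SAs established, but the Phase 2 child SA sitting on only one of them) can be checked from the pfSense shell by parsing the IKE daemon's status output rather than trusting the green icons in the GUI. The following is an added example, not code from the thread or from pfSense: it assumes strongSwan-style `ipsec statusall` lines in the shape of the constructed sample below, and the connection names, subnets and peer addresses are placeholders.

```python
import re

# Constructed sample modelled on strongSwan "ipsec statusall" output (assumed format).
# It reproduces the thread's case: both IKE SAs are ESTABLISHED, but the child SA for
# the Phase 2 subnets is INSTALLED only on con1 (the tunnel the remote side calls backup).
SAMPLE_STATUS = """\
Security Associations (2 up, 0 connecting):
      con1[5]: ESTABLISHED 12 minutes ago, 203.0.113.10[203.0.113.10]...198.51.100.1[198.51.100.1]
      con1[5]: IKEv2 SPIs: 1111111111111111_i* 2222222222222222_r, rekeying in 40 minutes
      con1{3}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0000001_i c0000002_o
      con1{3}:   10.10.0.0/24 === 192.168.50.0/24
      con2[6]: ESTABLISHED 12 minutes ago, 203.0.113.10[203.0.113.10]...198.51.100.77[198.51.100.77]
      con2[6]: IKEv2 SPIs: 3333333333333333_i* 4444444444444444_r, rekeying in 41 minutes
"""

# "<conn>[n]: ESTABLISHED ... <local>[<id>]...<peer>[<id>]"  -> conn name and remote peer IP
IKE_RE = re.compile(r'^\s*([^\s\[]+)\[\d+\]:\s+ESTABLISHED .*?\.\.\.([^\[\s]+)\[')
# "<conn>{n}:   <local_net> === <remote_net>"               -> installed traffic selectors
TS_RE = re.compile(r'^\s*([^\s{]+)\{\d+\}:\s+(\S+) === (\S+)')


def parse_status(text):
    """Map each established connection to its peer IP and installed child-SA selectors."""
    conns = {}
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            conns.setdefault(m.group(1), {"peer": None, "children": []})["peer"] = m.group(2)
            continue
        m = TS_RE.match(line)
        if m and m.group(1) in conns:  # child SA lines follow their IKE SA in the output
            conns[m.group(1)]["children"].append((m.group(2), m.group(3)))
    return conns


def carrier_for(conns, local_net, remote_net):
    """Names of the connections whose child SA currently covers this subnet pair."""
    return [name for name, c in conns.items() if (local_net, remote_net) in c["children"]]


def failover_report(conns, active_conn, local_net, remote_net):
    """Summarise IKE state and flag when traffic rides the tunnel we did NOT expect."""
    carriers = carrier_for(conns, local_net, remote_net)
    return {
        "established": sorted(conns),
        "carriers": carriers,
        "traffic_on_expected_peer": active_conn in carriers,
    }
```

On a live box, replace `SAMPLE_STATUS` with the captured output of the status command and run the report before and after the remote side fails over, so you know whether the child SA actually moves.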
