gateway routing through 2 ipsec tunnel protocol based



  • Hello, first of all, sorry about my English.
    I have 2 pfSense servers at 2 different locations linked with 2 links (main and backup); between the pfSense boxes I have naked IPsec VPN tunnels.

    subnet site A: behind pfSense A < IPsec_tunnel1 (main link, 10 Mbps) > pfSense B subnet site B
    172.32.1.0/24 to 172.16.1.0/24
    172.31.1.0/24 to 172.20.20.0/24
    subnet site A: behind pfSense A < IPsec_tunnel2 (slow link, 2 Mbps) > pfSense B subnet site B
    192.168.135.0/24 to 10.10.10.0/24
    X to Y subnet
    For security reasons the IPsec tunnel must exist over any link, so in some situations I have to manually add or modify phase 2 entries to make routing go through a specific link (main or slow, depending). My question is: can I make routing using a specific gateway to pass some specific traffic, protocol based? For example, SMTP traffic routed through the tunnel over the slow link and web surfing on the main link? Or is the better way to create only one IPsec tunnel using a gateway group? In the last case our interest is to use both links to pass some protocol-based traffic over them.


  • Rebel Alliance Developer Netgate

    @luisenrique said in gateway routing through 2 ipsec tunnel protocol based:

    For security reasons the IPsec tunnel must exist over any link, so in some situations I have to manually add or modify phase 2 entries to make routing go through a specific link (main or slow, depending). My question is: can I make routing using a specific gateway to pass some specific traffic, protocol based? For example, SMTP traffic routed through the tunnel over the slow link and web surfing on the main link? Or is the better way to create only one IPsec tunnel using a gateway group? In the last case our interest is to use both links to pass some protocol-based traffic over them.

    That is not currently possible with any released version of pfSense. That said, on version 2.4.4 currently under development we have a new feature for routed IPsec that can support policy routing like you describe. It isn't 100% solid/stable yet, so I wouldn't roll it out in production without testing first, but it will be available in a stable release in a couple months.

    The only catch is that both sides must support routed IPsec, but since both sides are pfSense that should not be a problem for you.



  • @jimp that's good news! I have researched looking for a solution and came here to post as a last resort (because of my English writing). Fine, both sides are pfSense, so I'm happy to use it. Meanwhile I will keep the routing policy by hand, statically, by adding hosts or networks according to my needs. Regards
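The protocol-based split discussed in the thread, sketched as an added pf ruleset (constructed for this page, not pfSense's generated rules and not anything the participants posted): with routed IPsec each tunnel is a VTI interface that pf can use as a route-to gateway, so the original phase 2 subnet pairs become ordinary routes and one rule per protocol picks the tunnel. The interface names (igb1, ipsec1, ipsec2) and the peer VTI addresses are assumptions.

```pf
# Constructed example for a pfSense-style (FreeBSD) pf ruleset on site A.
# Assumed names: igb1 = site A LAN, ipsec1 = VTI over the 10 Mbps main link,
# ipsec2 = VTI over the 2 Mbps slow link. Peer addresses are placeholders for
# the remote VTI address configured on each routed-IPsec phase 2.
lan_if        = "igb1"
main_vti      = "ipsec1"
main_vti_peer = "10.254.1.2"
slow_vti      = "ipsec2"
slow_vti_peer = "10.254.2.2"

# Site B networks from the thread, reachable over either tunnel once the
# phase 2 selectors are replaced by static routes via the VTIs.
siteb_nets = "{ 172.16.1.0/24, 172.20.20.0/24, 10.10.10.0/24 }"

# SMTP to site B is forced through the slow tunnel.
pass in quick on $lan_if route-to ($slow_vti $slow_vti_peer) inet proto tcp \
    from any to $siteb_nets port 25 keep state

# Web traffic to site B is forced through the main tunnel.
pass in quick on $lan_if route-to ($main_vti $main_vti_peer) inet proto tcp \
    from any to $siteb_nets port { 80, 443 } keep state

# Anything else to site B follows the routing table, i.e. the static routes
# over the VTIs (and their failover), with no per-protocol override.
pass in quick on $lan_if inet from any to $siteb_nets keep state
```

Note that a route-to rule only selects the tunnel for that one flow; the static routes over both VTIs still decide the path for everything the rules do not match.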