2 IPsec tunnels, matching Phase 2 policies -- how to choose default tunnel

  • Hi,

    My pfSense deployment involves two IPsec tunnels from our HQ to two VPN endpoints in different regions. From each regional endpoint, traffic may flow to the destination network. We have our BGP routing set up such that the preferred tunnel (left side of diagram below, from pfSense-a to pfSense-us-west) has routing priority. (We are using the FRR routing package.)

    The preferred and backup tunnels each have a matching Phase 2 entry that looks like this:
    src =, dst =

    Even though the routing table indicates that the preferred tunnel should be used, we find that traffic sometimes uses the backup tunnel for egress, somehow giving Phase 2 entries priority over routing preference. Is there any way to have matching Phase 2 entries for two tunnels but to always have the preferred tunnel used when available?


                              My Team
                           +-----------+
                           | pfSense-a |
                           +-----------+
             PREFERRED TUNNEL  /     \  BACKUP TUNNEL
               IPsec Tunnel   /       \   IPsec Tunnel
                             /         \
          +------------------+         +------------------+
          |  pfSense-us-west |         |  pfSense-us-east |
          +------------------+         +------------------+
                             \         /
               IPsec Tunnel   \       /   IPsec Tunnel
                           +------------+
                           | StagingEnv |
                           +------------+


  • Rebel Alliance Developer Netgate

    That won't work with tunneled IPsec. Whatever P2 matches first will grab the traffic, and the other will never match. It can't make decisions like that.

    That said, in 2.4.4 we have Routed IPsec (VTI) which could do what you are after. It's still undergoing testing, but it allows for routing protocols and other similar techniques to work with IPsec. And since you have pfSense on each node it shouldn't be a problem there. Once every node is on 2.4.4, you can switch the tunnels over to VTI and then have BGP use the IPsec interfaces directly.
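
The difference jimp describes, shown as an added model rather than pfSense or strongSwan code: with policy-based (tunnel mode) IPsec the kernel walks the security policy database and the first Phase 2 selector that matches the packet owns it, so the routing table is never consulted and the second, overlapping Phase 2 can never match; with routed IPsec (VTI) each tunnel is an interface and the route lookup, fed by BGP, picks the egress and fails over when the preferred route is withdrawn. The prefixes, tunnel names, the order in which the two Phase 2 entries happen to sit in the SPD, and the up/down states are all constructed for the example.

```python
"""Model of policy-based IPsec (overlapping Phase 2 entries) versus routed
IPsec (VTI). Added illustration, not pfSense, FreeBSD or strongSwan code;
every prefix, name and state below is constructed for the example."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Phase2:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    tunnel: str


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    distance: int  # lower wins on a prefix-length tie, like an admin distance


def policy_based_egress(spd, src_ip, dst_ip, tunnel_up):
    """Policy-based IPsec: the SPD is consulted in order and the FIRST
    selector that matches claims the packet. The routing table is never
    asked, and a later overlapping policy is never reached. If the matching
    tunnel's SA is down the packet is held/dropped (modelled as None);
    it is not handed to the other Phase 2."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for p2 in spd:
        if src in p2.src and dst in p2.dst:
            return p2.tunnel if tunnel_up.get(p2.tunnel, False) else None
    return "cleartext"  # no policy matched: packet leaves unencrypted


def routed_egress(rib, dst_ip, tunnel_up):
    """Routed IPsec (VTI): each tunnel is an interface; longest-prefix
    match wins, ties broken by distance, over routes whose interface is
    up (a routing protocol withdraws a route when the neighbour is lost)."""
    dst = ipaddress.ip_address(dst_ip)
    usable = [r for r in rib if dst in r.prefix and tunnel_up.get(r.interface, False)]
    if not usable:
        return None
    best = max(usable, key=lambda r: (r.prefix.prefixlen, -r.distance))
    return best.interface


# Constructed scenario: HQ LAN to the staging network, two identical Phase 2
# selectors, with the BACKUP entry sitting first in the SPD. That ordering is
# an assumption chosen to reproduce the symptom from the original post.
HQ = ipaddress.ip_network("10.10.0.0/16")
STAGING = ipaddress.ip_network("10.50.0.0/16")
SPD = [
    Phase2("backup-p2", HQ, STAGING, "tunnel-us-east"),
    Phase2("preferred-p2", HQ, STAGING, "tunnel-us-west"),
]
# Same two paths as VTI interfaces; BGP prefers us-west (lower distance).
RIB = [
    Route(STAGING, "ipsec-us-west", 10),
    Route(STAGING, "ipsec-us-east", 20),
]
ALL_UP = {"tunnel-us-east": True, "tunnel-us-west": True,
          "ipsec-us-east": True, "ipsec-us-west": True}


def compare(dst_ip="10.50.2.9", src_ip="10.10.1.5"):
    """Return which path each model picks, with both tunnels up and with
    the preferred tunnel down."""
    west_down = dict(ALL_UP, **{"tunnel-us-west": False, "ipsec-us-west": False})
    east_down = dict(ALL_UP, **{"tunnel-us-east": False, "ipsec-us-east": False})
    return {
        "policy_all_up": policy_based_egress(SPD, src_ip, dst_ip, ALL_UP),
        "policy_east_down": policy_based_egress(SPD, src_ip, dst_ip, east_down),
        "routed_all_up": routed_egress(RIB, dst_ip, ALL_UP),
        "routed_west_down": routed_egress(RIB, dst_ip, west_down),
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k:18} -> {v}")
```

With both tunnels up the policy-based model sends the flow through us-east because that Phase 2 is first in the SPD, regardless of the route preference; when us-east is down the flow stalls rather than moving to the us-west Phase 2. The routed model picks us-west by preference and falls back to us-east only when the us-west route is gone, which is the behaviour BGP over VTI interfaces gives.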

  • @jimp Thank you very much for the response! Looking forward to v2.4.4 being released :)
