Is it possible to implement redundant IPsec tunnels over 2 different WAN connections?



  • I would put 2 WANs on pfSense; this would connect to an Azure VPN GW that is redundant (it has 2 different IPs).

    I guess I would create tunnels such that the "primary" WAN connection has more specific network routes than the "secondary"?



  • Hi,

    If you wait for 2.4.4 you get routed VPN. With this and the FRR package you could do this.

    Also, you can now set up a GRE tunnel with IPsec in transport mode. Then use FRR with OSPF on both sides. Then you can put a cost on each tunnel, and OSPF will use the other tunnel if the primary goes down.

    Hope that helped you.

    Hint: the last monthly hangout did a talk about the routed VPN, FRR and OSPF.
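As an added example (not from any of the posters, and not what the pfSense FRR package itself generates; it builds an equivalent config from the GUI), this is what the OSPF side of the GRE-over-IPsec approach above looks like as a plain FRR config. Interface names, addresses, costs and timers are assumptions; the IPsec transport-mode policies between the two WAN addresses and the peer are configured separately and are not shown.

```frr
! Constructed example: two GRE tunnels, each protected by IPsec transport mode,
! one per WAN. OSPF prefers gre0 (low cost) and falls back to gre1 (high cost).
!
! gre0 rides on WAN1 (primary). Point-to-point avoids DR/BDR election delays.
interface gre0
 description primary tunnel via WAN1
 ip address 10.255.0.1/30
 ip ospf network point-to-point
 ip ospf cost 10
 ! 1 s hello / 4 s dead: failover in a few seconds instead of the 40 s default
 ip ospf hello-interval 1
 ip ospf dead-interval 4
 ! Authenticate adjacencies even inside the tunnel (placeholder key)
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 REPLACE-WITH-SHARED-KEY
!
! gre1 rides on WAN2 (backup). Same settings, much higher cost, so it only
! carries traffic once gre0's dead-interval expires.
interface gre1
 description backup tunnel via WAN2
 ip address 10.255.1.1/30
 ip ospf network point-to-point
 ip ospf cost 100
 ip ospf hello-interval 1
 ip ospf dead-interval 4
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 REPLACE-WITH-SHARED-KEY
!
router ospf
 ospf router-id 10.255.0.1
 ! Tunnel subnets and the local LAN (192.168.10.0/24 is assumed)
 network 10.255.0.0/30 area 0
 network 10.255.1.0/30 area 0
 network 192.168.10.0/24 area 0
 ! Passive everywhere by default so no hellos leave on LAN or raw WAN;
 ! only the two encrypted tunnel interfaces form adjacencies.
 passive-interface default
 no passive-interface gre0
 no passive-interface gre1
!
```

The remote side mirrors this with the other /30 addresses and the same cost ordering, so both ends agree on which tunnel is primary; check with `show ip ospf neighbor` that both adjacencies are Full before testing failover by pulling WAN1.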



  • Hi

    I've done such a setup with two pfSenses. Each has a separate WAN provider.
    The other site is a single HA VMware NSX Edge firewall.

    I made a script which checks the WAN connection. If the internet fails, the script switches to the backup pfSense and starts the VPN tunnel there.

    There is not much else you can do.
    I'm also waiting for VTI tunnel support in 2.4.4.