GRE tunnels over IPSEC, changing routing for failover?

bobkoure · Nov 29, 2018, 4:31 PM

Two sites, two ISPs per site. Four IPSEC tunnels between the two (using out-of-LAN-range IPs for endpoints). Four GRE tunnels (one over each IPSEC tunnel). All up at the same time, but if any ISP went down, traffic was routed to the two tunnels using the other ISP.
I had this working on a pair of Snapgear firewalls between sites (used some magic code I got from the SG forum). It was quite reliable but once there'd been a failover, when the failed ISP came back up I had to switch things back manually (which was fine - I mostly need things to stay up overnight)

Now we've got pfSense boxes on both ends. Is this the way to manage GRE tunnels over ISPs that sometimes go down - or is there a better way? For instance, is there any way I might use Gateway Groups to do this? Something else pfSense can do? I'm still learning this firewall...

jimp · Nov 29, 2018, 8:18 PM

GRE over IPsec can work but it has some major issues with pf not seeing all the traffic in every direction.

Routed IPsec (VTI) is the best way to do this on 2.4.4 and later. It lets you use a routing protocol without having to involve transport mode or other encapsulation like GRE.

bobkoure · Dec 4, 2018, 7:13 PM

pfSense has VTI mode IPSEC - how cool is that?
I'm off to play with some test boxes... :-)
For anyone else reading this thread, I found docs here