IPsec failover - without dyndns

  • So I came across this post https://forum.netgate.com/topic/52963/ipsec-multi-wan-failover

    and it seems the only way to do multi-wan fail over is using dynamic dns. I was hoping there was a different way to accomplish this.

    My current thought is to have my peer configure two tunnels on their end. One to each end point.
    Then configure two tunnels on my side, leaving the back up disabled.

    Then on the event of a primary wan failure. Disable the primary tunnel and enable the secondary tunnel.

    I have done this in the past with an old Juniper SSG5 but I never attempted to automate the process.

    Has anyone attempted this on pfSense?

    thank you!

  • I would think that would work, though I have not tried automating anything like that. I have successfully used dynamic DNS though.

    I've currently started learning about IPSEC VTI so I can have routed IPSEC. From the sounds of the documentation, though, you could also have policy based routing:
    "Policy Routes
    To policy route traffic across a routed IPsec tunnel, use the assigned IPsec interface gateway in firewall rules as usual for policy routing.
    See also
    Directing Traffic with Policy Routing"

    See here: https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/ipsec-routed.html
    (Note: I haven't tried that and can't speak to how well it may or may not work)

  • It is a pretty old post but would like to add what I did recently (not perfect but working to some level) feedback would be nice to make it perfect.
    What I did is mentioned below.

    ON LOCAL SIDE: Create a gateway group on the Pfsense i.e GW1_GW2 change priority to Tier 1 & Tier 2 respectively.
    Assume Tier 1 GW IP is
    Assume Tier 2 GW IP is
    Local Subnet:

    Create Phase1 & Assign GW1_GW2 Gateway as Interface to IPSec
    GW1_10.10.10.10 (Primary-Alive)
    GW2_20.20.20.20 (Secondary-idle)
    Add Phase 2 Local Subnet --> <--- Remote Subnet :

    ON Remote Side: Configure Two tunnels
    Phase1 for --> Phase2 Local Subnet: <-- Remote Subnet (Primary-Alive)
    Phase1 for --> Phase2 Local Subnet: <-- Remote Subnet (Secondary-idle)

    Now the tunnel will establish using Tier1 IP as Peer IP, if the Tier1 Connection is down, it'll establish using Tier2 IP.
    I have tested this scenario, it works fine, it Failover to Tier 2 IP but when the Tier2 IP is also down OR the Tier1 IP is back online then it won't switch back to Tier1 IP. to force change I have to restart IPSec Service.

    is there any way to Force IPSec Service reload upon disconnection?

Log in to reply