3 sites - routed ipsec - automatic redundant failover routing

  • I am running pfsense routers in 3 locations, all with routed ipsec:

    Texas (
    China (
    Michigan (

    Currently each site has a routed ipsec tunnel to the other two.
    Unfortunately, the great firewall of china frequently breaks the tunnel between China and Michigan, the two are rarely ever able to ping each other.
    The tunnel between China and Texas is much more reliable.

I would still like the local sites in China and Michigan to communicate with each other... through Texas if necessary.

How would I set up pfsense such that when the China-Michigan tunnel drops, but the China-Texas and Texas-Michigan tunnels remain, traffic can flow China-Texas-Michigan through ipsec?

I think the way to go is:

    • Create routed IPsec with VTI
    • Implement some kind of dynamic routing, with BGP or OSPF, assigning different metrics to your paths.

    Videos on these subjects
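    As an added illustration (not from this thread or from the pfSense/FRR projects), here is what the OSPF side of that setup could look like for the China router in FRR vtysh syntax. Everything here is assumed: the VTI interface names ipsec1/ipsec2, the /30 transport subnets, the LAN subnet, the router-id and the authentication key are placeholders to replace with your own values.

    ```text
    ! FRR ospfd config for the CHINA site (example; Texas and Michigan are symmetric).
    ! Assumed layout (placeholders):
    !   ipsec1 = VTI to Texas,    China side 10.254.1.2/30
    !   ipsec2 = VTI to Michigan, China side 10.254.2.1/30 (the unreliable link)
    !   10.20.0.0/24 = China LAN
    !
    interface ipsec1
     description VTI to Texas
     ip ospf network point-to-point
     ip ospf cost 10
     ! Short timers so a tunnel that is silently blackholed is declared dead quickly
     ip ospf hello-interval 5
     ip ospf dead-interval 15
     ip ospf authentication message-digest
     ip ospf message-digest-key 1 md5 REPLACE_WITH_SHARED_KEY
    !
    interface ipsec2
     description VTI to Michigan
     ip ospf network point-to-point
     ! Direct cost 10 < 20 (China-Texas + Texas-Michigan), so the direct path wins while it is up
     ! and OSPF falls back to the path via Texas when the hellos on ipsec2 stop.
     ! Set this above 20 instead if you would rather prefer the Texas path and keep this link as backup.
     ip ospf cost 10
     ip ospf hello-interval 5
     ip ospf dead-interval 15
     ip ospf authentication message-digest
     ip ospf message-digest-key 1 md5 REPLACE_WITH_SHARED_KEY
    !
    router ospf
     ospf router-id 10.255.0.2
     ! Only form adjacencies over the tunnels, never on the LAN or WAN
     passive-interface default
     no passive-interface ipsec1
     no passive-interface ipsec2
     area 0 authentication message-digest
     network 10.20.0.0/24 area 0
     network 10.254.1.0/30 area 0
     network 10.254.2.0/30 area 0
    !
    ```

    Remember that pfSense still filters traffic arriving on the IPsec interface, so the firewall rules on the IPsec tab must allow OSPF (IP protocol 89) between the VTI addresses, and the VTI Phase 2 entries must exist at both ends before any adjacency can form.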
