Routing with failover IPSEC VTI - IPVPN

I'm not new to pfSense, but I am new to this community. I have a problem with configuring multiple-gateway failover with an MPLS VPN and an IPsec VPN. So now I need to configure failover with 2 ISPs. One ISP is providing ONLY an IPVPN (directly routed) tunnel from the user to the datacenter: not internet, just IPVPN. The user has a secondary ISP which also provides internet, and if the IPVPN tunnel breaks I need to fail over to IPsec automatically. Public addresses are fixed.

Do I have to make 3 gateway groups (one for load balancing, one for ISP1_fails-IPSEC_use and one for IPSEC_fails-ISP1_use)?

There is just one local (LAN) network in the datacentre (ISP1 has a GW there for the IPVPN), and at the remote location there are multiple networks, four networks, and I can't remember the other 2 (which are not important).

I've done IPsec in VTI mode and it pings the interfaces normally, but not further.

How would policy-based routing look for this case (I have to use it since I cannot do static routing via a gateway group)?

It looks something like this in the test lab:

I tried figuring out this situation in the test lab before I'd work on the real deal, but I can't get it to fail over and it always uses the same route (it doesn't use the policy-based route since it doesn't trigger the counters). Not sure what I'm doing wrong.
