Unable to select gateway group in static route
-
Hi,
I have a pfSense with a single WAN and two IPsec tunnels connected to a remote host. The remote host has two different WANs, so we have two IPsec tunnels up.
I need to create a static route to the remote subnet that will use both IPsec tunnels and manage failover. So I created a gateway group with the two IPsec gateways (the fastest as tier 1, the backup as tier 2), and now I need to create a static route that sends traffic to the remote gateway group. But in the static route I can only select single gateways (the two I defined as remote gateways via the two IPsec tunnels); I can't select the gateway group. So how can I manage routing to the remote endpoint in this scenario? What's wrong in my configuration?
Thanks.
P.S. My IPsec tunnels are routed...
-
Gateway groups cannot be used in static routes. You have to direct the traffic by policy routing rules.
-
You will need to use a dynamic routing protocol for that, like BGP or OSPF, on both IPsec tunnels on both endpoints.
Otherwise you can't be sure the other side will route back the same way.
-
@jimp I'm sure the other side routes the same way, because I have two tunnels, and if a tunnel is down the other side will route on the remaining one only, of course. It's a Fortigate; I'm sure about what it is doing. Is OSPF mandatory to perform this with pfSense, or was it a suggestion related to this possible problem?
I'm not using OSPF because I do not want to propagate to the pfSense node the entire routing area that the Fortigate knows. I only need the pfSense to know the local subnet of the FG and vice versa. Is there any way to perform this?
-
You will need a routing protocol of some kind; there isn't likely to be any other way that a connection to a third party could manage two separate tunnels which are up all the time.
The failover is much slower but you could maybe get away with only having one tunnel set to use a hostname for the remote gateway, and Dynamic DNS on the Fortigate side set to switch the hostname depending on which WAN is preferred at the time. That's assuming Fortigate supports that kind of function for Dynamic DNS.
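As an added example (not part of any post in this thread, and not pfSense's or Fortigate's own configuration), this is what the pfSense side of the BGP option suggested above could look like as an FRR running-config (what the pfSense FRR package generates). It also addresses the concern about not importing the Fortigate's whole routing table: the inbound route-maps accept only the Fortigate's LAN prefix, the outbound route-maps advertise only the pfSense LAN, local-preference makes the faster tunnel the primary path, and an AS-path prepend on the backup tunnel makes the Fortigate prefer the primary tunnel for its return traffic as well. All addresses, AS numbers, interface roles and names below are assumed.

```frr
! pfSense side, FRR BGP (added example; all values assumed)
! VTI1 (primary): local 10.255.0.1/30, remote 10.255.0.2
! VTI2 (backup):  local 10.255.1.1/30, remote 10.255.1.2
! pfSense LAN 192.168.10.0/24, Fortigate LAN 192.168.20.0/24
! pfSense AS 65001, Fortigate AS 65002
!
ip prefix-list PL-LOCAL-LAN seq 10 permit 192.168.10.0/24
ip prefix-list PL-REMOTE-LAN seq 10 permit 192.168.20.0/24
!
! Inbound: accept only the Fortigate LAN; anything else hits the implicit deny.
route-map RM-IN-PRIMARY permit 10
 match ip address prefix-list PL-REMOTE-LAN
 set local-preference 200
!
route-map RM-IN-BACKUP permit 10
 match ip address prefix-list PL-REMOTE-LAN
 set local-preference 100
!
! Outbound: advertise only the pfSense LAN; prepend on the backup tunnel so
! the Fortigate also prefers VTI1 and the return path stays symmetric.
route-map RM-OUT-PRIMARY permit 10
 match ip address prefix-list PL-LOCAL-LAN
!
route-map RM-OUT-BACKUP permit 10
 match ip address prefix-list PL-LOCAL-LAN
 set as-path prepend 65001 65001
!
router bgp 65001
 bgp router-id 10.255.0.1
 neighbor 10.255.0.2 remote-as 65002
 neighbor 10.255.0.2 description Fortigate via VTI1 primary
 neighbor 10.255.0.2 timers 5 15
 neighbor 10.255.1.2 remote-as 65002
 neighbor 10.255.1.2 description Fortigate via VTI2 backup
 neighbor 10.255.1.2 timers 5 15
 !
 address-family ipv4 unicast
  network 192.168.10.0/24
  neighbor 10.255.0.2 route-map RM-IN-PRIMARY in
  neighbor 10.255.0.2 route-map RM-OUT-PRIMARY out
  neighbor 10.255.1.2 route-map RM-IN-BACKUP in
  neighbor 10.255.1.2 route-map RM-OUT-BACKUP out
 exit-address-family
```

The Fortigate side needs the mirror image (two neighbors on the VTI addresses, its own LAN in `network`, and inbound/outbound filters of the same shape). To verify, run `vtysh -c "show ip bgp summary"` on pfSense and confirm both sessions are Established, then `vtysh -c "show ip bgp 192.168.20.0/24"` to confirm two paths are learned with the VTI1 path marked best; take VTI1 down and the VTI2 path should become best within the 15-second hold time. Keepalive/hold of 5/15 is a compromise; shorter timers or BFD give faster failover at the cost of more flapping on a lossy WAN.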
-
Hi, sorry for reactivating an old topic.
I would like to know if the status is still the same on this issue. It seems absurd to me that we would need to make things so much more complex to simply tell the firewall "if the gateway from the first VTI IPsec is down, use the second VTI IPsec". I am not sure if the implementation is too much of a hassle, but this feature would be greatly appreciated.