Netgate Discussion Forum

    How to configure IPSEC VPN to the same remote network, but with 3 remote gateways with priority

    IPsec
    mdbinfodati

      Hi, I must configure a pfSense v2.7 in this way:

      allow IPSec VPN access to the same remote network 192.168.0.x from the local network 10.0.0.x but using 3 different remote gateways:

      • the first one should be the default one
      • the second one should be used only if the first remote gateway is not reachable
      • the third one should be used only if the others are not reachable

      Is it possible?
      If I configure 3 distinct P1+P2 IPSEC VPNs, how can I set their priority/behavior?
      I made a few searches online but didn't find a clear solution/answer.

      Thank you in advance.

    planedrop @mdbinfodati

        @mdbinfodati What you are looking for is most likely going to be here in the docs: https://docs.netgate.com/pfsense/en/latest/multiwan/ipsec.html

        In short, you'll need to use a DNS A record on the other side for failover so that the tunnel gets rebuilt; pfSense itself can use a gateway group for failover, so you'd use a standard group with 3 tiers and 1 gateway per tier. Then you set up dynamic DNS for this gateway group so that DNS gets updated on failover, and once the other side tries to reconnect it'll use the new IP.

        This isn't super fast though, to be clear; it can take several minutes for it to reconnect. In my experience, though, it's almost instant when doing this: I have several pfSense boxes that I have IPsec tunnels set up with, which are on DHCP for the WAN, and whenever the WAN changes, dynamic DNS updates and the tunnel comes back up very fast.

    mdbinfodati @planedrop

          @planedrop Thank you for the reply.

          I'm still a bit confused, because I'm in a situation in which, on "my side", I have 3 remote gateways (with the same remote network behind them), but on the pfSense I have only one WAN.

          I don't have control over the remote gateways, so I don't know if the dynamic DNS solution is viable.

    planedrop @mdbinfodati

            @mdbinfodati Oh, I see, I think I misunderstood at first. So you have a site with 1 gateway and pfSense with a local LAN network that needs to reach a site behind another firewall/router that has 3 remote gateways, set up with something like failover?

            Either way I think dynamic DNS will be involved here, you'd have to have the remote gateways update their dynamic DNS entry when a WAN fails over.

            Or maybe I am still not understanding something, a network diagram might be useful here actually.

    hzrnbgy

              You might be able to make it work using routed VTI interfaces. You would need 3 distinct IPsec connections, one for each gateway. Each connection would be in Routed (VTI) mode under Phase 2. You then define a /30 address space for each tunnel pair. You can then run OSPF on these VTIs and assign different priorities. So, when all is said and done, from your side you would have 3 next hops to the remote network. If the IPsec tunnel to a gateway is down, obviously it won't show up in your routing table, since the routing protocol would detect that. The routing protocol priority would determine which gateway you would use first if all 3 tunnels are up at the same time.

              1 Reply Last reply Reply Quote 0
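    To make the VTI-plus-OSPF approach in the post above concrete, here is an added example of what the resulting FRR OSPF configuration looks like on the pfSense side. It is not code from the thread, from Netgate's docs, or from the FRR package itself; on pfSense the same settings are entered through the FRR package's OSPF pages, which generate a file of this shape. All names and addresses are assumptions: the three routed VTI tunnels are taken to be assigned as ipsec1, ipsec2 and ipsec3, the /30 transit networks are 10.255.1.0/30, 10.255.2.0/30 and 10.255.3.0/30 (pfSense end .1, remote end .2), the router ID is 10.255.0.1, and the OSPF MD5 key is a placeholder.

```conf
! Added example FRR OSPF configuration (frr.conf fragment), not from the thread.
! Assumed interface names, transit /30s, router ID and key; adjust to your setup.
router ospf
 ospf router-id 10.255.0.1
 ! Do not speak OSPF on LAN/WAN; only the three VTI tunnels form adjacencies.
 passive-interface default
 no passive-interface ipsec1
 no passive-interface ipsec2
 no passive-interface ipsec3
 network 10.255.1.0/30 area 0.0.0.0
 network 10.255.2.0/30 area 0.0.0.0
 network 10.255.3.0/30 area 0.0.0.0
!
! Preferred path: lowest cost wins when all three tunnels are up.
interface ipsec1
 ip ospf network point-to-point
 ip ospf cost 10
 ip ospf hello-interval 1
 ip ospf dead-interval 4
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 CHANGE-ME-shared-key
!
! First fallback: only used once the adjacency over ipsec1 is lost.
interface ipsec2
 ip ospf network point-to-point
 ip ospf cost 20
 ip ospf hello-interval 1
 ip ospf dead-interval 4
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 CHANGE-ME-shared-key
!
! Last resort.
interface ipsec3
 ip ospf network point-to-point
 ip ospf cost 30
 ip ospf hello-interval 1
 ip ospf dead-interval 4
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 CHANGE-ME-shared-key
```

    The "priority" from the post is expressed as the OSPF interface cost: each of the three remote gateways advertises 192.168.0.0/24 over its own VTI, so pfSense learns three candidate routes and installs the one with the lowest total cost (via ipsec1). If that tunnel fails, hellos stop, the adjacency drops after the dead interval (4 s here), and the route via ipsec2 is installed without any DNS or tunnel renegotiation on the pfSense side. Two checks worth doing: the hello/dead timers and the authentication key must match on each remote gateway's VTI or the adjacency never forms, and the remote side must actually run OSPF on all three VTIs, which the original poster said is outside their control.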
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.