Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    IPSec Failover - Primary and Secondary Tunnels?

    Scheduled Pinned Locked Moved
    IPsec
    1
    1
    83
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • B
      baketopher
      last edited by baketopher

      I have two IPsec tunnels which pass all traffic for the LAN. One is meant to act as "primary" tunnel where all traffic should be sent by default and the secondary is meant to act as a failover should the primary tunnel go down. Both tunnels are connected at all times. On the other side of the IPsec connection, there are only return routes populated for the primary tunnel unless the IPsec connection is dropped entirely on pfSense. This means if both tunnels are up and traffic is passed by pfSense to the secondary tunnel, the other side will not route traffic for the LAN. I don't have any control of the other side of the tunnel pfSense is connecting to.

      What I'm seeing is that pfSense will route traffic to the secondary tunnel if it is the most recently established tunnel. For example, checking "Status -> IPsec -> Overview" where established seconds for the secondary is lower than the primary. This causes traffic to get dropped when it hits the secondary tunnel because the routes aren't established on the other side of the tunnel as the primary tunnel is still up.

      Is there anyway to get this described primary/secondary tunnel failover to work reliably on pfSense?

      Thanks!

      tunnels_p1_p2.png

      1 Reply Last reply Reply Quote 0
      • First post
        Last post