Netgate Discussion Forum

    IPSEC - VTI mode Failover with PBR

    Posted by eeebbune:

      Hello Professionals,

      I’m currently working on a specific concept for an image, but I'm having a bit of trouble as the results are different from what I expected. I’d appreciate it if you could let me know if there’s something I’m missing, or if my goal is simply not feasible.

      Here is the drawing of what I want to implement:
      (image: network diagram)

      The setup involves two sites, Site A and Site B. Site B has dual WAN interfaces connected to two different ISPs.

      My goal is to establish Route-based VPN tunnels (VTI mode) between Site A and Site B. Specifically, I want Site A to maintain an active tunnel with Site B's WAN 1 as the primary path. In the event of a tunnel failure, I need the traffic to automatically failover to the second tunnel (Site B's WAN 2).

      I configured two gateways as a gateway group.
      (screenshot: gateway group)

      and created an allow rule like this (Site B):
      (screenshot: Site B firewall rule)

      The opposite site (Site A) also has the same ACL rule.
      (screenshot: Site A firewall rule)

      I expected that if I shut down the Tier 1 tunnel, Site B's AP would try to connect to the WLC over the Tier 2 tunnel, and Site A would also send its response to Site B over the same tunnel.
      However, in reality, even though the AP starts the connection over the Tier 2 tunnel, Site A's firewall sends the response out the WAN interface via the default route.

      Which configuration makes Site A's firewall send packets to the default gateway rather than to the Tier 2 tunnel?

      I could set a static route on the Site A firewall, but we can't choose a gateway group; it only allows selecting an interface.

      I appreciate your time.

      Reply by jimp (Rebel Alliance Developer, Netgate):

        The quick answer is you'll need to set the IPsec Filter Mode to VTI to allow those interfaces to use reply-to so the response traffic will use the correct interface. Set it on both sides.

        That will break any tunnel mode IPsec tunnels you may have, but if you don't have any, then it's only a positive change.

        The more complicated answer is that you should really run a dynamic routing protocol like BGP between those routers using the FRR package so the routing changes in a more reliable and predictable manner and isn't relying on filter trickery to avoid asymmetric routing.

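As an added illustration of the second suggestion above (this is not configuration from the thread or from Netgate), here is what a BGP peering over the two VTI tunnels could look like in FRR syntax, so that both sites learn each other's LAN over both tunnels and prefer the WAN 1 tunnel until its session drops. The interface addresses, AS numbers and LAN prefixes are constructed assumptions.

```conf
! Site A (assumed AS 65001): tunnel 1 addresses 10.255.1.0/30, tunnel 2 addresses 10.255.2.0/30
router bgp 65001
 bgp router-id 10.255.1.1
 neighbor 10.255.1.2 remote-as 65002
 neighbor 10.255.1.2 description SiteB-via-WAN1
 neighbor 10.255.2.2 remote-as 65002
 neighbor 10.255.2.2 description SiteB-via-WAN2
 ! keepalive 10s / hold 30s: a dead tunnel is detected within the hold time,
 ! after which the route via the other tunnel becomes best
 neighbor 10.255.1.2 timers 10 30
 neighbor 10.255.2.2 timers 10 30
 address-family ipv4 unicast
  network 192.168.1.0/24
  neighbor 10.255.1.2 route-map PREFER-WAN1 in
  neighbor 10.255.2.2 route-map BACKUP-WAN2 in
 exit-address-family
!
! Higher local-preference wins best-path selection, so the WAN 1 tunnel is primary
route-map PREFER-WAN1 permit 10
 set local-preference 200
route-map BACKUP-WAN2 permit 10
 set local-preference 100
!
! Site B (assumed AS 65002): mirror image, announcing its own LAN
router bgp 65002
 bgp router-id 10.255.1.2
 neighbor 10.255.1.1 remote-as 65001
 neighbor 10.255.1.1 description SiteA-via-WAN1
 neighbor 10.255.2.1 remote-as 65001
 neighbor 10.255.2.1 description SiteA-via-WAN2
 neighbor 10.255.1.1 timers 10 30
 neighbor 10.255.2.1 timers 10 30
 address-family ipv4 unicast
  network 192.168.2.0/24
  neighbor 10.255.1.1 route-map PREFER-WAN1 in
  neighbor 10.255.2.1 route-map BACKUP-WAN2 in
 exit-address-family
!
route-map PREFER-WAN1 permit 10
 set local-preference 200
route-map BACKUP-WAN2 permit 10
 set local-preference 100
```

Because both sides apply the same preference, forward and return traffic follow the same tunnel, which removes the asymmetric-routing problem without depending on reply-to. On pfSense the FRR package exposes these settings through its GUI rather than a raw config file, so the text above is only the equivalent vtysh form.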