IPSec With Multi WAN Failover Works Until Main WAN Restored
-
I have site A and site B. Site A has two WANs set up with failover group routing: WAN1 on tier 1, WAN2 on tier 2, using dynamic DNS. Site B has one WAN and has IPsec configured to connect to site A's DDNS address.
This starts out fine and when site A's main WAN1 goes down, the tunnel switches over quickly to WAN2 without site B knowing anything different.
The problem is when site A's WAN1 is restored, pfSense does not rebuild the tunnel back to WAN1 and the tunnel is still connected through WAN2. IPsec traffic does not pass at this point even with the WAN2 connection up. If I change site A's phase 1 "Gateway duplicates" to enabled, traffic will pass. This option seems to be a problem because if the tunnel is still connected through WAN2 and WAN2 then goes down, the tunnel appears still connected and does not re-establish using the restored WAN1 connection. This may actually never happen, but it could...
I can manually disconnect the tunnel with both WANs up and a re-connection will select WAN1.
Is there an option that would make site A's tunnel rebuild the connection back to WAN1 when WAN1 first gets restored?
I believe I understand what it is supposed to do. From the Netgate docs:
------------
Failover with Gateway Groups and Dynamic DNS
IPsec can fail between multiple WANs, but it requires some coordination and relies upon gateway groups and dynamic DNS. If the first gateway goes down the tunnel will move to the next available WAN in the group. When the first WAN comes back up, the tunnel will be rebuilt there again.
------------
Thanks.
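The two failure states described in the post (a tunnel left on the tier 2 WAN after tier 1 is restored, and a tunnel that looks established on a WAN whose gateway is actually down) can be caught by a monitoring check that compares the gateway group against the local address of the IKE SA. The following is an added example, not code from the post, from pfSense or from Netgate. It assumes the gateway rows are fed in from the gateway group configuration and monitor status (the rows here are constructed sample data), and that the SA listing has the shape of strongSwan's `swanctl --list-sas` output, where each IKE SA prints a `local 'id' @ address[port]` line (the listing here is a constructed sample, not captured output; the identities and addresses are placeholders).

```python
"""Detect an IPsec tunnel that is stuck on the wrong WAN after multi-WAN failover.

Added example, not from the forum post or from Netgate/pfSense. Assumptions:
  - gateway status is supplied as Gateway rows (name, tier, address, up),
    as one would derive from the gateway group and its monitor results;
  - the SA listing follows strongSwan's `swanctl --list-sas` layout, in which
    each IKE SA has a line of the form:  local  'id' @ 203.0.113.10[4500]
All sample data below is constructed for the example.
"""
import re
from dataclasses import dataclass


@dataclass
class Gateway:
    name: str
    tier: int       # gateway group tier; lower is preferred
    address: str    # WAN address the IPsec phase 1 binds to on that WAN
    up: bool        # gateway monitor result


# Constructed sample: both WANs are up again, as after WAN1 is restored.
SAMPLE_GATEWAYS = [
    Gateway("WAN1_DHCP", 1, "203.0.113.10", True),
    Gateway("WAN2_DHCP", 2, "198.51.100.5", True),
]

# Constructed sample listing: the IKE SA is still bound to the WAN2 address.
SAMPLE_SAS = """\
siteb: #3, ESTABLISHED, IKEv2, 1a2b3c4d5e6f7a8b_i* 8b7a6f5e4d3c2b1a_r
  local  'site-a.example.net' @ 198.51.100.5[4500]
  remote 'site-b.example.net' @ 192.0.2.77[4500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 600s ago, rekeying in 27000s
"""

# Matches the local-endpoint line of an IKE SA and captures its address.
LOCAL_RE = re.compile(r"^\s*local\s+'[^']*'\s+@\s+([^\s\[]+)\[\d+\]", re.M)


def tunnel_local_addresses(sas_text):
    """Return the local address of every IKE SA in the listing, in order."""
    return LOCAL_RE.findall(sas_text)


def preferred_gateway(gateways):
    """The lowest-tier gateway that is up: where the tunnel should be bound."""
    up = [g for g in gateways if g.up]
    return min(up, key=lambda g: g.tier) if up else None


def assess(gateways, sas_text):
    """Classify the first IKE SA's binding relative to the gateway group.

    Returns one of:
      'ok'          bound to the best available WAN
      'stale'       bound to a lower-tier WAN although a higher-tier WAN is up
                    (the post's situation after WAN1 comes back)
      'phantom'     bound to a WAN whose gateway is down: the SA looks
                    established but cannot pass traffic
      'unknown-wan' bound to an address that is not a group member
      'no-tunnel'   no IKE SA in the listing
      'no-gateway'  every gateway in the group is down
    """
    by_address = {g.address: g for g in gateways}
    best = preferred_gateway(gateways)
    local_addrs = tunnel_local_addresses(sas_text)
    if best is None:
        return "no-gateway"
    if not local_addrs:
        return "no-tunnel"
    bound = by_address.get(local_addrs[0])
    if bound is None:
        return "unknown-wan"
    if not bound.up:
        return "phantom"
    if bound.tier > best.tier:
        return "stale"
    return "ok"


if __name__ == "__main__":
    # A 'stale' result is the cue to reset the tunnel so it re-binds to WAN1.
    print(assess(SAMPLE_GATEWAYS, SAMPLE_SAS))
```

Run periodically (for example from cron) against a fresh listing and the current monitor states, a `stale` result is the condition under which the poster's manual disconnect is needed, and `phantom` is the case the "Gateway duplicates" setting leaves uncovered; either can then be alerted on or acted on by restarting the connection.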