Netgate Discussion Forum
    Automatic IPSec backup when primary route doesn't work

    Category: IPsec
    4 Posts, 2 Posters, 3.1k Views
    markus.schaefer

      Hi all,

      I have the following setup with two pfSense boxes running in a CARP cluster.
      WAN is connected to the ISP. The LAN subnet is connected via Router1 and Router2 to RemoteSubnet. The pfSense boxes use a static route over Router1 and Router2 for the primary connection to RemoteSubnet.

            Internet ----------IPsec----------[Checkpoint]----RemoteSubnet
                |
           _____|______
          |            |
         WAN          WAN
          |            |
      [pfSense1]   [pfSense2]
          |            |
         LAN          LAN
          |            |
          |____________|
                |
            [Router1]
                |
            [Router2]
                |
           RemoteSubnet

      Is there a way to configure the pfSense boxes to open an IPSec tunnel dynamically when Router2 is down?

      Any help would be appreciated.

      Cheers, Markus

      jimp (Rebel Alliance, Developer, Netgate)

        No, there isn't. You would need to run some kind of dynamic routing protocol like OSPF on all of the routers on both ends, and that also wouldn't work over a normal IPsec tunnel (though it should with OpenVPN, or with IPsec in transport mode and some other type of tunnel interface like gif).

        Even then it would be a bit tricky to get going the way you want.

        There may be other ways to get it going, but none of them are pleasant.

        markus.schaefer

          Hi jimp,

          Thanks for the info. Do you know whether the specified IPsec tunnel can be started from the CLI through SSH?

          I was wondering if I could automate the IPSec startup by the monitoring server using event handlers.

          Markus

          jimp (Rebel Alliance, Developer, Netgate)

            In the kind of setup I mentioned, the tunnel would be up all the time, exchanging OSPF info with the far side and making routing decisions. It wouldn't be offline.

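To make the cost-based design jimp describes concrete, here is an added example that is not part of the thread and not pfSense or Netgate code: a small shortest-path computation (the same SPF calculation OSPF runs on its link-state database) over the topology in Markus's diagram. The node names and the costs are constructed for illustration, assuming a cost of 10 per physical hop and 100 on the VPN tunnel. The tunnel only appears as a link in the graph because it is a routed interface (gif over transport-mode IPsec, or an OpenVPN tun) that is up all the time; a policy-based IPsec tunnel has no interface for OSPF to form an adjacency over, so it never enters the graph at all. With the higher cost, the tunnel carries traffic only when Router2 drops out.

```python
# Added example, not from the thread or from pfSense: OSPF-style cost-based
# failover computed with Dijkstra over the topology in Markus's diagram.
import heapq

# Assumed costs: the Router1/Router2 path is cheap and therefore preferred;
# the always-up VPN tunnel is expensive and only used when nothing cheaper exists.
PRIMARY_COST = 10
TUNNEL_COST = 100


def build_topology(router2_up: bool = True, tunnel_up: bool = True) -> dict:
    """Constructed link-state graph of the thread's diagram (node names are
    illustrative). Each link is listed once and added in both directions."""
    links = [
        ("pfSense", "Router1", PRIMARY_COST),
        ("Router1", "Router2", PRIMARY_COST),
        ("Router2", "RemoteSubnet", PRIMARY_COST),
        # The VPN leg exists only because it is a routed interface (gif/tun);
        # a policy-based IPsec SA would not show up here at all.
        ("pfSense", "Checkpoint", TUNNEL_COST),
        ("Checkpoint", "RemoteSubnet", PRIMARY_COST),
    ]
    graph: dict = {}
    for a, b, cost in links:
        if not router2_up and "Router2" in (a, b):
            continue  # Router2 down: its LSAs age out, links disappear
        if not tunnel_up and {a, b} == {"pfSense", "Checkpoint"}:
            continue  # tunnel interface down: no adjacency, no link
        graph.setdefault(a, {})[b] = cost
        graph.setdefault(b, {})[a] = cost
    return graph


def shortest_path(graph: dict, src: str, dst: str):
    """Dijkstra: returns (path, total_cost) or (None, None) if unreachable."""
    dist = {src: 0}
    prev = {}
    heap = [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist.get(u, float("inf")):
            continue  # stale heap entry
        if u == dst:
            break
        for v, cost in graph.get(u, {}).items():
            nd = d + cost
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                prev[v] = u
                heapq.heappush(heap, (nd, v))
    if dst not in dist:
        return None, None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    path.reverse()
    return path, dist[dst]


def next_hop(router2_up: bool = True, tunnel_up: bool = True):
    """Next hop and total cost from pfSense to RemoteSubnet for a given link state."""
    graph = build_topology(router2_up, tunnel_up)
    path, cost = shortest_path(graph, "pfSense", "RemoteSubnet")
    if not path or len(path) < 2:
        return None, None
    return path[1], cost


if __name__ == "__main__":
    print("all links up:          ", next_hop())                        # ('Router1', 30)
    print("Router2 down:          ", next_hop(router2_up=False))        # ('Checkpoint', 110)
    print("Router2 and tunnel down:", next_hop(router2_up=False, tunnel_up=False))  # (None, None)
```

The third scenario is the reason the tunnel must stay up rather than be brought up on demand: if the tunnel interface is down when Router2 fails, there is no link to fall back to, and OSPF can only converge onto a path it already knows about.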