Automatic IPSec backup when primary route doesn't work

markus.schaefer

Hi all,

I have the following setup with two pfSense boxes running in a CARP cluster.
WAN is connected to ISP. The LAN subnet is connected via Router1 and Router2 to RemoteSubnet. The pfSense boxes use a static route over Router1 and Router2 for primary connection to RemoteSubnet.

Internet –---------IPSec---------------[Checkpoint]–---RemoteSubnet
               |
     _____________
    |                    |
 WAN               WAN
    |                    |
[pfSense1]       [pfSense2]
    |                    |
  LAN                 LAN
    |                    |
    |_____________|
               |
           [Router1]
               |
           [Router2]
               |
       RemoteSubnet

Is there a way to configure the pfSense boxes to open an IPSec tunnel dynamically when Router2 is down?

Any help would be appreciated..

Cheers markus

jimp

No, there isn't. You would need to run some kind of dynamic routing protocol like OSPF on all of the routers on both ends, and that also wouldn't work over a normal IPsec tunnel (Though it should with OpenVPN, or IPsec in transport mode and some other type of tunnel interface like gif)

Even then it would be a bit tricky to get going the way you want.

There may be other ways to get it going, but none of them are pleasant.

markus.schaefer

Hi jimp,

thanks for info, do you know if the specified IPSec tunnel can be started from the CLI through SSH?

I was wondering if I could automate the IPSec startup by the monitoring server using event handlers.

Markus

jimp

In the kind of setup I mentioned, the tunnel would be up all the time exchanging ospf info with the far side making routing decisions. It wouldn't be offline.