Automatic IPSec backup when primary route doesn't work

  • Hi all,

    I have the following setup with two pfSense boxes running in a CARP cluster.
    The WAN is connected to the ISP. The LAN subnet is connected via Router1 and Router2 to RemoteSubnet. The pfSense boxes use a static route over Router1 and Router2 for the primary connection to RemoteSubnet.

    Internet ----------IPSec---------------[Checkpoint]----RemoteSubnet
        |                    |
       WAN                  WAN
        |                    |
    [pfSense1]           [pfSense2]
        |                    |
       LAN                  LAN
        |                    |

    Is there a way to configure the pfSense boxes to open an IPSec tunnel dynamically when Router2 is down?

    Any help would be appreciated.

    Cheers, markus

  • Rebel Alliance Developer Netgate

    No, there isn't. You would need to run some kind of dynamic routing protocol like OSPF on all of the routers on both ends, and that also wouldn't work over a normal IPsec tunnel (though it should with OpenVPN, or IPsec in transport mode and some other type of tunnel interface like gif).

    Even then it would be a bit tricky to get going the way you want.

    There may be other ways to get it going, but none of them are pleasant.

  • Hi jimp,

    Thanks for the info. Do you know if the specified IPSec tunnel can be started from the CLI through SSH?

    I was wondering if I could automate the IPSec startup by the monitoring server using event handlers.


  • Rebel Alliance Developer Netgate

    In the kind of setup I mentioned, the tunnel would be up all the time exchanging ospf info with the far side making routing decisions. It wouldn't be offline.
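The monitoring-server approach markus asks about (probe the primary path, bring the tunnel up or down over SSH from an event handler), written out as an added example. This is not code from the thread, not a pfSense feature, and does not change jimp's point that the routing-protocol design is the one that actually converges on its own. Everything specific here is assumed: that the pfSense box runs strongSwan so `ipsec up`/`ipsec down` exist, that the tunnel's connection name is `con1000`, that the monitoring host has key-based SSH access as `admin`, and that `198.51.100.10` is a probe host inside RemoteSubnet reached over the primary static route. The addresses are documentation ranges, not real ones.

```shell
#!/bin/sh
# Added example for the thread above; not pfSense code and not from the posts.
# Assumptions (all hypothetical): strongSwan on pfSense, connection "con1000",
# key-based SSH as "admin", a probe host inside RemoteSubnet on the primary path.

PFSENSE_HOST="${PFSENSE_HOST:-192.0.2.1}"        # assumed pfSense address (e.g. CARP VIP)
PROBE_HOST="${PROBE_HOST:-198.51.100.10}"         # assumed host in RemoteSubnet
CONN_NAME="${CONN_NAME:-con1000}"                 # assumed strongSwan connection name
FAIL_THRESHOLD="${FAIL_THRESHOLD:-3}"             # consecutive probe failures before failover
STATE_FILE="${STATE_FILE:-/tmp/ipsec-failover.state}"
DRY_RUN="${DRY_RUN:-1}"                           # 1 = print the SSH command instead of running it

# decide_action PRIMARY TUNNEL FAILS THRESHOLD
#   PRIMARY: up|down  result of the latest probe over the primary route
#   TUNNEL:  up|down  whether the backup tunnel is currently held up by us
#   FAILS:   consecutive probe failures so far (hysteresis against flapping)
# Prints exactly one of: bring_up | tear_down | none
decide_action() {
    primary="$1"; tunnel="$2"; fails="$3"; threshold="$4"
    if [ "$primary" = "down" ]; then
        if [ "$tunnel" = "down" ] && [ "$fails" -ge "$threshold" ]; then
            echo bring_up
        else
            echo none
        fi
    else
        if [ "$tunnel" = "up" ]; then
            echo tear_down
        else
            echo none
        fi
    fi
}

# next_fail_count PRIMARY CURRENT -> new consecutive failure count
next_fail_count() {
    if [ "$1" = "down" ]; then echo $(( $2 + 1 )); else echo 0; fi
}

# Run a command on the pfSense box over SSH (assumed key-based auth, no prompts).
run_remote() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "[dry-run] ssh admin@$PFSENSE_HOST $*"
    else
        ssh -o BatchMode=yes "admin@$PFSENSE_HOST" "$@"
    fi
}

# Map a decision onto the assumed strongSwan CLI on the firewall.
apply_action() {
    case "$1" in
        bring_up)  run_remote "/usr/local/sbin/ipsec up $CONN_NAME" ;;
        tear_down) run_remote "/usr/local/sbin/ipsec down $CONN_NAME" ;;
        none)      : ;;
    esac
}

# One monitoring cycle: probe, update persisted state, act. Meant to be called
# from cron or a monitoring event handler on the monitoring server, not on pfSense.
check_once() {
    # Linux ping syntax (-W in seconds); on FreeBSD -W is in milliseconds.
    if ping -c 1 -W 2 "$PROBE_HOST" >/dev/null 2>&1; then primary=up; else primary=down; fi
    fails=0; tunnel=down                        # defaults on first run
    if [ -r "$STATE_FILE" ]; then
        read -r fails tunnel < "$STATE_FILE" || :   # state file holds "<fails> <tunnel>"
    fi
    fails=$(next_fail_count "$primary" "$fails")
    action=$(decide_action "$primary" "$tunnel" "$fails" "$FAIL_THRESHOLD")
    apply_action "$action"
    case "$action" in
        bring_up)  tunnel=up ;;
        tear_down) tunnel=down ;;
    esac
    printf '%s %s\n' "$fails" "$tunnel" > "$STATE_FILE"
    echo "primary=$primary fails=$fails tunnel=$tunnel action=$action"
}

# Usage: DRY_RUN=0 ./ipsec-failover.sh check   (from cron every minute, or an event handler)
case "${1:-}" in
    check) check_once ;;
esac
```

The decision logic is separated from the side effects so it can be tested without a network, and the failure threshold keeps one lost ping from flipping the tunnel. The script only controls the IKE state; whether traffic to RemoteSubnet really moves onto the tunnel while the static route still exists depends on how the firewall resolves its static route against the IPsec policy, which the thread does not settle, so verify that on a lab pair before relying on it.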

