Automatic IPSec backup when primary route doesn't work
-
Hi all,
I have the following setup with two pfSense boxes running in a CARP cluster.
WAN is connected to the ISP. The LAN subnet is connected via Router1 and Router2 to RemoteSubnet. The pfSense boxes use a static route over Router1 and Router2 for the primary connection to RemoteSubnet.

Internet ----------IPSec---------------[Checkpoint]----RemoteSubnet
    |
    _________________
    |               |
   WAN             WAN
    |               |
[pfSense1]      [pfSense2]
    |               |
   LAN             LAN
    |               |
    |_______________|
            |
        [Router1]
            |
        [Router2]
            |
      RemoteSubnet

Is there a way to configure the pfSense boxes to open an IPSec tunnel dynamically when Router2 is down?
Any help would be appreciated.
Cheers markus
-
No, there isn't. You would need to run some kind of dynamic routing protocol like OSPF on all of the routers on both ends, and that also wouldn't work over a normal IPsec tunnel (though it should with OpenVPN, or IPsec in transport mode and some other type of tunnel interface like gif).
Even then it would be a bit tricky to get going the way you want.
There may be other ways to get it going, but none of them are pleasant.
-
Hi jimp,
thanks for the info. Do you know if the specified IPSec tunnel can be started from the CLI through SSH?
I was wondering if I could automate the IPSec startup by the monitoring server using event handlers.
Markus
-
In the kind of setup I mentioned, the tunnel would be up all the time, exchanging OSPF info with the far side and making routing decisions. It wouldn't be offline.
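For the monitoring-driven approach Markus asked about (an event handler bringing the tunnel up when the Router1/Router2 path dies), the part that usually bites is flapping and forgetting the route. The script below is an added example written for this thread, not pfSense code or anything posted by Markus or jimp. It assumes a probe address on RemoteSubnet (192.0.2.10, constructed), that the commands to bring the tunnel up and down are supplied through UP_CMD and DOWN_CMD (on strongSwan-based pfSense that would be something like "/usr/local/sbin/ipsec up <conn>", but the exact command depends on the pfSense version, so it is left as an assumption), and it requires consecutive failures before failing over and a longer run of successes before failing back, so one lost ping does not bounce the tunnel. Note jimp's point still applies: bringing the tunnel up is not enough, the static route to RemoteSubnet must be swapped too, otherwise traffic keeps following the dead path.

```shell
#!/bin/sh
# Added example: a monitoring event handler with hysteresis that fails over to
# a standby IPsec tunnel when the primary path via Router1/Router2 stops
# answering, and fails back once that path has been stable for a while.
# All names and addresses below are assumptions for illustration.

PROBE_TARGET="${PROBE_TARGET:-192.0.2.10}"   # constructed: a host on RemoteSubnet
FAIL_THRESHOLD=3       # consecutive failed probes before failing over
RECOVER_THRESHOLD=10   # consecutive good probes before failing back
STATE_FILE="${STATE_FILE:-/tmp/ipsec-failover.state}"

# Commands that bring the tunnel up/down AND swap the route to RemoteSubnet.
# Defaults only echo; set them to the real commands on the box (assumption:
# e.g. "/usr/local/sbin/ipsec up <conn> && route change <net> <gw>").
UP_CMD="${UP_CMD:-echo would bring tunnel up and point route at the tunnel}"
DOWN_CMD="${DOWN_CMD:-echo would bring tunnel down and restore the static route}"

# Returns 0 if the primary path answers, non-zero otherwise.
# (A per-probe timeout flag differs between FreeBSD and Linux ping, so it is
# left out here; add it for your platform.)
probe_primary() {
    ping -c 1 "$PROBE_TARGET" >/dev/null 2>&1
}

# decide_action MODE STREAK PROBE_OK -> prints "MODE:STREAK:ACTION"
#   MODE     is "primary" (static route in use) or "backup" (tunnel in use)
#   STREAK   counts consecutive probes that disagree with the current mode
#   PROBE_OK is 1 if the primary path answered, 0 if it did not
#   ACTION   is noop, failover or failback
# Pure function: the caller performs the action and stores the new state.
decide_action() {
    mode=$1; streak=$2; ok=$3
    action=noop
    case "$mode:$ok" in
        primary:0)
            streak=$((streak + 1))
            if [ "$streak" -ge "$FAIL_THRESHOLD" ]; then
                mode=backup; streak=0; action=failover
            fi ;;
        primary:1) streak=0 ;;          # one good probe clears the failure run
        backup:1)
            streak=$((streak + 1))
            if [ "$streak" -ge "$RECOVER_THRESHOLD" ]; then
                mode=primary; streak=0; action=failback
            fi ;;
        backup:0) streak=0 ;;           # one bad probe restarts the recovery run
    esac
    printf '%s:%s:%s\n' "$mode" "$streak" "$action"
}

# One scheduler tick: load state, probe, decide, act, save state.
# Prints the action taken so a cron/monitoring log shows what happened.
run_once() {
    if [ -f "$STATE_FILE" ]; then
        read -r mode streak < "$STATE_FILE"
    else
        mode=primary; streak=0
    fi
    if probe_primary; then ok=1; else ok=0; fi
    result=$(decide_action "$mode" "$streak" "$ok")
    new_mode=${result%%:*}
    rest=${result#*:}
    new_streak=${rest%%:*}
    action=${rest#*:}
    case "$action" in
        failover) sh -c "$UP_CMD" ;;
        failback) sh -c "$DOWN_CMD" ;;
    esac
    printf '%s %s\n' "$new_mode" "$new_streak" > "$STATE_FILE"
    echo "$action"
}

# Run from cron or as a monitoring event handler: "sh failover.sh run"
if [ "${1:-}" = "run" ]; then
    run_once
fi
```

Schedule it every 10 seconds or call it from the monitoring server's event handler; with the thresholds above, failover happens after roughly 30 seconds of a dead path and failback only after about 100 seconds of a healthy one. Keep the state file on the CARP master only, or key it to the CARP status, so the backup pfSense does not try to bring up its own copy of the tunnel.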