Dual WAN and IPSec: Simply switch interface on alarm
I found many topic replies clearly stating that WAN failover and IPsec cannot be combined due to technical reasons. Yet I do not see why pfSense is not able to do something I now do by hand. When WAN1 fails, I switch my VPN endpoint from WAN1 to WAN2. When I see that WAN1 is working again, I switch it back. If I can do this, why not pfSense?
It's not quite that simple unfortunately. Many people in the field don't have the ability to just change the endpoint IP without adjusting the other side of the tunnel.
It might be possible to do this, but it's not as easy as it seems, and would definitely have to be optional. Might be an interesting project for someone looking to get into development to try.
I do have this option because the endpoint is a ZyWALL USG, which has support for dynamic clients. The solution could, however, be reformulated as having two tunnels with different priorities. If the tunnel with the higher priority goes down, the one with the lower priority is activated. In my case their endpoints would be the same, but for others this does not have to be so. Subnet overlaps do not matter anymore when the tunnels are never both active at the same time.
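The manual procedure from the opening post and the two-tunnels-with-priorities idea above, written out as a watchdog script. This is an added example and is not pfSense code or anything the thread's participants posted. It assumes strongSwan's `swanctl` is available and that two connections are already defined, one bound to each WAN, with the hypothetical names `vpn-wan1` (preferred) and `vpn-wan2`; the probe target and WAN1 source address are constructed placeholders. As the reply points out, this only works when the far side accepts the tunnel from either address (the ZyWALL's dynamic-client support in this case); for a peer pinned to one IP the far end has to change too. The two tunnels are never up at the same time, and failover and failback each require several consecutive probe results so a single lost ping does not flap the tunnel.

```shell
#!/bin/sh
# Added example, not pfSense's own code: emulate "switch the IPsec endpoint
# to WAN2 when WAN1 fails, switch back when WAN1 recovers" with hysteresis.
#
# Assumptions (hypothetical, adjust for your box):
#   - strongSwan swanctl is installed; connections "vpn-wan1" (preferred,
#     bound to WAN1) and "vpn-wan2" (bound to WAN2) exist in swanctl.conf.
#   - WAN1_SRC is an address on WAN1 so the probe is forced out that WAN.
#   - DRY_RUN=1 prints the swanctl commands instead of running them.

PROBE_HOST=${PROBE_HOST:-192.0.2.1}   # constructed example target
WAN1_SRC=${WAN1_SRC:-198.51.100.10}   # constructed example WAN1 address
FAIL_THRESHOLD=${FAIL_THRESHOLD:-3}   # consecutive failed probes before failover
OK_THRESHOLD=${OK_THRESHOLD:-5}       # consecutive good probes before failback
INTERVAL=${INTERVAL:-10}              # seconds between probes
DRY_RUN=${DRY_RUN:-0}

# probe_wan1: succeed if PROBE_HOST answers one ping sourced from WAN1.
# FreeBSD/pfSense ping: -S source address, -W reply timeout in milliseconds.
probe_wan1() {
    ping -c 1 -W 1000 -S "$WAN1_SRC" "$PROBE_HOST" >/dev/null 2>&1
}

# next_state ACTIVE FAILS OKS PROBE_OK
#   Pure state machine so the logic can be tested without a network.
#   Prints "ACTIVE FAILS OKS ACTION"; ACTION is none, failover or failback.
#   The active tunnel only changes once a threshold is crossed.
next_state() {
    active=$1 fails=$2 oks=$3 probe_ok=$4 action=none
    if [ "$probe_ok" -eq 1 ]; then
        fails=0; oks=$((oks + 1))
    else
        oks=0; fails=$((fails + 1))
    fi
    if [ "$active" = wan1 ] && [ "$fails" -ge "$FAIL_THRESHOLD" ]; then
        active=wan2; action=failover; fails=0
    elif [ "$active" = wan2 ] && [ "$oks" -ge "$OK_THRESHOLD" ]; then
        active=wan1; action=failback; oks=0
    fi
    echo "$active $fails $oks $action"
}

# switch_tunnel FROM TO: tear down the IKE SA of one connection, then
# initiate the other, so both are never active at the same time.
switch_tunnel() {
    from=$1 to=$2
    if [ "$DRY_RUN" -eq 1 ]; then
        echo "swanctl --terminate --ike vpn-$from"
        echo "swanctl --initiate --child vpn-$to"
        return 0
    fi
    swanctl --terminate --ike "vpn-$from"
    swanctl --initiate --child "vpn-$to"
}

# run_loop: probe forever, switching tunnels on each state-machine action.
run_loop() {
    active=wan1 fails=0 oks=0
    while :; do
        if probe_wan1; then ok=1; else ok=0; fi
        prev=$active
        set -- $(next_state "$active" "$fails" "$oks" "$ok")
        active=$1; fails=$2; oks=$3; action=$4
        if [ "$action" != none ]; then
            echo "$(date) WAN1 probe $action: $prev -> $active"
            switch_tunnel "$prev" "$active"
        fi
        sleep "$INTERVAL"
    done
}

# Start the daemon only when asked, so the file can be sourced for testing.
if [ "${RUN_FAILOVER:-0}" -eq 1 ]; then
    run_loop
fi
```

Run it with `RUN_FAILOVER=1 DRY_RUN=1 sh ipsec-failover.sh` first to watch which commands it would issue, then drop `DRY_RUN`. With the thresholds above and a 10 second interval, failover happens about 30 seconds after WAN1 goes dark and failback about 50 seconds after it is steadily back, which is the same hysteresis a person applies by waiting to "see that WAN1 is working again" before switching.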