Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Dual WAN and IPSec: Simply switch interface on alarm

    Routing and Multi WAN
    2
    3
    1256
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • T
      thoiz_vd last edited by

      I found many topic replies clearly stating that WAN-failover and IPSec cannot be combined due technical reasons. Yet, I do not see why pfSense is not able to do something I now do by hand. When WAN1 fails, I switch my VPN endpoint from WAN1 to WAN2. When I see that WAN1 is working again, I switch it back. If I can do this, why not pfSense?

      1 Reply Last reply Reply Quote 0
      • jimp
        jimp Rebel Alliance Developer Netgate last edited by

        It's not quite that simple unfortunately. Many people in the field don't have the ability to just change the endpoint IP without adjusting the other side of the tunnel.

        It might be possible to do this, but it's not as easy as it seems, and would definitely have to be optional. Might be an interesting project for someone looking to get into development to try.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        1 Reply Last reply Reply Quote 0
        • T
          thoiz_vd last edited by

          I do have this option because the endpoint is a ZyWALL USG, which has support for dynamic clients. The solution could however be reformulated to having two tunnels with different priorities. In case the tunnel with the higher priority goes down, the one with the lower priority is activated. In my case their endpoints would be the same, but for others this does not have to be so. Subnet overlaps do not matter anymore when the tunnels are never both active at the same time.

          1 Reply Last reply Reply Quote 0
          • First post
            Last post