IPsec on multiple WAN connections?

  • First of all, many thanks to all those working on or tweaking pfSense.  I've been working with several boxes for about six months now and have finally deployed them.  The fact that we've incorporated Snort, AV, proxy, content filtering, reporting, etc. into an 18-watt little black box is pretty amazing.

    I've run into an issue with setting up IPsec on more than one WAN interface on this AMD64 2.0 release version.

    Using this guide: http://dekapitein.vorkbaard.nl/tech-1/how-to-set-up-ipsec-tunneling-in-pfsense-2-0-release-for-road-warriors
    I was able to get the IPsec VPN working with Shrew on 1 of the 2 WAN connections.  Once I enabled "Mobile Clients", the wizard prompted me to add a Phase 1 entry.  In this tunnel, I can only choose one WAN interface.

    My question is: how do I set this up for the 2nd WAN connection? When I try to add another tunnel under IPsec (to assign to WAN2), an extra field shows up, "Remote Gateway", which was not there in the first tunnel GUI.

    Is it possible to have IPsec working on both WAN1 and WAN2?  Pic 1 is the working config.  Pic 2 is what I get when trying to add a tunnel for WAN2.


  • All I could find on this problem is stuff like this (old): http://forum.pfsense.org/index.php?topic=11791.0;wap2

    That post would suggest that setting up a WAN2 connection is possible, so my guess here is that I'm missing something that is not documented.


  • I believe pfSense will only use one WAN interface for mobile connections.  Once you add the second Phase 1 policy, it is configuring it for a site-to-site IPsec tunnel.

    Btw, I like the pfSense documentation for creating mobile connections with 2.0: http://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0

  • So this would suggest that version 2.0 does not support IPsec on multi-WAN where the older version did?  It looked like the previous poster added WAN2 tunnels and then a static route.  In version 2, it does not look like this is possible.

    So the next question is regarding OpenVPN on multi-WAN... possible?

  • @dwood:

    So this would suggest that version 2.0 does not support IPsec on multi-WAN where the older version did?

    Not necessarily.  I replied based on the screenshots you posted.  It won't work that way.

    I believe you can still accomplish this by setting up gateways, a gateway group, a floating rule, and outbound NAT rules to point the outbound traffic to the gateway group you create.  That way, you are forcing the VPN traffic to use the gateway group.

    Configure your gateways in Routing - Gateways.

    Configure the gateway group in Routing - Groups.  You should use the second WAN connection as Tier 2 so that it will only be used when the action is triggered.

    Configure a floating rule for both WAN interfaces in Rules - Floating.  Direction is out and gateway would be the group you just created.

    Last, set up an outbound NAT rule in NAT - Outbound.  You will want to do manual outbound NAT with two rules, one for each WAN interface.  (Ex: WAN1 any * * * * * no)
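As an added example (not code from the original post, and not pfSense's own code), here is a small Python checker that reads a constructed config fragment loosely modelled on pfSense 2.x config.xml and verifies that the four steps in the reply above are present together: a gateway per WAN, a gateway group with WAN2 at Tier 2, a floating "out" rule on both WANs that uses the group, and a manual outbound NAT rule per WAN interface. The element names, the `NAME|tier|monitor` item format and the mode value `advanced` for manual outbound NAT are assumptions about the file layout, not a schema reference. It checks only those four steps; it says nothing about which single interface the mobile Phase 1 listens on, which is the limitation the thread discusses.

```python
"""Check that the gateway-group / floating-rule / manual-NAT recipe is complete.

Added example, not pfSense's own code. The XML is constructed and only
approximates pfSense 2.x config.xml element names (assumptions, not a schema).
"""
import xml.etree.ElementTree as ET

# Constructed sample: two WANs (wan, opt1), WAN2 as Tier 2 in the group,
# a floating "out" rule on both WANs pointing at the group, and one manual
# outbound NAT rule per WAN interface.
SAMPLE_CONFIG = """<pfsense>
  <gateways>
    <gateway_item><interface>wan</interface><gateway>203.0.113.1</gateway><name>WAN1GW</name></gateway_item>
    <gateway_item><interface>opt1</interface><gateway>198.51.100.1</gateway><name>WAN2GW</name></gateway_item>
    <gateway_group>
      <name>VPNFailover</name>
      <item>WAN1GW|1|address</item>
      <item>WAN2GW|2|address</item>
      <trigger>down</trigger>
    </gateway_group>
  </gateways>
  <filter>
    <rule>
      <type>pass</type>
      <floating>yes</floating>
      <interface>wan,opt1</interface>
      <direction>out</direction>
      <gateway>VPNFailover</gateway>
    </rule>
  </filter>
  <nat>
    <outbound>
      <mode>advanced</mode>
      <rule><interface>wan</interface><source><network>any</network></source></rule>
      <rule><interface>opt1</interface><source><network>any</network></source></rule>
    </outbound>
  </nat>
</pfsense>
"""


def _text(el, tag):
    child = el.find(tag)
    return (child.text or "").strip() if child is not None else ""


def check_multiwan(xml_text, wan_ifaces=("wan", "opt1")):
    """Return a list of problems; an empty list means all four steps are in place."""
    root = ET.fromstring(xml_text)
    problems = []
    primary, secondaries = wan_ifaces[0], wan_ifaces[1:]

    # Step 1, Routing - Gateways: one gateway per WAN interface.
    gw_by_iface = {_text(g, "interface"): _text(g, "name")
                   for g in root.iterfind("gateways/gateway_item")}
    for iface in wan_ifaces:
        if iface not in gw_by_iface:
            problems.append(f"no gateway defined on interface {iface}")

    # Step 2, Routing - Groups: a group holding every WAN gateway, with the
    # primary at Tier 1 and the others at a higher tier number (failover only).
    group_name = None
    wanted = {gw_by_iface.get(i) for i in wan_ifaces}  # None if a gateway is missing
    for grp in root.iterfind("gateways/gateway_group"):
        tiers = {}
        for item in grp.iterfind("item"):
            parts = (item.text or "").split("|")  # assumed "GWNAME|tier|monitor"
            tiers[parts[0]] = int(parts[1]) if len(parts) > 1 else 1
        if wanted <= set(tiers):
            group_name = _text(grp, "name")
            for iface in secondaries:
                if tiers[gw_by_iface[iface]] <= tiers[gw_by_iface[primary]]:
                    problems.append(f"gateway {gw_by_iface[iface]} in group {group_name} "
                                    f"should have a higher tier number than {gw_by_iface[primary]}")
    if group_name is None:
        problems.append("no gateway group contains every WAN gateway")

    # Step 3, Rules - Floating: direction out, every WAN listed, gateway = the group.
    has_rule = any(
        _text(r, "floating") == "yes" and _text(r, "direction") == "out"
        and set(wan_ifaces) <= set(_text(r, "interface").split(","))
        and _text(r, "gateway") == group_name
        for r in root.iterfind("filter/rule"))
    if not has_rule:
        problems.append("no floating 'out' rule on all WANs using the gateway group")

    # Step 4, NAT - Outbound: manual mode with one rule per WAN interface.
    outbound = root.find("nat/outbound")
    if outbound is None or _text(outbound, "mode") != "advanced":
        problems.append("outbound NAT is not manual (mode 'advanced' assumed)")
    nat_ifaces = set()
    if outbound is not None:
        nat_ifaces = {_text(r, "interface") for r in outbound.iterfind("rule")}
    for iface in wan_ifaces:
        if iface not in nat_ifaces:
            problems.append(f"no manual outbound NAT rule on interface {iface}")
    return problems


if __name__ == "__main__":
    for line in check_multiwan(SAMPLE_CONFIG) or ["configuration complete"]:
        print(line)
```

Run it against a real config only after confirming the element names match your version's config.xml; the useful part is the set of relationships it enforces (group must contain both gateways with WAN2 at a higher tier number, floating rule must list both WANs and name the group, NAT must be manual with a rule per WAN), since leaving any one of them out is what makes the recipe silently fall back to the default route.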

  • Thanks so much for your help :-)

    I'll give this a go and see what we come up with.
