IPSec VPN Failover to another router (on LAN)

  • I have a VPN tunnel (pfSense 2.0 to another 2.0) that routes all traffic through the tunnel. However, when the tunnel goes down I need the traffic to automatically route to another gateway on the LAN. This gateway is already defined in the pfSense box (as the default gateway) and it WILL route traffic there only IF you disable the tunnel, not when the tunnel is down.

    Site A
    pfSense-----LAN--->Switch---->Cisco Private T1
    IPsec                                        |
    WAN                                          |
      |                                          |
      |                                          |
      |                                          |
      |                                          |
    WAN                                          |
    IPsec                                        |
    pfSense-----LAN--->Switch---->Cisco Private T1
    Site B

    Is there a way to have it automatically failover to the old slow circuit?

  • Search the forum for failover WAN... and you should find your answer. Just improvise if it doesn't have the spot-on answer.

  • I searched for failover WAN and read the book. There is nothing I could find like this. Everything I found expects two WAN ports.

  • That isn't possible with IPsec in that way. You would need to either use OpenVPN or IPsec in transport mode + a GIF tunnel, and run a dynamic routing protocol on top like OSPF.

    IPsec in tunnel mode will grab the traffic and isn't capable of doing failover like that.

    Even if you managed to get the client side to send traffic the other way, unless you do NAT on the way out, the return traffic from the other side would only take the way back that followed its routing table in most cases.

    Something like OSPF would let it automatically select whichever route was up/preferred.
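    To make the three points in that reply concrete (the tunnel-mode policy still "grabbing" traffic after the tunnel dies, the asymmetric return path when only one side is switched, and NAT or a routing protocol fixing it), here is a small routing-table simulation. It is an added illustration, not code from the thread or from pfSense; the site prefixes (10.1.0.0/24, 10.2.0.0/24), the T1-side address 192.0.2.1 and the interface names "tunnel" and "t1" are constructed for the example.

```python
import ipaddress

# Constructed topology (hypothetical addresses, not from the thread):
#   Site A LAN 10.1.0.0/24 and Site B LAN 10.2.0.0/24, each router with
#   a "tunnel" path (IPsec/OpenVPN) and the slow private "t1" path.
A_LAN = ipaddress.ip_network("10.1.0.0/24")
B_LAN = ipaddress.ip_network("10.2.0.0/24")
A_HOST = ipaddress.ip_address("10.1.0.5")
B_HOST = ipaddress.ip_address("10.2.0.5")
A_T1_ADDR = ipaddress.ip_address("192.0.2.1")  # Site A's address as seen on the T1 side


class Router:
    def __init__(self, name):
        self.name = name
        self.routes = []  # entries: (network, interface, metric, learned_dynamically)
        self.link_up = {"tunnel": True, "t1": True}

    def add_route(self, prefix, iface, metric, dynamic=False):
        self.routes.append((ipaddress.ip_network(prefix), iface, metric, dynamic))

    def link_down(self, iface):
        """Fail a link. A routing protocol (OSPF) withdraws the routes it learned
        over the dead link; a static route or an IPsec tunnel-mode policy stays
        installed and keeps attracting the traffic."""
        self.link_up[iface] = False
        self.routes = [r for r in self.routes if not (r[3] and r[1] == iface)]

    def lookup(self, dst):
        """Longest-prefix match, lowest metric as tie-breaker; returns the interface."""
        dst = ipaddress.ip_address(dst)
        candidates = [r for r in self.routes if dst in r[0]]
        if not candidates:
            return None
        best = max(candidates, key=lambda r: (r[0].prefixlen, -r[2]))
        return best[1]


def build(a_dynamic, b_dynamic):
    """Two site routers: the remote LAN is reached over the tunnel (preferred),
    everything else (including the remote T1-side address) over the T1 default."""
    a, b = Router("siteA"), Router("siteB")
    a.add_route(B_LAN, "tunnel", 10, a_dynamic)
    a.add_route("0.0.0.0/0", "t1", 100)
    b.add_route(A_LAN, "tunnel", 10, b_dynamic)
    b.add_route("0.0.0.0/0", "t1", 100)
    return a, b


def simulate(a_dynamic, b_dynamic, nat_on_t1):
    """Send A_HOST -> B_HOST after the tunnel fails on both ends.
    Returns (forward_iface, forward_ok, return_iface, return_ok)."""
    a, b = build(a_dynamic, b_dynamic)
    a.link_down("tunnel")
    b.link_down("tunnel")

    fwd = a.lookup(B_HOST)
    fwd_ok = fwd is not None and a.link_up[fwd]
    if not fwd_ok:
        return fwd, False, None, False

    # The source address Site B sees: translated only if A NATs on the way out of the T1.
    src_seen = A_T1_ADDR if (nat_on_t1 and fwd == "t1") else A_HOST
    ret = b.lookup(src_seen)
    ret_ok = ret is not None and b.link_up[ret]
    return fwd, fwd_ok, ret, ret_ok


if __name__ == "__main__":
    for label, args in [
        ("static both, no NAT     ", (False, False, False)),
        ("A switched, B static    ", (True, False, False)),
        ("A switched, B static+NAT", (True, False, True)),
        ("OSPF both, no NAT       ", (True, True, False)),
    ]:
        print(label, simulate(*args))
```

    The first case is the situation described in the question: the tunnel route is still installed, so the packet is sent into the dead tunnel. The second case is the return-path problem from the reply: Site A sends via the T1 but Site B's static route still points the reply into the tunnel. NAT on the way out (third case) or a routing protocol on both sides withdrawing the dead route (fourth case) gives a working path in both directions.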

  • OK, I thought that IPSec might be a roadblock, so we've been trying to set up OpenVPN to do it.

    Are you saying OpenVPN alone? In other words, without the use of OSPF?


  • Take a look at this topic, it's used to enable IPSec when wan fails, but you can change it to work the way you need.

