Possible to connect to a Primary tunnel and Backup tunnel?



  • I am replacing an old firewall at an office of about 60 users. The company connects to some secure website for its point-of-sale software. When they emailed me the IPsec config it contained a primary and a backup tunnel.

    The primary is a connection to Las Vegas and the backup is a connection to New Jersey. The remote endpoint IP is different obviously but the remote LAN networks are exactly the same in both primary and backup.

    Is it possible to use both of these tunnels or do I just have to choose primary and go with that?


  • Rebel Alliance Developer Netgate

    We don't have a good way to support that yet in that sort of setup on the client side of things.

    In 2.1 we do have some IPsec failover going now, but it's on the end that has two WANs where it needs to move the tunnel from one WAN to another, not between multiple peers.

    Though in your case you might be able to fake it out with DNS, it wouldn't be automatic. You can set the endpoint address to a hostname, and then if the hostname resolves to the other peer, it would switch when it detected the DNS change. If you're manually making the change though you may as well just change the peer IP.



  • The underlying software ipsec-tools supports failover (see https://trac.ipsec-tools.net/wiki/FailOver) but the functionality isn't implemented under pfsense yet, afaik.

    There is a related feature-request here http://redmine.pfsense.org/issues/1965


  • Rebel Alliance Developer Netgate

    If you read the notes on the ticket you'll see that the method used on that page isn't really viable the way we do things. But we're still searching for a good way to make that happen, failing over between two remote peers without involving DNS.

