Netgate Discussion Forum
    Possible to connect to a Primary tunnel and Backup tunnel?

    4 Posts 3 Posters 1.8k Views
    • root2020

      I am replacing an old firewall at an office of about 60 users. The company connects to some secure website for its point-of-sale software. When they emailed me the IPsec config it contained a primary and a backup tunnel.

      The primary is a connection to Las Vegas and the backup is a connection to New Jersey. The remote endpoint IP is different obviously but the remote LAN networks are exactly the same in both primary and backup.

      Is it possible to use both of these tunnels, or do I just have to choose the primary and go with that?

      • jimp (Rebel Alliance Developer, Netgate)

        We don't have a good way to support that yet in that sort of setup on the client side of things.

        In 2.1 we do have some IPsec failover going now, but it's on the end that has two WANs where it needs to move the tunnel from one WAN to another, not between multiple peers.

        Though in your case you might be able to fake it out with DNS, but it wouldn't be automatic. You can set the endpoint address to a hostname, and then if the hostname resolves to the other peer, it would switch when it detected the DNS change. If you're manually making the change, though, you may as well just change the peer IP.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • dhatz

          The underlying software, ipsec-tools, supports failover (see https://trac.ipsec-tools.net/wiki/FailOver), but the functionality isn't implemented under pfSense yet, afaik.

          There is a related feature request here: http://redmine.pfsense.org/issues/1965

          • jimp (Rebel Alliance Developer, Netgate)

            If you read the notes on the ticket you'll see that the method used on that page isn't really viable the way we do things. But we're still searching for a good way to make failover between two remote peers happen without involving DNS.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.