• Hi there.

    We are using IPsec, which is mostly the main type of VPN for cross-site talk…

    Unfortunately the performance of the IPsec is very bad. I am looking for a way in which we create an OpenVPN backup for the IPsec.

    Say IPsec drops: site B calls site A and then continues working as normal until either site restarts, etc.

    Something like a failover WAN, but for IPsec.


  • Looked briefly at the rules (including the floating ones), but didn't find anything useful there to accomplish what you seek.

    You can get path selection (take the IPsec route or the OpenVPN route) by getting your route table updated dynamically (done by a routing protocol, OSPF for example).

    No idea if there are other possibilities with pfSense… (This is an interesting one. I'll keep an eye on this thread ;))

  • Rebel Alliance Developer Netgate

    There wouldn't be any way to make that work with IPsec in tunnel mode, because unless you disable the tunnel and make sure the SPDs are gone, then IPsec will still grab the traffic even when the tunnel is down.

    Now if you had IPsec in transport mode + GIF/GRE, and OpenVPN, doing some sort of failover might be possible, similar to multi-wan or using OSPF.

  • Thanks Benny and Jimp,

    I am gonna see if Jimp's idea is workable. I am looking for a quick solution for the issue. Changing settings in 4 diff pfboxes will be a titanic task.
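
An added example, not part of the thread and not pfSense code: a check for the condition described in the tunnel-mode reply, where a leftover outbound tunnel-mode SPD entry would still capture traffic for a subnet you intend to route over the backup VPN. It parses text in the layout printed by `setkey -DP`; the sample dump, the addresses and the function names `parse_spd` and `shadowing_policies` are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the layout printed by `setkey -DP` (not from a real box).
SAMPLE_SPD = """\
10.0.2.0/24[any] 10.0.1.0/24[any] any
\tin ipsec
\tesp/tunnel/203.0.113.2-198.51.100.1/unique:1
\tspid=2 seq=1 pid=4242 scope=global
\trefcnt=1
10.0.1.0/24[any] 10.0.2.0/24[any] any
\tout ipsec
\tesp/tunnel/198.51.100.1-203.0.113.2/unique:1
\tspid=1 seq=0 pid=4242 scope=global
\trefcnt=1
"""

# Policy header: "<src>[port] <dst>[port] <upper-layer protocol>"
HEADER = re.compile(r"^(\S+?)\[\S+\]\s+(\S+?)\[\S+\]\s+\S+$")

def parse_spd(text):
    """Return one dict per policy: src/dst networks, direction, IPsec mode."""
    policies, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"src": ipaddress.ip_network(m.group(1), strict=False),
                   "dst": ipaddress.ip_network(m.group(2), strict=False),
                   "direction": None, "mode": None}
            policies.append(cur)
        elif cur is not None:
            parts = line.split()
            if len(parts) == 2 and parts[0] in ("in", "out"):
                cur["direction"] = parts[0]
            elif "/tunnel/" in line or "/transport/" in line:
                # e.g. "esp/tunnel/<local>-<remote>/unique:1"
                cur["mode"] = line.strip().split("/")[1]
    return policies

def shadowing_policies(text, backup_route):
    """Outbound tunnel-mode policies overlapping a route meant for the backup VPN."""
    route = ipaddress.ip_network(backup_route)
    return [p for p in parse_spd(text)
            if p["direction"] == "out" and p["mode"] == "tunnel"
            and p["dst"].overlaps(route)]
```

A non-empty result for the remote subnet means the failover route would not take effect until those policies are removed; a transport-mode policy between the two tunnel endpoints does not match, which is why the GIF/GRE variant leaves path selection to the routing table.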