I have 3 (main and 2 branch) offices total that are connected using Metro-E. Each location has public internet to be used as a backup connection. Only the main branch has pfSense. The other 2 have Junipers.

I can get a tunnel up without any problem. The issue I have is how do I set up the failover? I know how to do this with route-based tunnels, but pfSense doesn't support route-based VPN tunnels. Is there a guide or a how-to for when using rule-based VPNs?


• IPsec failover needs dynamic DNS, so you set the local interface as a gateway group, and on the remote host you set the destination to the dynamic DNS host you have tied to the gateway group. Of course, you need to be able to specify a resolvable hostname instead of an IP on the other side, and also make sure that you don't have issues with cached DNS responses and things like that (no idea how Juniper handles this).

For example, I have implemented failover IPsec between pfSense and MikroTik routers by setting a script on the MikroTiks that resolves the dynamic DNS entry every minute and updates its IPsec config whenever necessary (pretty much what pfSense does behind the scenes).
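As an added illustration (not code from the reply above or from pfSense/MikroTik), here is the poll-and-update logic that reply describes, written in Python with a pluggable DNS lookup and a hook that would push the new address into the IPsec peer config; the hostname, addresses, hold time and hook names are all assumptions, and it also shows the two checks a defender wants around it: never touching a working tunnel on a failed lookup, and refusing DDNS answers that no WAN peer could legitimately have.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Hypothetical hooks: resolve(name) returns an IPv4 string or None on lookup
# failure; apply(old, new) pushes the new address into the IPsec peer config.
Resolver = Callable[[str], Optional[str]]
Applier = Callable[[str, str], None]
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_wan_candidate(ip: ipaddress.IPv4Address) -> bool:
    """Reject answers no WAN peer could have (a broken or hijacked DDNS record)."""
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_reserved:
        return False
    return not any(ip in net for net in _RFC1918)

@dataclass
class DdnsPeer:
    ddns_name: str
    address: str                  # peer address currently in the IPsec config
    min_hold: float = 120.0       # seconds before the address may change again
    changed_at: Optional[float] = None

    def poll(self, now: float, resolve: Resolver, apply: Applier) -> str:
        """One poll cycle (run it every minute); returns what happened."""
        answer = resolve(self.ddns_name)
        if answer is None:
            return "unresolved"   # transient DNS failure: leave the tunnel alone
        try:
            ip = ipaddress.IPv4Address(answer)
        except ValueError:
            return "rejected"
        if not is_wan_candidate(ip):
            return "rejected"
        if str(ip) == self.address:
            return "unchanged"
        if self.changed_at is not None and now - self.changed_at < self.min_hold:
            return "held"         # damp flapping while both WAN paths bounce
        old, self.address, self.changed_at = self.address, str(ip), now
        apply(old, self.address)
        return "updated"

def simulate(answers: List[Optional[str]]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Constructed run: one scripted DNS answer per minute against a fake peer config."""
    peer = DdnsPeer("vpn-main.example-ddns.invalid", "198.51.100.10")
    applied: List[Tuple[str, str]] = []
    events = [peer.poll(1000.0 + 60.0 * i, lambda _n, a=ans: a,
                        lambda old, new: applied.append((old, new)))
              for i, ans in enumerate(answers)]
    return events, applied
```

In a real deployment the resolver must honour the DDNS record's TTL (a resolver that caches past it is exactly the stale-answer problem the reply warns about), and the apply hook is where the router-specific peer update goes.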


