Ipsec VPN using one ISP and backup with other ISP

  • Hi,

    Hi have a customer that have a Ipsec VPn with a provider and now like to user other IPS to setup a backup for this VPN.

    The idea is use two ISP with diferente provider one is the principal and the other with backup.

    We need that in case the principal channel down use the backup and up the IPSec VPN for this channel.

    Is it possible ?

  • You can achieve this with either a dual-circuit connection (usually fairly expensive) or by updating DNS records.

    I don't think PFSense has the built-in functionality to update the DNS records if one WAN is down (please feel free to correct me), so you could use a provider like DNSMadeEasy and their DNS Failover.

    I think you would need to create a gateway group and use it for the IPsec interface.


    Apparently the DynDNS can use a gateway group too so no need for the likes of DNSMadeEasy.


    It should work fine though for pfSense to pfSense you need both the IPsec tunnel set to a failover gateway group and a DynDNS entry set to the same failover gateway group, and then use that dyndns host as the remote peer address for the other side.

    Then when WAN1 fails to WAN2, the dyndns IP changes, so the far side knows to accept the new peer, and that's where IPsec will start connecting from.

Log in to reply