IPSEC failover ?



  • Core 1 : XYZ
    Core 2 : ABC

    Both core locations have the same subnet ranges. Linked together by a MPLS connection.

    Would there be a solution to allow remote branches to connect to Core1, and if that would be down to Core2?
    I could create both IPSEC tunnels at the same time, but since all phase 2's would be identical… Would the second VPN just not connect?

    Routing options are not possible with IPsec; OpenVPN is not an option (external parties).

    Any ideas?


  • Rebel Alliance Developer Netgate

    That's not currently possible at the moment with multiple tunnels, however you can still pull it off with a single tunnel.

    For the "Core" side use a hostname in DNS that will resolve to whichever one is up (like DynDNS) – and then use that hostname as your Phase 1 IPsec peer in pfSense.

    If the other settings (key, P2 nets, etc.) are all the same then pfSense won't care which one it connects to, it will follow the hostname.
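The hostname-based failover the answer describes, modelled as a small health-check and record-publishing routine. This is an added example, not code from the thread or from pfSense: the hostname core-vpn.example.com, the two core addresses and the reachability table are constructed placeholders. The idea is that the branch side never changes (same key, same Phase 2 networks on both cores); only the address behind the peer name moves.

```python
"""Hostname-based IPsec peer failover, modelled as code (added example).

One DNS name is published for the "Core" peer and pointed at whichever core
site is currently up; branches use that name as their Phase 1 peer. Because
both cores share the same pre-shared key and Phase 2 networks, the branch
configuration never changes, only the address the name resolves to.

Assumed/constructed values: the hostname core-vpn.example.com and the core
addresses below are placeholders, not taken from the original thread.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Sequence

PEER_HOSTNAME = "core-vpn.example.com"  # assumed placeholder name


@dataclass(frozen=True)
class Core:
    name: str
    address: str
    priority: int  # lower value is preferred; Core1 = 1, Core2 = 2


# Constructed sample inventory (addresses are RFC 5737 documentation ranges).
CORES = (
    Core("Core1", "192.0.2.10", 1),
    Core("Core2", "198.51.100.10", 2),
)

Probe = Callable[[Core], bool]


def select_active(cores: Sequence[Core], probe: Probe) -> Optional[Core]:
    """Return the highest-priority core whose probe succeeds, or None."""
    for core in sorted(cores, key=lambda c: c.priority):
        if probe(core):
            return core
    return None


def desired_record(cores: Sequence[Core], probe: Probe) -> Optional[Dict[str, object]]:
    """Build the A record the health-checker should publish for the peer name.

    Returns None when no core is reachable: leave the record untouched and
    alert rather than publishing a dead address.
    """
    active = select_active(cores, probe)
    if active is None:
        return None
    # Short TTL so branches pick up a change quickly after Core1 goes away.
    return {"name": PEER_HOSTNAME, "type": "A", "value": active.address, "ttl": 30}


def failover_event(previous: Optional[str], current: Optional[str]) -> Optional[str]:
    """Describe a change of the published address, for logging/alerting.

    A flip from Core1 to Core2 is the signal operations want to see; it also
    means every branch tunnel will re-establish to the other site once DPD
    declares the old peer dead and the branch re-resolves the hostname.
    """
    if previous == current:
        return None
    if current is None:
        return f"no core reachable; last published {previous}"
    if previous is None:
        return f"core restored; publishing {current}"
    return f"failover: {previous} -> {current}"


def table_probe(reachable: Dict[str, bool]) -> Probe:
    """Probe backed by a constructed reachability table (an offline stand-in
    for a real IKE/ICMP health check run from a third vantage point)."""
    return lambda core: reachable.get(core.name, False)


if __name__ == "__main__":
    # Walk through three observations: both up, Core1 fails, Core1 returns.
    states = [
        {"Core1": True, "Core2": True},
        {"Core1": False, "Core2": True},
        {"Core1": True, "Core2": True},
    ]
    published = None
    for state in states:
        record = desired_record(CORES, table_probe(state))
        current = str(record["value"]) if record else None
        event = failover_event(published, current)
        if event:
            print(event)
        published = current
```

Two things a practitioner would add around this: run the health check from somewhere that can reach both cores independently (not on either core itself), and enable Dead Peer Detection on the branch tunnels so the SA to the failed core is torn down instead of lingering until rekey. The DNS record also becomes part of the trust path: the PSK or certificate still prevents an impostor from authenticating as the peer, but whoever can change that record controls which endpoint every branch tries, so the update credentials deserve the same protection as the IPsec keys.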