IPsec Backup Tunnel

  • I'm trying to replace a bunch of SonicWalls with pfSense boxes. SonicWall has this feature where you can put in a backup IP for each peer. Is there any solution in pfSense that would allow you to do a backup tunnel?

    We have a pfSense cluster in our primary datacenter. We have our own IP space here, which is advertised via BGP to multiple ISPs, so this essentially never goes down. Then we have a bunch of remote offices that use redundant ISPs and a pair of SonicWalls at each one.

    I have to set up VPNs to all the SonicWalls. I have this all up and working, but I need a way to do tunnels to each SonicWall's backup ISP in the event the primary fails. I was thinking I'd just copy the tunnel on the pfSense cluster, change the IP to the backup ISP's IP, and set it to listen only. Will this work on pfSense?

    To make it slightly harder, what if I have a pair of pfSense boxes on both sides? Only one side would have two ISP links. Is there any way to do IPsec redundancy in this scenario?

  • I haven't done this since pfSense 1.2.3, but you should be able to run two pfSense boxes in a CARP setup, and if you point your IPsec tunnel to the shared CARP WAN IP it should work. I don't see any reason you wouldn't be able to do this on both sides.
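Added example, not from either post: the "one tunnel, two peer addresses" idea written in raw strongSwan swanctl.conf syntax, strongSwan being the IKE daemon pfSense runs underneath its IPsec GUI. The hub entry lists both office WAN addresses in remote_addrs, so a single responder-only connection matches whichever ISP the office comes in from, instead of a second listen-only copy of the tunnel; the office entry initiates and re-initiates from its surviving ISP when dead peer detection fails. Hostnames, the RFC 5737 documentation addresses, LAN subnets and the PSK are placeholders; this shows the strongSwan semantics only and is not a pfSense GUI recipe (pfSense regenerates its strongSwan configuration from the GUI, so hand edits there do not survive).

```conf
# Added example, not from the thread. Two swanctl.conf files, one per side.
# All names, addresses, subnets and the PSK below are placeholders.

# ---------- hub side: datacenter pfSense cluster (responder only) ----------
connections {
    office1 {
        # Bind IKE to the shared CARP VIP so a node failover in the cluster
        # does not change the address the office peers with.
        local_addrs  = 203.0.113.10
        # Accept IKE from either office WAN address. As responder, strongSwan
        # matches the initiator's source address against this list, so one
        # entry covers the primary and the backup ISP.
        remote_addrs = 198.51.100.20, 192.0.2.20
        version   = 2
        proposals = aes256-sha256-ecp256
        # Identities are FQDNs, not IP addresses: the office's IKE identity
        # must not change when it moves to the other ISP.
        local  {
            auth = psk
            id   = hub.example.net
        }
        remote {
            auth = psk
            id   = office1.example.net
        }
        children {
            office1-lan {
                local_ts  = 10.0.0.0/16
                remote_ts = 10.1.0.0/24
                esp_proposals = aes256gcm16-ecp256
                # Never initiate from the hub: it cannot know which office
                # ISP is currently up, so let the office always come to us.
                start_action = none
                # When DPD declares the peer dead, drop the SAs and wait for
                # the office to reconnect from whichever address it has left.
                dpd_action = clear
            }
        }
        dpd_delay = 30s
    }
}

secrets {
    ike-office1 {
        id-1   = office1.example.net
        secret = "replace-with-a-long-random-psk"
    }
}

# ---------- office side: pfSense behind two ISPs (initiator) ----------
connections {
    hub {
        # local_addrs is deliberately unset (%any): the source address is
        # chosen by the office's routing at initiation time, so after an ISP
        # failover the IKE_SA is rebuilt from the ISP that is still up.
        remote_addrs = 203.0.113.10
        version   = 2
        proposals = aes256-sha256-ecp256
        local  {
            auth = psk
            id   = office1.example.net
        }
        remote {
            auth = psk
            id   = hub.example.net
        }
        children {
            hub-lan {
                local_ts  = 10.1.0.0/24
                remote_ts = 10.0.0.0/16
                esp_proposals = aes256gcm16-ecp256
                # Bring the tunnel up at load and keep it up.
                start_action = start
                # On DPD failure, re-initiate immediately; with the primary
                # ISP gone, the new IKE_SA leaves via the backup ISP.
                dpd_action = restart
            }
        }
        dpd_delay = 30s
    }
}

secrets {
    ike-hub {
        id-1   = hub.example.net
        secret = "replace-with-a-long-random-psk"
    }
}
```

Two things to check when mapping this onto the thread's scenarios: for the SonicWall offices, the hub side above simply accepts either address, and whether the SonicWall actually retries from its backup ISP is a SonicWall question; for the pfSense-on-both-sides case, the office pfSense must route IKE and ESP out of the surviving ISP (its gateway failover), since strongSwan only re-initiates, it does not pick the ISP. In both cases, pairing the hub's listener with the CARP VIP, as the reply suggests, is what keeps the offices from noticing a cluster failover.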