Failover IPSec configuration

  • Hi all,

    this is my first post in this community. I downloaded pfSense a few days ago to replace a commercial firewall product,
    which is in use in my own home environment. First, I'd like to make you familiar with my network configuration:

    Main Site:

    Telco -> Fritzbox (famous router product in Germany) -> pfSense gateway -> my computer

    My static public IP address terminates at the Fritzbox gateway, which then routes all traffic to the pfSense gateway.
    The pfSense gateway has a private IP address on the local area network as well as on the wide area network.
    Of course, these addresses on the WAN are just used for routing; this is a typical transport network.

    Remote Site:

    I'm running a remote site where network connectivity is really unstable. In fact, I'm operating a HamRadio repeater
    which has a VPN connection to my "Main Site". Due to the unstable internet connectivity, I'm running two ISPs there.

    One ISP connection is established via a WLAN radio link, the other one is established via an LTE line.
    The WLAN radio link has no limitation regarding the maximum transfer volume per month; the LTE line has such
    a limitation, which is 2Gb per month. If these 2Gb are consumed, the available bandwidth will be reduced to 64kb/s
    automatically, which is not that much. That's why my interest is to use the WLAN radio link primarily for
    my VPN connection and the LTE link as a backup connection only.

    Here is a logical topology of this configuration:

    Telco 1 -> just another Fritzbox -> RADIO LINK -> pfSense -> "my vm"
    Telco 2 -> TP-Link Router -> pfSense -> "my vm"

    In this environment the so-called "Fritzbox" gets a dynamic (public) IP address from ISP Telco 1, the TP-Link router
    gets a dynamic (private) IP address from ISP Telco 2. The internal routing is done by static routing using private IP addresses.

    Now, I wanted to configure failover on pfSense at the remote location.

    For this purpose I added two gateways and configured the gateway to Telco 1 as the default gateway.
    The second gateway to Telco 2 has been added just as a normal gateway.

    In the next step I configured a gateway group; both gateways are configured with different tiers.
    So in this configuration Gateway 1 is configured as Tier 1 and Gateway 2 as Tier 2.
    The failover trigger is "Member Down".

    I already configured an up-and-running IPsec VPN connection between my main and remote site.
    To enable the failover scenario, I changed the "Phase 1 - Interface" to the previously configured gateway group.

    Everything seems to work fine until one line on the remote site goes down.
    If this happens (for example, an unstable WLAN connection), the VPN connection is not established automatically via the
    aforementioned backup link. In fact, nothing happens until the unstable WLAN connection is restored.

    Does anyone have an idea what I did wrong in my configuration?

    Thanks a lot for your help!

    BR, Nils

  • I have an update here:

    For some reason, the IPsec connection is now established via the backup link.
    In general, that is exactly what I want, but it seems that there is no return to the primary gateway.
    Both gateways are online now, but the IPsec connection is still established via the backup link.

    It would be really helpful if someone could explain the behaviour of pfSense in detail;
    I guess I don't have enough information to understand that behaviour correctly.

    BR, Nils
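As an added illustration (not pfSense code and not from either post), a small Python model of the tier and trigger logic described in the first post and of the failback question raised in the second: the gateway names, the loss and latency thresholds, and the monitor snapshots are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Gateway:
    name: str
    tier: int                # 1 = preferred, 2 = backup
    reachable: bool = True   # the monitor received replies at all
    loss_pct: float = 0.0    # packet loss seen by the monitor
    rtt_ms: float = 0.0      # round-trip time seen by the monitor


def member_is_usable(gw, trigger, loss_thresh=20.0, rtt_thresh=500.0):
    """Decide whether a member counts as up under the group's trigger level.
    Trigger names mirror the pfSense options: "down" (Member Down), "loss",
    "latency", "loss_or_latency". The thresholds are assumed values."""
    if not gw.reachable:
        return False          # every trigger level excludes a dead member
    if trigger in ("loss", "loss_or_latency") and gw.loss_pct >= loss_thresh:
        return False
    if trigger in ("latency", "loss_or_latency") and gw.rtt_ms >= rtt_thresh:
        return False
    return True


def select_gateways(group, trigger="down"):
    """Return the names of all usable members of the lowest usable tier."""
    usable = [g for g in group if member_is_usable(g, trigger)]
    if not usable:
        return []
    best = min(g.tier for g in usable)
    return [g.name for g in usable if g.tier == best]


def selection_over_time(snapshots, trigger="down"):
    """Apply the group decision to successive monitor snapshots of the same
    members and return the chosen gateway names at each step."""
    return [select_gateways(snap, trigger) for snap in snapshots]


# Constructed scenario modelled on the post: RADIO is tier 1, LTE is tier 2.
SCENARIO = [
    [Gateway("RADIO_GW", 1), Gateway("LTE_GW", 2)],                   # both fine
    [Gateway("RADIO_GW", 1, loss_pct=40.0), Gateway("LTE_GW", 2)],    # radio lossy
    [Gateway("RADIO_GW", 1, reachable=False), Gateway("LTE_GW", 2)],  # radio dead
    [Gateway("RADIO_GW", 1), Gateway("LTE_GW", 2)],                   # radio back
]

if __name__ == "__main__":
    for trig in ("down", "loss"):
        print(trig, selection_over_time(SCENARIO, trig))
```

Under the plain Member Down trigger a lossy but still reachable tier-1 link stays selected, which matches the first post's symptom, whereas a loss-based trigger moves the selection to the backup. The group selection itself returns to tier 1 as soon as it is reachable again, so the question in the second post is whether the running IPsec tunnel is rebound when that selection changes.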