IPsec site to site to site full mesh path preference
  • I have 3 sites with pfSense running as the main router at each site.  Currently we have sites B and C connecting through site A via IPsec to get to each other.  Now that I'm implementing VOIP I want to reduce the latency between sites.

    I plan to set up an IPsec connection between sites B and C directly.  Is there a way I can set a preference for the traffic so that it prefers going direct, but if for some reason the direct VPN is down it will try to go via site A?

    This is all sort of a moot point, because if a VPN connection is down there is more than likely a bigger issue, but I'm thinking about this now more for academic reasons than practicality.

    I can't think of how I would do this on a Cisco ASA either, other than keeping the preferred path as a lower number in the crypto map ordering.

    Thanks!  First post, this forum has been tons of help in the past.  Looking forward to being a member of the community.
  • The first matching P2 would be the only one that would apply. You're right that that scenario is almost certainly something you'll never need to use: if you can't get from B to A, then either C won't be able to get to A either, or B won't be able to get to C, so it's probably a moot point.

    What you can do is configure a disabled P2 to do that routing from B to A via C. Then, if you happen to get into a situation where you can't get from B to A but can get from B to C to A, disable the B to A matching P2 and enable the B to C and C to A ones. Manually disabling and enabling would be necessary in that case.
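    The following is an added example, not code from either poster or from pfSense. It models the behaviour described in the reply: policy-based IPsec picks the first enabled Phase 2 whose traffic selectors cover a packet, so ordering and the enabled flag decide the path, and failover to the hub is a manual enable/disable. The site names, subnets and P2 names are constructed for illustration.

    ```python
    from dataclasses import dataclass
    import ipaddress


    @dataclass
    class Phase2:
        name: str
        peer: str      # the Phase 1 (remote gateway) this P2 hangs off
        local: str     # local traffic selector (CIDR)
        remote: str    # remote traffic selector (CIDR)
        enabled: bool = True


    def select_p2(policies, src_ip, dst_ip):
        """First-match selection: return the name of the first *enabled* P2
        whose local/remote selectors cover the packet, or None if no tunnel
        applies. There is no metric or preference; list order is the policy."""
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for p in policies:
            if (p.enabled
                    and src in ipaddress.ip_network(p.local)
                    and dst in ipaddress.ip_network(p.remote)):
                return p.name
        return None


    def switch_path(policies, disable, enable):
        """Manual failover as the reply describes: turn one P2 off, another on."""
        for p in policies:
            if p.name == disable:
                p.enabled = False
            elif p.name == enable:
                p.enabled = True
        return policies


    # Constructed sample for site B: LAN 10.2.0.0/16; site A 10.1.0.0/16 (hub);
    # site C 10.3.0.0/16. The direct B->C P2 is first and enabled; the
    # fallback B->C via A lives on the site-A Phase 1 and starts disabled.
    SITE_B_POLICIES = [
        Phase2("B-to-C-direct", peer="siteC", local="10.2.0.0/16", remote="10.3.0.0/16"),
        Phase2("B-to-C-via-A", peer="siteA", local="10.2.0.0/16", remote="10.3.0.0/16", enabled=False),
        Phase2("B-to-A", peer="siteA", local="10.2.0.0/16", remote="10.1.0.0/16"),
    ]
    ```

    Note that if both B-to-C entries were enabled at once, whichever is listed first would silently win for all B-to-C traffic, which is why the reply suggests keeping the fallback disabled rather than merely "second".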
