
effemac
pfsense IPSEC tunnel to redundant endpoints
« on: January 23, 2018, 08:42:19 am »
I have a pfsense 2.4.2 with a single WAN.
The remote IPSEC gw has two ipsec endpoints for failover (with 2 different ISPs).
So, the ipsec failover is not on the pfsense side, but on the other side, in the form of active / standby.

I defined two "parallel" ipsec tunnels, with the same properties and Phase 2 entries. The only difference is the remote peer IP address, of course.
Both tunnels are established, and the traffic works.
However, I see the P2 entry is built over the first tunnel which I defined, though it is defined as the backup tunnel on the remote gateway.
I have not found documentation about this topic, so my question is: is it a known behaviour of openswan?
I would like to know whether traffic will work even in case of remote endpoint failure, and of course asking the customer to disconnect one ISP for testing is not an option.

Thanks in advance
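One way to check which of the two parallel tunnels actually carries the Phase 2 entry, before and after a failover window, is to parse the output of `ipsec statusall` from strongSwan (the IKE daemon pfSense ships) and report which remote peer has an INSTALLED CHILD_SA for a given subnet pair. This is an added example, not code from the poster or from pfSense; the connection names, peer addresses and status text below are constructed to match strongSwan's usual layout.

```python
"""Report which remote IPsec peer currently carries the CHILD_SA for a subnet pair.

Feed it the text of `ipsec statusall` (strongSwan, as used by pfSense).
SAMPLE_STATUS is constructed sample output, not a real capture.
"""
import re
from typing import Dict, List

SAMPLE_STATUS = """\
Security Associations (2 up, 0 connecting):
   con1000[1]: ESTABLISHED 2 hours ago, 203.0.113.10[203.0.113.10]...198.51.100.5[198.51.100.5]
   con1000{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1a2b3d4_i e5f6a7b8_o
   con1000{1}:   10.0.1.0/24 === 192.168.50.0/24
   con2000[2]: ESTABLISHED 2 hours ago, 203.0.113.10[203.0.113.10]...198.51.100.9[198.51.100.9]
"""

# IKE_SA line: "<conn>[<id>]: <STATE> ..., <local>[...]...<peer>[...]"
IKE_RE = re.compile(r"^\s*(?P<con>\S+)\[(?P<id>\d+)\]: (?P<state>\w+).*?\.\.\.(?P<peer>[\d.]+)\[")
# CHILD_SA state line: "<conn>{<id>}:  INSTALLED, TUNNEL, ..."
CHILD_RE = re.compile(r"^\s*(?P<con>\S+)\{(?P<id>\d+)\}:\s+(?P<state>\w+)")
# CHILD_SA traffic-selector line: "<conn>{<id>}:   <local> === <remote>"
TS_RE = re.compile(r"^\s*(?P<con>\S+)\{(?P<id>\d+)\}:\s+(?P<local>\S+) === (?P<remote>\S+)")

def parse_status(text: str) -> Dict[str, dict]:
    """Return {conn: {"peer": ip, "ike": state, "children": [(local, remote, state)]}}."""
    conns: Dict[str, dict] = {}
    child_state: Dict[tuple, str] = {}
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            conns.setdefault(m["con"], {"peer": None, "ike": None, "children": []})
            conns[m["con"]].update(peer=m["peer"], ike=m["state"])
            continue
        m = TS_RE.match(line)  # checked before CHILD_RE, which would also match this line
        if m:
            state = child_state.get((m["con"], m["id"]), "UNKNOWN")
            conns.setdefault(m["con"], {"peer": None, "ike": None, "children": []})
            conns[m["con"]]["children"].append((m["local"], m["remote"], state))
            continue
        m = CHILD_RE.match(line)
        if m:
            child_state[(m["con"], m["id"])] = m["state"]
    return conns

def active_peers(text: str, local: str, remote: str) -> List[str]:
    """Remote peers that hold an INSTALLED CHILD_SA for local === remote (empty = no P2 up)."""
    return sorted(c["peer"] for c in parse_status(text).values()
                  if any(l == local and r == remote and s == "INSTALLED" for l, r, s in c["children"]))

if __name__ == "__main__":
    print(active_peers(SAMPLE_STATUS, "10.0.1.0/24", "192.168.50.0/24"))
```

On the sample, only the first peer carries the Phase 2, matching what the post describes; run against real output during the maintenance window, an empty result for the subnet pair means no tunnel is passing that traffic.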

christianBriere
Re: pfsense IPSEC tunnel to redundant endpoints
« Reply #1 on: February 13, 2018, 10:59:31 am »

I was looking at the same thing. We have a Sonicwall NSA3600 which has 2 WAN IPs, and a pfsense having 1 WAN. We want the pfsense to connect to the 2 remote gateways, for failover.

I will create the second subnet and do the test. We have to plan a maintenance so I will disconnect WAN 1 and see if WAN 2 tunnel goes up.