On Thu, May 23, 2013 at 11:17 AM, Peter Milazzo <peter.mila...@somersetcapital.com> wrote:

> My questions are, do I need to set up a second IPsec tunnel for the cable
> connection (which I believe you can't do) if it fails over and what will
> the routing look like? Is there a better way to set this up to accomplish
> the redundancies?

As far as I know, there is no automatic way to have a "backup" IPsec connection. What I do is pre-configure both ends to use my secondary connection (in my case a microwave link), but leave that disabled. Upon failure, I connect to both pfSense routers via their public interfaces (I permit access to the admin from very specific IP addresses I own, such as the secondary connection's WAN address) and disable the primary tunnel, and enable the secondary tunnel. Sometimes I have to turn off IPsec entirely and restart it, but usually not.

I really wish there was a way to automate this, but I think detecting where the fault is may be too difficult. I.e., is it the local WAN that is down and needs to switch to the secondary WAN? Is it the remote WAN down and needs to switch to that end's secondary WAN? Is it just IPsec failing to negotiate at all? What if one end thinks the connection is up, and the other does not? Now there is no agreement on where to connect the endpoints.