OPNsense Forum

English Forums => Virtual private networks => Topic started by: bx2 on February 06, 2026, 09:17:21 PM

Title: Active/backup site to site IPSEC VPN
Post by: bx2 on February 06, 2026, 09:17:21 PM
Hello everyone,

I have two Deciso DEC2752 units in a HA configuration that I am soon about to deploy.

At this moment I am nearly ready except I need to figure out how to configure my OPNsense deployment so that if my primary IPSEC VPN connection goes down, the secondary IPSEC VPN connection will establish.

The remote end is two Versa-SDWAN appliances. Versa #1 has one ISP connection and Versa #2 has the other ISP connection. Both ISP connections are from separate ISPs for redundancy.

Right now, my OPNsense cluster is configured for IPSEC VPN to Versa #1 Public IP. I can power off one of my OPNsense units and the other kicks in as expected.

But for whatever reason I cannot seem to figure out how to apply some kind of metric/weight to keep the primary IPSEC tunnel active and fail over to the other IPSEC tunnel if my primary Versa is down.

Would anybody be able to point me in the direction of what to read or how to accomplish this?


Thank you!
Title: Re: Active/backup site to site IPSEC VPN
Post by: Patrick M. Hausen on February 06, 2026, 09:22:44 PM
You configure a CARP address on the Internet facing (WAN) interface and use that as the endpoint for your IPsec tunnel(s). Connectivity will move with the CARP address in case the primary node fails.

Did you setup your HA cluster following the documentation? So you have a HA/CARP address on all interfaces?
Title: Re: Active/backup site to site IPSEC VPN
Post by: bx2 on February 07, 2026, 07:45:26 AM
Quote from: Patrick M. Hausen on February 06, 2026, 09:22:44 PM
You configure a CARP address on the Internet facing (WAN) interface and use that as the endpoint for your IPsec tunnel(s). Connectivity will move with the CARP address in case the primary node fails.

Did you setup your HA cluster following the documentation? So you have a HA/CARP address on all interfaces?

Yes, I've got my HA cluster configured as per the documentation. My concern is not the OPNsense node failing but the other end. Be it a hardware failure or the ISP being down, I am trying to get my OPNsense cluster to have a secondary IPSEC connection going to the opposite site, to their secondary connection.

Title: Re: Active/backup site to site IPSEC VPN
Post by: Monviech (Cedrik) on February 07, 2026, 09:30:35 AM
You could create the same two tunnels on both HA nodes and use dynamic routing to decide which one gets your traffic.

https://docs.opnsense.org/manual/how-tos/dynamic_routing_ospf.html#ipsec-failover-with-vti-and-ospf
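As an added illustration of the dynamic-routing approach suggested in the reply above (this is not from the linked how-to, the original post, or the OPNsense project), the FRR-style OSPF configuration below shows how the primary/backup preference is expressed as an interface cost rather than a tunnel setting. Both route-based (VTI) tunnels stay up at all times; OSPF simply prefers the lower-cost path and reconverges to the other tunnel when the primary neighbour's hellos stop (for example because Versa #1 or its ISP is down). The interface names `ipsec1`/`ipsec2`, the `10.255.x.0/30` transit subnets, the `192.168.10.0/24` LAN and the router ID are all assumed values chosen for the example; in OPNsense the equivalent settings live in the Routing (FRR) plugin pages rather than in a hand-written file.

```text
! Assumed: one route-based (VTI) tunnel per Versa, configured identically on
! both HA nodes so the tunnels follow the CARP WAN address.
! ipsec1 -> Versa #1 (primary, low cost), ipsec2 -> Versa #2 (backup, high cost)
interface ipsec1
 ip ospf network point-to-point
 ip ospf cost 10
 ip ospf hello-interval 5
 ip ospf dead-interval 15
!
interface ipsec2
 ip ospf network point-to-point
 ip ospf cost 100
 ip ospf hello-interval 5
 ip ospf dead-interval 15
!
router ospf
 ospf router-id 10.0.0.1
 network 10.255.1.0/30 area 0
 network 10.255.2.0/30 area 0
 network 192.168.10.0/24 area 0
!
```

Two practical points when checking such a setup: the remote side must run OSPF across the same two VTI links with matching hello/dead timers, otherwise adjacencies never form or flap; and the failover time is bounded by the dead interval (15 s here) plus the tunnel's own DPD settings, so verify the behaviour by shutting down the primary tunnel on purpose and watching the OSPF neighbour state and the routing table move to `ipsec2` before relying on it in production.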