Messages - MGVaxx

#1
We don't have access to the remote site, it is a healthcare provider who laid out the specifics of how we are to connect to their datacenter.

The tunnel is configured using a FQDN as the remote identifier on their end, and they have whitelisted the two static IP addresses from the two ISP providers we are using for WAN1 and WAN2. The tunnel can be established from either interface and works fine when manually set.

The problem is it cannot follow the change of default gateway because you must select one of the WAN interfaces in the phase 1 configuration. On pfSense, there is the option to choose the gateway group as the outgoing interface and it works as expected. OPNsense does not have that same option.

#2
I must assume nobody has ever done this and got it working?

I just need an IPsec tunnel to tear down and re-establish itself when the default gateway changes as a result of WAN failover. The current setup doesn't seem to allow that, unless I am missing something obvious here?

#3
Hello all,

Here's a scenario we are having difficulty with and looking for some insight on.

We have a client site with two WAN connections from different providers for redundancy. They are currently configured as WAN1 and WAN2 in a Failover Group - Failover_GW_Group. WAN1 is set as Tier1 and WAN2 as Tier2, as per the official OPNsense docs. The failover works as expected and switches the default gateway from WAN1 to WAN2 upon failure, and back to WAN1 when the connection is restored. We are using Default Gateway Switching.

All good so far.

However, the client also has an IPsec tunnel (legacy mode) to a cloud provider that we want to failover when the WAN connection changes. When setting up the Phase1 for the tunnel, the Interface options are WAN1, WAN2, LAN and ANY. We can successfully establish the tunnel choosing either WAN1 or WAN2, and it will connect and pass traffic using either interface; however, it does not drop and re-establish itself when the WAN fails over. We thought using ANY was the next obvious option but the tunnel does not seem to connect at all.

We do not have control over the remote end of the tunnel, so suggestions such as building a second tunnel etc. are not options.

We compared the setup to a working one using pfSense and noted that their IPsec setup allows you to select the GW Group as the interface in the Phase1 setup, whereas OPNsense does not.

We've already committed to using OPNsense for a variety of reasons and would prefer to stay with it.

Any thoughts or suggestions would be most appreciated. Otherwise, is there a way to submit this as a feature request?

If anyone has gotten a legacy IPsec tunnel to automatically switch WAN connections with a failover group configuration and has some tips, many thanks in advance. Not hoping to reinvent the wheel here, just wondering if there's something obvious we have overlooked.

Cheers,
Mike
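The posts above describe a tunnel that stays bound to whichever WAN was selected in Phase 1 and never re-keys when Default Gateway Switching moves the default route. As an added illustration of the behaviour being asked for (this is not code from the thread, from OPNsense or from its documentation), the following POSIX shell watcher polls the FreeBSD routing table and restarts the IPsec service when the default gateway address changes, so the responder-side FQDN identity and the new WAN's whitelisted source address line up again. Assumptions, all chosen here and not taken from the page: it runs on OPNsense's FreeBSD base where `route -n get default` prints a `gateway:` line, `configctl ipsec restart` is the backend action that bounces strongSwan, and the names `STATE_FILE`, `POLL_SECONDS`, `parse_gateway`, `gateway_changed` and `check_once` are this script's own.

```shell
#!/bin/sh
# Added example: restart IPsec when the default gateway moves between WANs.
# ASSUMPTIONS (not from the forum thread): FreeBSD `route -n get default`
# output format; `configctl ipsec restart` as the OPNsense backend action;
# STATE_FILE / POLL_SECONDS are names chosen for this script only.

STATE_FILE="${STATE_FILE:-/var/run/ipsec_gw_watch.state}"
POLL_SECONDS="${POLL_SECONDS:-10}"

# Extract the gateway address from `route -n get default` output read on
# stdin, so the parser can be exercised offline against captured text.
parse_gateway() {
  awk '$1 == "gateway:" { print $2; exit }'
}

current_default_gateway() {
  route -n get default 2>/dev/null | parse_gateway
}

# True (exit 0) when $1 (gateway now) is non-empty and differs from $2 (last
# recorded). An empty "now" means there is no default route at the moment;
# do not bounce the tunnel on that, wait for the failover group to settle.
gateway_changed() {
  [ -n "$1" ] && [ "$1" != "$2" ]
}

last_seen_gateway() {
  cat "$STATE_FILE" 2>/dev/null || true
}

record_gateway() {
  printf '%s\n' "$1" > "$STATE_FILE"
}

# One polling step. Returns 0 when a restart was triggered, 1 otherwise.
check_once() {
  now=$(current_default_gateway)
  prev=$(last_seen_gateway)
  if gateway_changed "$now" "$prev"; then
    logger -t ipsec-gw-watch "default gateway ${prev:-none} -> $now, restarting IPsec"
    configctl ipsec restart   # ASSUMPTION: OPNsense backend action name
    record_gateway "$now"
    return 0
  fi
  return 1
}

watch_loop() {
  # Seed the state with the gateway active at startup so the watcher does not
  # restart the tunnel merely because it was just launched.
  record_gateway "$(current_default_gateway)"
  while :; do
    check_once || true
    sleep "$POLL_SECONDS"
  done
}

# Only start polling when explicitly asked; sourcing the file defines helpers.
if [ "${1:-}" = "--watch" ]; then
  watch_loop
fi
```

Run as `sh ipsec_gw_watch.sh --watch` from a supervisor of your choice. Restarting the service drops every IPsec connection on the box, not only the affected one, so this is a blunt workaround for a single-tunnel site like the one described, and the state-file guard against an empty gateway keeps a brief routing gap during failover from triggering a second, pointless restart.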