Topic: IPsec Site to Site Failover (Read 5250 times)
jorgevisentini (Jr. Member), on: March 22, 2017, 03:48:55 pm
Hi!
Sorry for my English.
Is it possible to make an IPsec failover connection with OPNsense?
I want to use 2 links to make a redundant connection.
In the configuration there is no option to add a second Link/IP.
Is there an alternative?
Thank you.
thale (Newbie), Reply #1 on: March 29, 2017, 04:39:57 pm
What are you trying to fail over? Do you have a dual-WAN connection and you want your IPsec connection to switch to the 2nd provider if the primary fails? Or is it something else?
jorgevisentini (Jr. Member), Reply #2 on: May 03, 2017, 08:40:24 pm
Hi thale,
Yes, I have a dual-WAN connection, and I want it so that when my primary link drops, it goes to the secondary link.
Is there a way to do this in OPNsense?
Thank you for your attention.
thale (Newbie), Reply #3 on: May 03, 2017, 11:07:10 pm
This assumes that you already have the WAN failover aspect working.
To get IPsec to fail over, you have to define your phase 1s on both sides of the IPsec link with Distinguished Name. You can't use the peer address because that address will change and the resulting IPsec connection attempt will be denied. Distinguished Name is static. Also, you would need to have a dynamic DNS for your IP address that will update when the connection switches, and you use the dynamic DNS for your connection IP. That's about all there is to it if I remember correctly off the top of my head.
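Added example, not part of thale's reply and not OPNsense's generated configuration: the setup described in Reply #3, written in strongSwan ipsec.conf syntax (strongSwan is the IPsec daemon OPNsense uses). All host names, addresses and subnets are constructed placeholders; in the OPNsense GUI the same choices are made in the phase 1 settings. The DPD lines are an assumption added so that a dead tunnel is noticed and renegotiated.

```conf
# Added example in strongSwan ipsec.conf syntax.
# Names, addresses (RFC 5737 ranges) and subnets are constructed placeholders.

# Before: the peer is pinned to one WAN address and identified by it.
# After a WAN failover the peer arrives from a different address and with a
# different identity, so the connection attempt is rejected.
conn siteB-by-address
    keyexchange=ikev2
    authby=secret
    left=198.51.100.10
    leftid=198.51.100.10
    leftsubnet=10.1.0.0/24
    right=203.0.113.20
    rightid=203.0.113.20
    rightsubnet=10.2.0.0/24
    auto=start

# After: identities are static names that do not change with the WAN in use,
# and the peer is reached through a dynamic DNS name that follows its active WAN.
conn siteB-by-name
    keyexchange=ikev2
    authby=secret
    left=%any                          # local address follows the current route
    leftid=@site-a.example.net         # static identifier for this side
    leftsubnet=10.1.0.0/24
    right=site-b.dyndns.example.net    # dynamic DNS name of the peer
    rightid=@site-b.example.net        # static identifier for the peer
    rightsubnet=10.2.0.0/24
    dpdaction=restart                  # assumption: renegotiate when the peer stops answering
    dpddelay=10s
    auto=start

# The pre-shared key in ipsec.secrets is then bound to the identifiers,
# not to addresses (placeholder secret shown):
#   @site-a.example.net @site-b.example.net : PSK "REPLACE_WITH_LONG_RANDOM_SECRET"
```

The other site mirrors this with left and right swapped. Because the key is selected by identifier rather than by source address, it should be long and random.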
jorgevisentini (Jr. Member), Reply #4 on: May 03, 2017, 11:15:13 pm
thale, thanks for your help.
This is exactly what I thought until reading in Fortinet materials that they use route metrics, that is, they leave the two phase 1s (with two different Internet IPs) enabled and place metrics / priorities on the routes (I did not find this option in OPNsense).
I'm still looking for another possible solution hahaha
Well, anyway you've helped clarify my doubt.
Many thanks friend!